In 2023, a small dental practice in Texas received a six-figure settlement demand from OCR after a patient complaint revealed staff were texting appointment details, diagnoses, and insurance information through standard SMS on personal phones. No encryption. No access controls. No policy documentation whatsoever. The practice had no idea that every one of those text messages was a potential HIPAA violation — and they are far from alone. The absence of a HIPAA texting policy remains one of the most common compliance gaps I encounter in my work with covered entities of all sizes.

Why Standard Text Messaging Violates the Security Rule

Standard SMS and consumer messaging apps like iMessage, WhatsApp, and Facebook Messenger do not meet HIPAA Security Rule requirements under 45 CFR Part 164, Subpart C. These platforms lack the encryption, audit controls, and access management that the Security Rule demands for any electronic protected health information (ePHI) in transit and at rest.

The issue is straightforward: when a clinician texts a patient's lab result to a colleague via SMS, that message can be intercepted, stored on carrier servers indefinitely, and accessed by anyone who picks up an unlocked phone. There is no authentication, no automatic logoff, and no audit trail. Each of those missing safeguards maps directly to a required or addressable implementation specification in the Security Rule.

OCR has never carved out an exception for text messaging. If protected health information moves through a communication channel, that channel must comply with the same technical, administrative, and physical safeguards as any other system handling PHI.

What a Compliant HIPAA Texting Policy Must Include

A defensible HIPAA texting policy is not a one-paragraph memo telling staff to "be careful." It is a documented, enforceable set of requirements that your organization must be able to produce during an OCR audit or breach investigation. At a minimum, your policy should address the following:

  • Approved platforms only: Specify which HIPAA-compliant secure messaging platforms are authorized for use. These platforms must offer end-to-end encryption, user authentication, remote wipe, and message expiration capabilities.
  • Prohibition on standard SMS for PHI: Explicitly state that workforce members may not send, receive, or store PHI via standard text messaging, consumer apps, or personal devices unless those devices are enrolled in your mobile device management (MDM) system.
  • Minimum necessary standard: Reinforce that even on approved platforms, staff must limit PHI to the minimum necessary to accomplish the intended purpose — a principle codified in the Privacy Rule at 45 CFR §164.502(b).
  • Authentication and access controls: Require multi-factor authentication or PIN access for any messaging app that handles ePHI. Auto-lock and automatic logoff must be enabled.
  • Audit and retention: Define how message logs are captured, stored, and reviewed. Your organization needs audit trail capability to demonstrate compliance.
  • Sanctions for violations: Document specific disciplinary consequences for policy violations, as required by the administrative safeguard provisions at 45 CFR §164.308(a)(1)(ii)(C).
  • Business associate agreements: If you use a third-party messaging vendor, a signed BAA must be in place before any PHI flows through their platform. The vendor is a business associate under the Omnibus Rule, period.

The Workforce Training Requirement Most Organizations Underestimate

Writing a policy is necessary but insufficient. Under 45 CFR §164.530(b), covered entities must train all workforce members on policies and procedures related to PHI — and that explicitly includes your texting policy. OCR enforcement actions repeatedly cite training failures as aggravating factors that increase penalty tiers.

Your training must go beyond a single onboarding session. Staff need concrete examples: what a compliant text looks like versus a non-compliant one, what to do if they accidentally send PHI via SMS, and how to use the approved platform correctly. Annual refreshers are essential, and documentation of completed training must be retained for six years.

If your organization hasn't formalized this process, structured HIPAA training and certification programs can help you build a training framework that satisfies OCR's expectations and creates a defensible compliance record.

Integrating Your Texting Policy into Your Risk Analysis

Your HIPAA texting policy cannot exist in isolation. It must be a documented component of the risk analysis required by 45 CFR §164.308(a)(1)(ii)(A). During your risk analysis, you should identify every channel through which PHI is transmitted — and text messaging, whether sanctioned or not, must appear on that inventory.

Healthcare organizations consistently struggle with this because shadow IT is pervasive. Staff adopt messaging tools without IT approval. Physicians text each other out of convenience. A thorough risk analysis surfaces these realities so your organization can address them with technology controls and policy enforcement rather than hoping the problem doesn't exist.

Document the risks, assign risk levels, and implement corresponding controls. If OCR investigates a breach involving text messaging, the first thing they will request is your risk analysis and the policies derived from it.

Patient-Initiated Texting and the Right to Request

A frequent question I receive: what if the patient wants to communicate via text? The Privacy Rule at 45 CFR §164.522(b) gives patients the right to request confidential communications by alternative means. If a patient asks to receive appointment reminders via text, you may accommodate that request — but you must document it and inform the patient that standard SMS is not secure.

This does not eliminate your obligations. You still must apply the minimum necessary standard, avoid sending sensitive clinical details via unsecured channels, and document the patient's preference. Many organizations handle this through their Notice of Privacy Practices, noting that patients who opt into text communications accept certain risks.

Enforcement Is Accelerating — Don't Wait for a Complaint

OCR's enforcement priorities have increasingly focused on technical safeguards and electronic communication. Between 2020 and 2024, settlements involving inadequate ePHI protections have risen sharply, with penalties ranging from $100,000 to over $4.3 million depending on the scope of the violation and the organization's compliance posture.

A missing or inadequate HIPAA texting policy is low-hanging fruit for investigators. It signals systemic compliance weakness and often leads to broader audit findings around risk analysis, workforce training, and business associate management.

The most effective step your organization can take today is to audit your current texting practices, implement an approved secure messaging platform, document your policy, train your workforce, and build the evidence trail that proves you did all of it. Comprehensive workforce HIPAA compliance programs give your team the knowledge to recognize risks before they become reportable breaches.

Your Next Step

Pull your current policies. Search for the word "texting" or "messaging." If you don't find a dedicated, enforceable HIPAA texting policy — or worse, if you find nothing at all — your organization has an open compliance gap that every OCR auditor and plaintiff's attorney knows exactly how to exploit. Close it now, not after the breach notification deadline is already ticking.