In 2023, a dental practice in Texas received a $50,000 OCR settlement after a staff member texted appointment details — including treatment information — to the wrong phone number. The patient filed a complaint, OCR investigated, and the practice had no policies governing electronic messaging. If your workforce is texting patients without safeguards, you need to know the answer to a basic question: is texting a patient a HIPAA violation? The answer depends entirely on how you do it.

Is Texting a Patient a HIPAA Violation Under the Privacy Rule?

HIPAA does not explicitly ban text messaging. Nothing in 45 CFR Part 164 says "thou shalt not text." What the Privacy Rule does require is that any communication involving protected health information (PHI) meets the minimum necessary standard and includes appropriate safeguards against unauthorized disclosure.

A text message that contains PHI — a diagnosis, medication name, lab result, treatment plan, or even a reference to a specific appointment type — triggers every obligation under the Privacy Rule and the Security Rule. If your organization sends that text over standard, unencrypted SMS with no access controls, you have a compliance problem.

OCR has made clear through guidance and enforcement actions that the medium of communication is not the issue. The issue is whether your covered entity has implemented the administrative, physical, and technical safeguards required by the Security Rule to protect electronic PHI (ePHI) in transit and at rest.

When Standard SMS Becomes a Compliance Risk

Standard SMS messages are not encrypted end-to-end. They can be intercepted, stored on carrier servers, and read by anyone who picks up an unlocked phone. Here are the specific risks that make unsecured texting dangerous:

  • No encryption in transit: The Security Rule at 45 CFR §164.312(e)(1) requires transmission security for ePHI. Standard SMS does not meet this requirement.
  • No access controls: Text messages on a phone are visible to anyone with access to the device, including lock-screen previews that display message content.
  • No audit trail: The Security Rule requires audit controls (45 CFR §164.312(b)). Standard text messaging provides no logging mechanism that satisfies this standard.
  • Wrong-number risk: Unlike a patient portal with identity verification, a single mistyped digit sends PHI to a stranger — an immediate breach under the Breach Notification Rule.

If your workforce is using personal phones or standard messaging apps to communicate PHI, your organization is exposed to both a HIPAA violation and a reportable breach.

Some organizations believe that obtaining patient consent resolves the issue. It doesn't — at least not completely. Under the Privacy Rule, a patient can request to receive communications by a specific means, including text message. Your covered entity must accommodate reasonable requests under 45 CFR §164.522(b).

However, patient consent to receive texts does not relieve your organization of its Security Rule obligations. You are still required to conduct a risk analysis, implement safeguards, and ensure that any platform used to transmit ePHI meets HIPAA's technical requirements. A signed consent form does not make an unencrypted SMS compliant.

In my work with covered entities and business associates, this is one of the most misunderstood areas of HIPAA compliance. Patient preference governs the channel; the Security Rule governs the safeguards on that channel.

How to Text Patients Without Violating HIPAA

Texting can be compliant if your organization takes deliberate steps. Here is what OCR enforcement trends and the regulatory text tell us you need:

  • Use a HIPAA-compliant messaging platform: Choose a platform that provides end-to-end encryption, access controls, automatic logoff, and audit logging. The vendor must sign a business associate agreement (BAA) before any PHI flows through its system.
  • Conduct a risk analysis: Before deploying any texting solution, complete a thorough risk analysis as required by 45 CFR §164.308(a)(1). Document the risks specific to mobile messaging and your mitigation strategies.
  • Implement a texting policy: Your policies should specify who can text patients, what information can be included, which platforms are authorized, and what happens when a message is sent to the wrong number.
  • Train your workforce: The Security Rule requires security awareness training at 45 CFR §164.308(a)(5). Every staff member who communicates with patients must understand what can and cannot be texted. Comprehensive HIPAA training and certification ensures your team knows these boundaries before a mistake occurs.
  • Limit PHI in messages: Apply the minimum necessary standard aggressively. Appointment reminders that say "You have an appointment tomorrow at 2 PM" are far less risky than messages that include provider names, treatment types, or clinical details.
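The controls in this checklist can be enforced in the sending path rather than left to staff memory. The following is an added illustration written for this article, not code from HIPAA Certify, OCR, or any messaging vendor. It models an outbound text gate that only sends from approved templates whose placeholders are scheduling fields (minimum necessary), refuses any destination that does not match the number on the patient's consent record (wrong-number risk), and writes an audit entry for every attempt (45 CFR §164.312(b)). The `Consent` record, the template set, the clinical-term list and the patient data are all constructed assumptions.

```python
"""Outbound patient-text gate: added example, not any vendor's product code.
All templates, term lists and patient records below are constructed."""

from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Approved templates. Placeholders are limited to scheduling fields, so an
# approved message cannot carry a provider name, treatment type or diagnosis.
TEMPLATES = {
    "reminder": "Reminder: you have an appointment on {date} at {time}. Reply C to confirm.",
    "reschedule": "Your appointment on {date} needs to be rescheduled. Please call the office.",
}
ALLOWED_FIELDS = {"date", "time"}

# Constructed backstop deny-list for clinical terms smuggled into a field value;
# a real deployment would maintain its own list under its texting policy.
CLINICAL_TERMS = re.compile(
    r"\b(?:diagnos\w*|prescri\w*|lab results?|biopsy|therapy|surgery)\b|\bdr\.?\s", re.I
)


@dataclass
class Consent:
    """Constructed stand-in for the patient's texting-preference record."""
    patient_id: str
    verified_number: str  # number confirmed with the patient, E.164 form
    opted_in: bool


@dataclass
class TextGate:
    consents: dict[str, Consent]
    audit_log: list[dict] = field(default_factory=list)

    def _record(self, outcome: str, reason: str, **ctx) -> None:
        # Every attempt, accepted or rejected, produces an audit entry.
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "outcome": outcome, "reason": reason, **ctx})

    def send(self, patient_id: str, to_number: str, template: str, **fields) -> tuple[bool, str]:
        """Return (accepted, body_or_reason). Only accepted bodies go to the carrier."""
        ctx = {"patient": patient_id, "to": to_number, "template": template}

        def reject(reason: str) -> tuple[bool, str]:
            self._record("rejected", reason, **ctx)
            return False, reason

        consent = self.consents.get(patient_id)
        if consent is None or not consent.opted_in:
            return reject("no opt-in")
        if to_number != consent.verified_number:
            # Wrong-number defence: the caller cannot supply an arbitrary destination.
            return reject("unverified number")
        if template not in TEMPLATES:
            return reject("unapproved template")
        if set(fields) - ALLOWED_FIELDS:
            return reject("disallowed field")
        try:
            body = TEMPLATES[template].format(**fields)
        except KeyError:
            return reject("missing field")
        if CLINICAL_TERMS.search(body):
            return reject("clinical term in body")
        self._record("sent", "ok", **ctx)  # log metadata only, never the body
        return True, body
```

The allowlisted templates are the real control here; the clinical-term regex is only a backstop against free text pasted into a placeholder value, and keyword lists of that kind are easy to miss with. Note also that the audit entry deliberately records who, where and which template, not the message body, so the log itself does not become a second store of PHI.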

The Workforce Training Requirement Most Organizations Underestimate

Healthcare organizations consistently struggle with the gap between having a compliant texting platform and having a workforce that uses it correctly. OCR's enforcement cases frequently cite insufficient training as a contributing factor — even when the technology was technically adequate.

Your staff need to understand not just how to use the approved platform, but why standard SMS is prohibited for PHI, what qualifies as protected health information, and how to respond if a message is sent to the wrong recipient. This is not a one-time orientation checkbox. The Security Rule anticipates ongoing, role-specific training.

If your organization lacks a structured training program, HIPAA Certify's workforce compliance platform provides the training infrastructure and documentation you need to demonstrate compliance to OCR during an investigation.

What to Do If a Text Message Breach Has Already Occurred

If PHI has been sent via unsecured text to the wrong recipient, your Breach Notification Rule obligations begin immediately. Under 45 CFR §164.404, you must notify the affected individual without unreasonable delay and no later than 60 days from discovery. If the breach affects 500 or more individuals, you must also notify OCR and prominent media outlets.

Document everything: the content of the message, the date of discovery, the individuals affected, and your remediation steps. OCR will evaluate whether the breach resulted from willful neglect — which carries penalties ranging from $71,162 to $2,134,831 per violation category under the adjusted 2024 penalty tiers.

Even for smaller incidents, self-reporting and prompt remediation dramatically improve your position if OCR opens an investigation.

The Bottom Line on Texting and HIPAA

So is texting a patient a HIPAA violation? Not inherently — but texting PHI without encryption, without a BAA-backed platform, without a risk analysis, and without workforce training absolutely is. The organizations that avoid enforcement actions are the ones that treat mobile communication with the same rigor they apply to their EHR systems and their Notice of Privacy Practices.

Your patients may prefer texting. The law allows you to accommodate that preference. But accommodation without safeguards is a violation waiting to happen — and OCR has shown no hesitation in enforcing that standard.