That Text You Just Sent? It Probably Violated Federal Law

A nurse at a mid-size cardiology practice texts the on-call physician: "Mrs. Rivera's EF dropped to 25%, started on dobutamine drip, bed 4." Standard clinical shorthand. Happens thousands of times a day across the country. And in most cases, it's a HIPAA violation sitting in someone's unencrypted message thread.

If you're wondering whether your organization's SMS is HIPAA compliant, the short answer is almost certainly no — not unless you've taken very specific steps to lock it down. Standard text messaging on consumer smartphones lacks encryption in transit and at rest, has no access controls, no audit trails, and no remote wipe capability. Every single one of those gaps puts protected health information at risk.

I've spent years reviewing communication workflows at covered entities and business associates. Texting is where I find the most casual, widespread HIPAA exposure — and it's the one area where staff genuinely don't realize they're doing anything wrong.

Why Standard SMS Fails Every HIPAA Test

The HIPAA Security Rule requires three categories of safeguards for electronic protected health information (ePHI): administrative, physical, and technical. Standard SMS — the kind built into every iPhone and Android — fails on all three.

No Encryption

Regular SMS messages travel through carrier networks without end-to-end encryption. They can be intercepted, stored on carrier servers, and backed up to unencrypted cloud accounts. The Security Rule at 45 CFR Part 164, Subpart C requires covered entities to implement encryption mechanisms for ePHI in transit. Standard texting doesn't qualify.

No Access Controls

Anyone who picks up an unlocked phone can read every text on it. There's no role-based access, no unique user identification for the messaging app, and no automatic session timeout. If a clinician leaves their phone on the break room table, every patient name and diagnosis in their text history is exposed.

No Audit Logs

HIPAA requires that you track who accessed what PHI and when. Standard SMS has no logging mechanism. You can't prove who read a message, when it was opened, or whether it was forwarded to an unauthorized recipient.

No Remote Wipe

When a phone is lost or stolen — and HHS estimates device theft and loss remain top breach causes — you need the ability to remotely destroy ePHI on that device. Native SMS offers no such capability.

The $3 Million Penalty That Started with a Pager Replacement

You might remember the 2017 OCR settlement with Memorial Healthcare System for $5.5 million, driven partly by insufficient access controls on electronic systems. While that case involved login credentials rather than texting specifically, the core issue is identical: ePHI accessible to people who shouldn't have it, through systems with no safeguards.

I've seen smaller organizations assume texting penalties only happen to large health systems. That's dangerously wrong. OCR investigates complaints regardless of organizational size, and a single patient complaint about their diagnosis showing up in a screenshot can trigger a full review of your communication practices.

What Does "SMS HIPAA Compliant" Actually Mean?

This is the question I hear most often, so let me answer it directly.

For SMS to be HIPAA compliant, the messaging platform must provide: end-to-end encryption, user authentication, automatic message expiration or remote wipe, audit logging, and administrative controls — and you must have a Business Associate Agreement (BAA) with the platform vendor.

That last point is critical. Even if a vendor claims their product is "HIPAA compliant," it means nothing without a signed BAA. The BAA makes the vendor legally accountable for protecting the PHI that passes through their system. No BAA, no compliance. Period.

Consumer Apps Don't Count

iMessage, WhatsApp, standard Android Messages — none of these services will sign a BAA with your organization. Apple has stated explicitly that iMessage is not designed for HIPAA compliance in healthcare settings. WhatsApp's end-to-end encryption is a step in the right direction technically, but Meta will not execute a BAA. Without that agreement, using these platforms for PHI is a violation regardless of their security features.

What a Compliant Texting Workflow Actually Looks Like

In my experience, organizations that get texting right follow a specific pattern. Here's what I recommend to every covered entity I work with.

1. Choose a Secure Messaging Platform with a BAA

Several healthcare-specific messaging platforms exist that offer encryption, access controls, message expiration, and audit trails. Before signing any contract, confirm the vendor will execute a BAA and ask for documentation of their security architecture. Review it against the Security Rule's requirements.

2. Prohibit PHI in Standard SMS — No Exceptions

Your workforce needs a clear, written policy: no patient names, diagnoses, treatment details, medication information, or any of the 18 HIPAA identifiers in standard text messages. Ever. This policy must be part of your training program and reinforced regularly.

3. Train Every Staff Member Who Touches a Phone

This is where most organizations fall apart. You can buy the best secure messaging platform on the market, but if your staff defaults to regular texting because it's faster, you've wasted every dollar. Training has to be specific to the tools people actually use. Our Mobile Devices & PHI training covers exactly this scenario — how to handle ePHI on smartphones, tablets, and other portable devices in a way that satisfies OCR.

4. Enable Mobile Device Management (MDM)

MDM software lets your IT team enforce passcode requirements, encrypt device storage, and remotely wipe devices that are lost or stolen. If your workforce uses personal devices for any work-related communication — even just checking a schedule — MDM is non-negotiable.

5. Audit Regularly

Quarterly audits of your messaging practices catch drift before it becomes a breach. Check that staff are using the approved platform, that the vendor's BAA is current, and that terminated employees have been removed from the system.

Remote Workers Make This Problem Exponentially Worse

The shift to remote and hybrid healthcare work has blown the texting problem wide open. Telehealth coordinators, remote coders, work-from-home billing staff — they're all communicating about patients from home networks, personal devices, and shared family computers.

I've reviewed incidents where a remote coder texted a colleague a patient's Social Security number to resolve a billing question. The text sat in an unencrypted iMessage thread on a phone that the coder's teenager also used. That's a breach waiting to happen — or more accurately, a breach that already happened under HIPAA's definition.

If any part of your workforce operates remotely, your SMS compliance strategy has to account for that reality. Our HIPAA Training for Remote Healthcare Workers walks through the specific risks remote staff face, including unsecured communication channels. And for organizations building out their work-from-home policies, our Working from Home & PHI course provides a practical framework your staff can actually follow.

The "But Everyone Does It" Defense Won't Save You

I hear this constantly. "Every practice in our area texts like this." "The hospital across town does the same thing." OCR doesn't grade on a curve. The fact that your peers are also non-compliant doesn't reduce your liability by a single dollar.

Under the HITECH Act's penalty tiers, violations due to willful neglect that are not corrected carry penalties of $68,928 to $2,067,813 per violation category, per year. HHS adjusts these annually for inflation. A pattern of unsecured texting across your organization could represent dozens of individual violation categories — insufficient encryption, lack of access controls, missing audit logs, failure to train workforce — each compounding separately.

Five Questions to Ask Your Team This Week

  • Do we have a signed BAA with every messaging platform our staff uses for PHI? If the answer is no for even one platform, you have an active compliance gap.
  • Does our written policy explicitly address SMS and consumer messaging apps? A generic "protect PHI" policy isn't specific enough.
  • Have we trained staff on approved communication tools in the last 12 months? Annual training is the minimum. Role-specific training is better.
  • Can we remotely wipe a lost device within 24 hours? If your IT team can't answer this confidently, your breach response plan has a hole in it.
  • Are we auditing actual texting behavior, not just policy compliance on paper? Policies don't protect patients. Behavior does.
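As an added example (not from the original post) of the behavioral audit in step 5 and the last question above: a small Python scanner over an exported message log that flags the identifier classes that can be matched mechanically, masks them so the audit report does not itself carry PHI, and counts hits per sender. The export format, the sample messages and the clinical term list are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Regexes for identifier classes that can be matched mechanically in free text.
# Names and diagnoses cannot be caught this way, so a hit is a floor, not a ceiling.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,10}\b", re.I),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]\d{3}[-.]\d{4}\b"),
}
# Constructed clinical vocabulary; a real audit would load the local formulary/problem list.
CLINICAL_TERMS = {"dobutamine", "metoprolol", "ef", "hba1c", "biopsy"}

@dataclass
class Finding:
    line_no: int
    sender: str
    kinds: list
    redacted: str  # message with matched values masked, safe to include in a report

def scan_export(lines):
    """Scan an SMS export (one 'sender: text' per line) for likely PHI."""
    findings = []
    for n, line in enumerate(lines, 1):
        sender, _, text = line.partition(": ")
        kinds, redacted = [], text
        for kind, pat in PATTERNS.items():
            if pat.search(text):
                kinds.append(kind)
                redacted = pat.sub(f"[{kind.upper()}]", redacted)
        if set(re.findall(r"[a-z0-9]+", text.lower())) & CLINICAL_TERMS:
            kinds.append("clinical_term")
        if kinds:
            findings.append(Finding(n, sender, kinds, redacted))
    return findings

def per_sender(findings):
    """Count flagged messages per sender, the figure a quarterly audit reports."""
    counts = {}
    for f in findings:
        counts[f.sender] = counts.get(f.sender, 0) + 1
    return counts

# Constructed sample export; every value is made up.
SAMPLE_EXPORT = [
    "nurse.j: Mrs. Rivera's EF dropped to 25%, started on dobutamine drip, bed 4",
    "coder.m: can you check the claim for SSN 123-45-6789? DOB 04/12/1961",
    "admin.k: staff meeting moved to 3pm, room B",
    "coder.m: MRN 00482913 needs a modifier on the second line",
]
```

Run it against a platform's message export (or an MDM-collected SMS log) and compare the per-sender counts across quarters; a non-zero count for a sender who is not on the approved platform is the policy drift the audit exists to catch.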

Making SMS HIPAA Compliant Is a Process, Not a Product

No single app or platform makes you compliant. Compliance lives in the combination of technology, policy, training, and enforcement. You need a secure platform backed by a BAA. You need policies that are specific and enforceable. You need training that addresses the exact tools your workforce uses every day. And you need leadership willing to hold people accountable when they cut corners.

The organizations I've seen handle this well treat secure messaging the same way they treat hand hygiene — as a non-negotiable professional standard that gets reinforced constantly. The ones that struggle treat it as an IT problem and hope the technology alone will save them.

Your patients trust you with their most sensitive information. Every unencrypted text with a diagnosis, a medication list, or a name and date of birth betrays that trust — whether the patient ever finds out or not. Fix your texting. Fix it now. And make sure every person on your team understands exactly what's at stake.