The Text That Cost a Practice Everything

A physician texted a colleague a photo of a patient's wound for a quick consult. Standard SMS. No encryption. The phone was lost in a restaurant two hours later. Within weeks, 412 patients received breach notification letters, and the practice spent over $150,000 on remediation before the state attorney general even got involved.

I've seen this exact pattern play out a dozen times. The staff member always says the same thing: "I didn't think a text was a big deal." But making your text messaging HIPAA compliant isn't optional — it's a legal requirement every time protected health information travels through a messaging platform.

Here's the reality most healthcare organizations avoid confronting: standard text messaging was never designed to protect sensitive data. And the Office for Civil Rights doesn't care that it was "just a quick text."

What Makes Text Messaging HIPAA Compliant — and What Doesn't

HIPAA doesn't ban texting. Let me say that again because people get this wrong constantly. There is no regulation that says "thou shalt not text." What HIPAA does require is that any electronic transmission of PHI meets the Security Rule's administrative, physical, and technical safeguards.

Standard SMS and iMessage fail on nearly every count. They lack end-to-end encryption that the covered entity controls, they store messages on devices without managed access controls, and they offer zero audit trail capabilities. That's three strikes before you even get to the question of whether the recipient's device is secured.

The Technical Safeguards You Actually Need

  • Encryption in transit and at rest: Messages containing ePHI must be encrypted using standards that meet NIST guidelines. Regular SMS doesn't qualify.
  • Access controls: Only authorized users should be able to view PHI. A shared phone on a nurse's station doesn't cut it.
  • Audit controls: You need logs showing who sent what, when, and to whom. Standard texting apps don't generate these.
  • Automatic logoff and session management: If a device sits idle, the messaging app must lock or log out.
  • Remote wipe capability: If a device is lost or stolen, you need to be able to destroy the data remotely.

If your current texting setup doesn't check every one of those boxes, your text messaging isn't HIPAA compliant. Period.

The $3 Million Lesson From Impermissible Disclosures

In 2019, the University of Rochester Medical Center agreed to a $3 million settlement with OCR after failing to encrypt mobile devices and manage ePHI on portable electronics. The investigation revealed that despite two prior incidents involving lost devices with unencrypted PHI, the organization still hadn't implemented mobile device policies that met Security Rule requirements.

That settlement wasn't about texting specifically — but it was about the exact same vulnerability. Unencrypted PHI on mobile devices. No enforceable policies. No workforce training. OCR's corrective action plan required URMC to overhaul its entire mobile device management program.

Your organization faces the same risk every time a staff member fires off a text containing a patient name, diagnosis, medication, or appointment detail through an unsecured channel.

"Can Patients Text Us First?"

This is the question I get more than any other. Here's the short answer for anyone searching: if a patient initiates a text conversation and you respond with limited information through that same channel, you have some flexibility — but you are not absolved of your HIPAA obligations.

HHS has acknowledged that patients can choose to communicate via unsecured channels if they're informed of the risks and still consent. But this doesn't mean your staff can then send lab results, diagnoses, or treatment plans over standard SMS just because the patient texted first.

You still need to document the patient's preference, warn them that standard texting isn't secure, and limit the PHI you share to what the patient requested. And critically — the patient's consent to receive unsecured texts doesn't protect you from enforcement if your internal staff communications about that patient are also unsecured.

What the HHS Guidance Actually Says

The HHS FAQ on electronic communications states that providers can use electronic communications including texting to discuss health information with patients, provided reasonable safeguards are in place. "Reasonable safeguards" means you've assessed the risk, implemented what's appropriate, and trained your workforce. It doesn't mean "the patient said it was fine, so we're good."

Secure Messaging Platforms: What to Look For

I'm not going to recommend specific vendors — that's not my role. But I will tell you exactly what your platform needs to do before you can call your text messaging HIPAA compliant.

  • Business Associate Agreement: Any third-party messaging vendor that handles PHI on your behalf must sign a BAA. No exceptions. If a vendor refuses or says they don't need one, walk away immediately.
  • Message expiration and retention controls: You need the ability to set message lifespans and manage retention according to your policies and state requirements.
  • User authentication: Multi-factor authentication for every user, every time. A four-digit PIN on a texting app is not sufficient.
  • Administrative controls: Your compliance officer needs the ability to manage users, pull audit logs, and enforce policies across the organization from a central dashboard.
  • Separation from personal messaging: Staff should not be mixing personal texts and PHI-containing messages in the same app. Containerization or a dedicated app is essential.

If you're evaluating platforms right now, our Mobile Devices & PHI training course walks through the full decision framework for securing PHI on smartphones and tablets.

Your Staff Is Already Texting PHI — Train Them Before OCR Calls

Here's what I've learned after years in this field: by the time an organization reaches out about compliant texting, their staff has already been texting PHI through unsecured channels for months or years. The horse is already out of the barn.

The critical first step isn't buying a platform. It's workforce training. Your employees need to understand what constitutes PHI, why standard texting exposes it, and what the consequences look like — for the organization and for them personally.

OCR's enforcement actions consistently cite "failure to train workforce members" as a contributing factor in settlements. It's one of the most common findings in corrective action plans. And it's one of the easiest to fix.

Training Priorities for Texting and Mobile Communication

Start with these three areas:

  • Identifying PHI in messages: Staff often don't realize that a patient's name combined with an appointment time is PHI. Training has to cover the 18 HIPAA identifiers and how they show up in everyday texts.
  • Device security basics: Lock screens, OS updates, app permissions, lost device protocols. Our Working from Home & PHI course covers these fundamentals for any workforce member using personal or employer-issued devices.
  • Incident reporting: Staff need to know that texting PHI to the wrong number is a potential breach — and that they're required to report it immediately, not hide it.

If your organization has remote workers — and in 2026, most healthcare organizations do — the stakes are even higher. Personal networks, shared family devices, and home offices without physical safeguards multiply the risk. Our HIPAA Training for Remote Healthcare Workers addresses these scenarios directly.

A Simple Policy Framework You Can Implement This Week

You don't need a 40-page policy document to get started. You need clear rules that your workforce can actually follow. Here's the framework I recommend to every client:

  • Rule 1: No PHI through standard SMS, iMessage, WhatsApp, or any consumer messaging app. No exceptions.
  • Rule 2: All clinical communication containing PHI must go through the organization's approved, BAA-covered messaging platform.
  • Rule 3: If a patient texts you PHI, do not respond with additional PHI through that channel. Direct them to the patient portal or a secure communication method.
  • Rule 4: Report any accidental PHI disclosure via text — including wrong-number texts — to your privacy officer within 24 hours.
  • Rule 5: Personal devices used for any work communication must meet minimum security requirements: encryption enabled, current OS, screen lock with biometric or strong passcode, remote wipe enrolled.

Post these rules. Train on them quarterly. Document the training. That documentation is what stands between you and a six-figure corrective action plan.

The Bottom Line on Text Messaging and HIPAA

Making text messaging HIPAA compliant requires three things working together: a secure platform with a signed BAA, enforceable organizational policies, and trained workforce members who understand the rules and follow them.

Skip any one of those three legs and the whole thing collapses. I've watched it happen to organizations that spent six figures on a secure messaging platform but never trained their staff to use it. The nurses kept texting through iMessage because nobody told them to stop.

Technology alone doesn't create compliance. People do. And people need training to get it right. Browse the full HIPAACertify course catalog to find the training that fits your organization's risk profile — before OCR makes the decision for you.