In 2023, a dental practice in Texas agreed to a $50,000 settlement with OCR after an investigation revealed staff members were texting appointment reminders containing patient diagnoses over standard SMS — with no encryption, no access controls, and no written policy governing the practice. The scenario is alarmingly common. Every week, I hear from healthcare organizations asking whether their text messaging is HIPAA compliant, and the answer almost always starts with "not yet."
Why Standard Text Messaging Is Not HIPAA Compliant
Standard SMS and consumer messaging apps like iMessage, WhatsApp, and Facebook Messenger were not designed to meet HIPAA's Security Rule requirements under 45 CFR Part 164, Subpart C. These platforms lack the administrative, physical, and technical safeguards the rule demands for any electronic protected health information (ePHI) in transit or at rest.
The core problems with standard texting are straightforward. Messages are stored in plain text on devices and carrier servers. There is no audit trail showing who accessed the message. Organizations cannot remotely wipe messages if a device is lost or stolen. And there is no way to enforce automatic logoff or unique user authentication on a personal phone's native messaging app.
OCR has never issued a specific "texting rule," but the agency has made clear through guidance and enforcement actions that the Security Rule applies to ePHI regardless of the medium. If your workforce sends or receives protected health information via text, every applicable safeguard must be in place.
Security Rule Safeguards Required for HIPAA-Compliant Text Messaging
Making text messaging HIPAA compliant requires satisfying three categories of safeguards. Missing any one of them leaves your covered entity or business associate exposed to OCR enforcement action.
Technical Safeguards
- Encryption: Messages containing PHI must be encrypted both in transit and at rest. The NIST standard referenced by HHS is AES 128-bit or higher. Standard SMS does not meet this threshold.
- Access Controls: Only authorized users should access messaging platforms. This means unique user IDs, automatic logoff after inactivity, and password or biometric authentication.
- Audit Controls: Your organization must maintain logs showing who sent, received, and accessed messages containing ePHI — including timestamps and recipient details.
- Integrity Controls: Mechanisms must be in place to ensure messages have not been altered or destroyed improperly during transmission.
Administrative Safeguards
- Risk Analysis: Before deploying any messaging solution, your organization must conduct a thorough risk analysis under 45 CFR §164.308(a)(1)(ii)(A) to identify vulnerabilities specific to mobile communications.
- Policies and Procedures: Written policies must define who can text, what information can be included, which platform must be used, and how messages are retained and disposed of.
- Workforce Training: Every member of your workforce who uses messaging tools must be trained on acceptable use, PHI handling, and how to report a suspected breach. Completing a structured HIPAA training and certification program is the most reliable way to ensure this requirement is met across your entire team.
Physical Safeguards
- Device Security: Mobile devices used for messaging must be protected with screen locks, remote wipe capability, and physical access restrictions.
- Workstation and Device Controls: Your organization must track which devices are authorized to access the messaging platform and have a documented process for decommissioning devices when workforce members leave.
Business Associate Agreements: The Step Most Organizations Skip
If you use a third-party messaging platform to transmit PHI, that vendor is a business associate. Under the Omnibus Rule, you must execute a business associate agreement (BAA) before any ePHI is transmitted through their system. Major consumer apps — including standard SMS carriers, WhatsApp, and Facebook Messenger — will not sign a BAA. This alone disqualifies them from HIPAA-compliant use.
HIPAA-compliant messaging vendors like TigerConnect, OhMD, and Spruce Health will sign BAAs and provide the encryption, audit, and access controls required by the Security Rule. Before signing, verify the vendor's security documentation and confirm their encryption standards meet NIST specifications.
The Minimum Necessary Standard Applies to Every Text
Even on a compliant platform, the Privacy Rule's minimum necessary standard under 45 CFR §164.502(b) still applies. Your workforce should never include more PHI in a text than is needed for the immediate purpose. A message confirming a patient's appointment time does not require a diagnosis code, insurance ID, or Social Security number.
Build this principle into your messaging policies. Specify exactly what categories of information may and may not be transmitted via text. Then reinforce those boundaries through regular workforce training — not once at onboarding, but on an ongoing basis as required by 45 CFR §164.530(b).
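One way to turn the minimum necessary categories above, together with the audit-control requirement from the Technical Safeguards section, into an enforceable pre-send check. This is an added example, not the page's own code or any vendor's API; the PHI detectors, the sample messages, and the `transport` callback are constructed assumptions.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed, simplified detectors for PHI categories a texting policy
# commonly prohibits in appointment reminders (tune before production use).
PROHIBITED = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # ICD-10-CM shape: letter, digit, alphanumeric, optional .xxxx (simplified)
    "diagnosis_code": re.compile(r"\b[A-TV-Z]\d[0-9A-Z](?:\.[0-9A-Z]{1,4})?\b"),
    "insurance_id": re.compile(
        r"\b(?:member|policy|insurance)\s*(?:id|#|number)\s*:?\s*[A-Z0-9-]{6,}", re.I),
}


def find_prohibited(text):
    """Return the sorted list of prohibited PHI categories present in text."""
    return sorted(name for name, rx in PROHIBITED.items() if rx.search(text))


def send_with_policy(sender, recipient, text, audit_log, transport):
    """Gate an outbound text on the minimum-necessary policy and record an
    audit entry either way. The log stores a digest, not the message body,
    so the audit trail does not become a second copy of the ePHI."""
    hits = find_prohibited(text)
    decision = "blocked" if hits else "sent"
    if not hits:
        transport(recipient, text)  # hypothetical vendor send function
    audit_log.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "sender": sender,
        "recipient": recipient,
        "decision": decision,
        "violations": hits,
        "message_sha256": hashlib.sha256(text.encode()).hexdigest(),
    })
    return decision


# Constructed sample messages: the first follows the policy, the second does not.
ALLOWED_MSG = ("Reminder: your appointment with Dr. Lee is Tue 3/12 at 2:30 PM. "
               "Reply C to confirm.")
BLOCKED_MSG = ("Reminder for your E11.9 follow-up Tue 3/12; bring member ID "
               "BCB12345678 and SSN 123-45-6789.")

if __name__ == "__main__":
    log, outbox = [], []
    fake_send = lambda to, body: outbox.append((to, body))  # in-memory stand-in
    print(send_with_policy("nurse01", "+15550100", ALLOWED_MSG, log, fake_send))
    print(send_with_policy("nurse01", "+15550100", BLOCKED_MSG, log, fake_send))
    for entry in log:
        print(entry)
```

Reviewing the `violations` field of blocked entries is a direct input to the quarterly audit-log review and workforce retraining the roadmap below calls for.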
What Happens When Texting Goes Wrong: Breach Notification Obligations
If an unsecured text containing PHI is sent to the wrong recipient, left on a lost device, or intercepted due to lack of encryption, your organization faces breach notification obligations under 45 CFR Part 164, Subpart D. For breaches affecting fewer than 500 individuals, you must notify affected patients without unreasonable delay and report to HHS within 60 days of the end of the calendar year. Breaches affecting 500 or more individuals require notification to HHS and prominent media outlets within 60 days of discovery.
OCR's 2024 breach portal data shows that unauthorized access and disclosure — the category most texting breaches fall under — accounted for a significant share of reported incidents. Many of these were entirely preventable with proper platform selection and workforce education.
A Practical Roadmap to Make Your Text Messaging HIPAA Compliant
Healthcare organizations that want to use text messaging without risking HIPAA violations should follow this sequence:
- Step 1: Conduct a risk analysis that specifically evaluates mobile messaging workflows and identifies where PHI is transmitted.
- Step 2: Select a messaging platform that provides end-to-end encryption, audit logging, access controls, and a signed BAA.
- Step 3: Draft and implement written messaging policies aligned with both the Security Rule and the Privacy Rule's minimum necessary standard.
- Step 4: Train your entire workforce — clinical and administrative — on the new policies. Enroll staff in a comprehensive HIPAA workforce compliance program to document completion and maintain ongoing accountability.
- Step 5: Review audit logs quarterly, update your risk analysis annually, and revise policies whenever you change vendors or communication workflows.
The Bottom Line for Your Organization
Text messaging is fast, convenient, and increasingly expected by patients and providers alike. But convenience does not override the Security Rule. Making text messaging HIPAA compliant demands the right technology, enforceable policies, executed BAAs, and a workforce that understands exactly what can and cannot be sent. Organizations that treat this as a one-time checkbox — rather than an ongoing compliance obligation — are the ones that end up on OCR's breach portal.