In 2023, a dermatology practice in Connecticut paid $150,000 to settle an OCR investigation that traced back, in part, to unsecured electronic communications — including text messages containing patient information. The case underscored what many covered entities still underestimate: texting and HIPAA compliance is not a gray area. It is a defined regulatory obligation with real enforcement consequences.
Healthcare professionals love the speed and convenience of texting. Nurses coordinate shift changes. Physicians consult on cases. Front-desk staff confirm appointments. But every one of those messages is a potential HIPAA violation if protected health information travels through an unsecured channel.
Why Standard Texting Fails HIPAA Security Rule Requirements
The HIPAA Security Rule under 45 CFR Part 164 Subpart C requires covered entities and business associates to implement administrative, physical, and technical safeguards for electronic protected health information (ePHI). Standard SMS texting — the default messaging app on virtually every smartphone — fails on multiple fronts.
First, SMS is not end-to-end encrypted. Whatever over-the-air protection the network applies ends at the carrier, and message content is readable to the carrier and to anyone who gains access to its systems. Second, texts persist in the phone's messaging store and in device backups, so a lost, stolen, or simply unlocked phone exposes the full conversation history. Third, there is no access control beyond the device lock: anyone who picks up an unlocked phone can read the conversation, and your organization has no way to revoke a departing employee's access to messages already on the device.
These gaps map directly onto the Security Rule's technical safeguards: access control (45 CFR §164.312(a)), audit controls (§164.312(b)), and transmission security (§164.312(e)). Encryption is an "addressable" specification under §164.312(a)(2)(iv) and §164.312(e)(2)(ii), which does not make it optional: you must implement it or document why an equivalent alternative is reasonable and appropriate, and plain SMS offers nothing to document. Using standard SMS to transmit PHI is therefore not simply risky; it is a compliance failure your organization can be held accountable for.
Texting and HIPAA Compliance: The Safeguards You Must Implement
OCR has made clear that the rules do not prohibit texting outright. What they prohibit is texting PHI without appropriate safeguards. If your organization wants to use text-based communication, you need to meet specific Security Rule standards.
- Encryption: Messages containing PHI must be encrypted in transit and at rest. In practice this means a secure messaging platform built for healthcare. Consumer apps like iMessage and WhatsApp do encrypt messages in transit, but they give your organization no central access control, no audit trail, and no BAA, so they fail the remaining safeguards even where the cryptography is sound.
- Access Controls: Only authorized workforce members should access the messaging platform, using unique credentials and multi-factor authentication where possible.
- Audit Controls: Your organization needs the ability to log message activity — who sent what, when, and to whom — for compliance monitoring and incident response.
- Automatic Logoff and Remote Wipe: Devices must lock after inactivity, and your IT team must be able to remotely wipe a lost or stolen device containing ePHI.
- Retention and Disposal: Messages containing PHI must be retained per your organization's policies and securely disposed of when no longer needed.
If your current texting practices do not check every one of these boxes, you have a compliance gap that needs immediate attention.
The Business Associate Agreement Trap with Messaging Vendors
Healthcare organizations consistently overlook one critical step when adopting secure messaging platforms: executing a business associate agreement (BAA). Under the HIPAA Omnibus Rule, any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate.
That includes your messaging platform provider. If you are using a service like TigerConnect, Imprivata Cortext, or OhMD, you need a signed BAA before a single message containing PHI is sent. Without it, your organization is in violation — regardless of how secure the platform claims to be.
Many consumer-grade apps explicitly refuse to sign a BAA. That alone disqualifies them from any use involving protected health information.
Common Texting Violations That Trigger OCR Investigations
In my work with covered entities, I see the same texting-related HIPAA violations repeatedly. Understanding these patterns can help your organization avoid becoming the next enforcement case.
- Physicians texting patient lab results to colleagues via standard SMS. Even between two clinicians, unsecured PHI in transit is a violation.
- Staff texting appointment reminders with diagnosis codes or treatment details. Reminders themselves are permitted, and a patient who has been told of the risk may choose to receive them by unsecured text, but a reminder needs only a date, time, and location. Adding a diagnosis code or treatment detail exceeds the minimum necessary standard and puts clinical PHI on an unsecured channel.
- Group texts that include PHI. A single misdirected group message can expose dozens of patient records and trigger the Breach Notification Rule.
- No mobile device policy in place. OCR expects a documented policy governing mobile device use. Without one, your risk analysis is incomplete.
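The reminder case above is the one texting practice that can legitimately stay on an ordinary channel, so it is worth enforcing the minimum necessary boundary mechanically at the point where reminders leave your systems. The following Python pre-send gate is an added example, not code from the original article or from any vendor named in it. The ICD-10 pattern, the clinical-term list, and the sample reminders are illustrative assumptions; a hit should hold the message for human review rather than serve as proof that it contains PHI.

```python
import re

# ICD-10-CM code shape: a letter (U is reserved), a digit, an alphanumeric, then an
# optional dot and up to four more characters, e.g. E11.9 or S72.001A. This is an
# illustrative pattern, not an authoritative validator: it also matches strings
# such as "B12", which is why a hit holds the message instead of rejecting it.
ICD10_RE = re.compile(r"\b[A-TV-Z][0-9][0-9A-Z](?:\.[0-9A-Z]{1,4})?\b")

# Constructed list of terms that do not belong in an appointment reminder. Matched
# case-insensitively; extend it from your own reminder templates and past incidents.
CLINICAL_TERMS = (
    "diagnos", "lab result", "biopsy", "test came back", "positive", "negative",
    "prescription", "dosage", "hiv", "chemo", "psychiatr", "substance use",
)


def screen_reminder(body: str, recipients: list[str]) -> list[str]:
    """Return the reasons an outbound reminder should be held; an empty list means it may go."""
    reasons = []
    # A reminder addresses one patient. More than one recipient is the misdirected
    # group-text pattern described above, regardless of what the body says.
    if len(recipients) != 1:
        reasons.append(f"expected exactly one recipient, got {len(recipients)}")
    for match in ICD10_RE.finditer(body):
        reasons.append(f"possible ICD-10 code {match.group(0)!r}")
    lowered = body.lower()
    for term in CLINICAL_TERMS:
        if term in lowered:
            reasons.append(f"clinical term {term!r}")
    return reasons


def send_or_hold(body: str, recipients: list[str]) -> str:
    """Decide what the SMS gateway does with a reminder: 'send' it or 'hold' it for review."""
    return "hold" if screen_reminder(body, recipients) else "send"


if __name__ == "__main__":
    # Constructed sample reminders: one that carries only logistics, one that leaks PHI.
    ok = "Reminder: appointment Thu 10:30 at Main St Clinic. Reply C to confirm or call to reschedule."
    bad = "Reminder: follow-up Thu 10:30 for E11.9 and your lab results."
    print(send_or_hold(ok, ["+15550100"]))      # send
    print(screen_reminder(bad, ["+15550100"]))  # possible ICD-10 code and a clinical term
```

Wire `send_or_hold` in front of whatever actually hands the message to the carrier, and route held messages to a reviewer rather than back to the sender with the text intact; the point is to keep the clinical detail off the unsecured channel, not to make staff retype it.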
Each of these scenarios can lead to a reportable breach, an OCR investigation, and civil money penalties under the HITECH Act's tiered structure, which starts at $100 and runs to $50,000 per violation before the annual inflation adjustments that raise those figures, with a separate annual cap for each provision violated.
The Risk Analysis Step Most Organizations Skip
Your HIPAA risk analysis — required under 45 CFR §164.308(a)(1)(ii)(A) — must specifically address mobile communications, including texting. Yet many organizations perform a risk analysis that focuses on EHR systems and network security while ignoring the devices in every employee's pocket.
Document how PHI could be exposed through text messages. Identify who in your workforce uses texting in their role. Assess whether current controls are sufficient. Then implement corrective actions and track them. This is not optional — it is the foundation of your Security Rule compliance program.
Workforce Training: The First Line of Defense for Texting Compliance
Technical controls matter, but they fail without a trained workforce. Your team needs to understand exactly what they can and cannot communicate via text, which platforms are approved, and what to do if they accidentally send PHI through an unsecured channel.
This is where HIPAA training and certification becomes essential. Training should cover mobile device policies, secure messaging procedures, and breach reporting obligations — not just generic HIPAA overviews. Every member of your workforce, from clinicians to administrative staff, must receive this training and acknowledge it in writing.
Organizations that invest in structured, ongoing workforce education through programs like HIPAA Certify's workforce compliance platform see measurably fewer incidents tied to unsecured communications. The cost of training is a fraction of the cost of a single OCR settlement.
Three Steps to Take This Week
Texting and HIPAA compliance does not require eliminating text communication entirely. It requires doing it correctly. Here are three immediate actions for your organization:
- Audit current texting practices. Survey your workforce to determine how and where PHI is being communicated via text. You cannot fix what you have not identified.
- Adopt a HIPAA-compliant messaging platform and execute a BAA with the vendor before the first message goes out. Migrate all PHI-related communication to that platform and prohibit standard SMS for any message that carries PHI, not only clinical discussions.
- Update your internal policies and, where it describes how you communicate with patients, your Notice of Privacy Practices. Ensure the policies explicitly address mobile communication, and train every workforce member on the updated requirements.
The convenience of texting is not going away. But neither is OCR's expectation that your covered entity will protect PHI in every format, on every device, in every transmission. Build the safeguards now — before a lost phone or misdirected message forces you to build them under investigation.