In 2023, a dental practice in Texas paid a $50,000 settlement to the HHS Office for Civil Rights after an employee texted patient appointment details — including diagnostic information — to the wrong phone number. The patient filed a complaint, OCR investigated, and what the agency found wasn't just a one-time texting error. It was a complete absence of policies governing mobile communications containing protected health information. This is the compliance gap that the collision between texting and HIPAA creates every day across healthcare.

Why Texting and HIPAA Create Constant Risk

Standard SMS text messages are not encrypted. They travel across carrier networks in plain text, get stored on devices without access controls, and persist in backups that your organization doesn't manage. Every one of these realities directly conflicts with the HIPAA Security Rule's requirements under 45 CFR § 164.312.

The Security Rule demands that covered entities and business associates implement technical safeguards to protect electronic PHI — including encryption and access controls. A standard text message satisfies none of these requirements. Yet workforce members across healthcare continue to text PHI because it's fast, familiar, and seemingly harmless.

OCR has never issued a blanket ban on texting in healthcare. But the agency has made clear through enforcement actions and guidance that any transmission of protected health information must meet the Security Rule's standards — regardless of the communication channel.

The Encryption Requirement Most Organizations Ignore

The Security Rule lists encryption as an "addressable" specification under 45 CFR § 164.312(e)(1). Healthcare organizations consistently misread "addressable" as "optional." It is not. If encryption is reasonable and appropriate — and for text-based PHI communication, it almost always is — your organization must implement it or document an equivalent alternative safeguard.

Standard SMS and consumer messaging apps like iMessage, WhatsApp, and Facebook Messenger fail this test. Even when a platform offers end-to-end encryption, it typically lacks audit controls, automatic message expiration, and centralized administrative oversight — all of which are critical for HIPAA compliance.

HIPAA-compliant messaging platforms exist specifically to fill this gap. Solutions like TigerConnect, Imprivata Cortext, and OhMD provide encrypted messaging with access controls, remote wipe capabilities, and audit logs. If your workforce needs to communicate about patients via text, these tools are the compliant path.

Patient-Initiated Texting: A Common Misconception

Many covered entities believe that if a patient texts them first, they're free to respond with PHI over standard SMS. This is a dangerous oversimplification.

The HIPAA Privacy Rule does allow healthcare providers to communicate with patients via the patient's preferred method — including text — if the patient has been informed of the risks and hasn't objected. This falls under 45 CFR § 164.522(b). But your organization still carries the obligation to apply the minimum necessary standard, limit what's shared, and document the patient's preference.

Texting a patient a simple appointment reminder is very different from texting lab results, diagnoses, or treatment plans. The more sensitive the PHI, the greater the risk — and the stronger OCR's expectation that you use a secure channel.

What You Must Document for Patient Text Communication

  • The patient's written or verbal consent to receive text communications
  • A clear warning that standard texting is not secure — typically included in your Notice of Privacy Practices
  • The specific types of information the patient has agreed to receive via text
  • Any patient request to opt out of text communication

Staff-to-Staff Texting Is Where Violations Multiply

In my work with covered entities, the highest-risk texting scenario isn't patient communication — it's internal. Nurses texting physicians about patient conditions. Front desk staff sending appointment details to providers. Billing teams sharing insurance information with outside business associate contacts.

These exchanges happen dozens of times per day in most healthcare settings. Without a secure, approved messaging platform and clear policies, every one of them is a potential HIPAA violation. And when a device is lost or stolen with unsecured PHI in the message history, it becomes a reportable breach under the Breach Notification Rule at 45 CFR §§ 164.400-414.

OCR's 2024 enforcement data shows that unauthorized disclosure — including through electronic communications — remains one of the top complaint categories. The agency investigates these cases aggressively, especially when the covered entity has no documented policy addressing mobile device use.

Build a Texting Policy Before OCR Builds a Case Against You

A compliant approach to texting and HIPAA starts with three actions your organization should take immediately.

1. Conduct a Risk Analysis That Includes Mobile Communications

Your risk analysis under 45 CFR § 164.308(a)(1) must account for all systems that create, receive, maintain, or transmit ePHI. If your workforce uses smartphones — and they do — text messaging must appear in your risk assessment. Identify the threats, assess the likelihood of a breach, and document your mitigation strategy.

2. Deploy and Enforce a Secure Messaging Platform

Select a HIPAA-compliant messaging solution, execute a business associate agreement with the vendor, and mandate its use for any communication involving PHI. Then enforce it. A policy without enforcement is the same as no policy in OCR's eyes.

3. Train Every Workforce Member — Not Just Clinicians

The Privacy Rule at 45 CFR § 164.530(b) requires training for every workforce member on policies and procedures related to PHI. Your texting policy must be part of that training. Administrative staff, contractors, volunteers — anyone who could encounter PHI needs to understand what they can and cannot text, and on which platform.

If your organization hasn't updated its workforce training to address mobile communication risks, you can close that gap with comprehensive HIPAA training and certification designed to cover modern compliance scenarios including texting, telehealth, and mobile device use.

The Bottom Line for Your Covered Entity

Texting isn't going away in healthcare. It's too fast and too useful. But the rules around texting and HIPAA are non-negotiable: encrypt PHI, document patient preferences, train your workforce, and audit your mobile communication practices.

OCR doesn't need to catch a massive data breach to penalize your organization. A single unencrypted text to the wrong number can trigger an investigation that exposes systemic policy failures. The organizations that avoid this outcome are the ones that built their policies before the complaint arrived.

Start by ensuring your entire team understands the requirements. HIPAA Certify's workforce compliance program gives your organization the training foundation to handle texting, mobile device management, and every other modern PHI risk with confidence.