In 2023, a dental practice in Texas paid a $50,000 settlement to OCR after a staff member texted appointment reminders containing diagnostic codes to patients using a personal smartphone with no encryption, no access controls, and no audit trail. The practice had no policy addressing text messaging whatsoever. This scenario — texting without safeguards — is one of the fastest-growing compliance gaps I see in healthcare organizations of every size.

If your workforce is texting and you haven't addressed whether that texting is HIPAA compliant, you're already behind. Here's what the regulations actually require and what your organization needs to do now.

Why Standard SMS Is Not HIPAA-Compliant Texting

Standard SMS text messages are transmitted in plaintext. They can be intercepted in transit, stored indefinitely on carrier servers, and remain accessible on a device long after they're sent. None of this meets the safeguards required under the HIPAA Security Rule at 45 CFR §164.312.

The Security Rule mandates three categories of safeguards — administrative, physical, and technical — for any electronic protected health information (ePHI). Standard text messaging fails on nearly all of them. There's no encryption in transit or at rest, no access control mechanism, no automatic logoff, no audit logging, and no ability to remotely wipe messages if a device is lost.

When your staff sends a patient's name, diagnosis, medication, or treatment plan via unencrypted SMS, your covered entity is creating an uncontrolled copy of PHI with no accountability trail. OCR has been clear: convenience does not override compliance.

The Security Rule Requirements That Apply to Text Messaging

To make texting HIPAA compliant, your organization must satisfy specific provisions under the Security Rule. These aren't optional best practices — they're regulatory requirements.

  • Encryption (§164.312(a)(2)(iv) and §164.312(e)(2)(ii)): ePHI must be encrypted both in transit and at rest. This is listed as an "addressable" specification, but that doesn't mean optional. If you don't encrypt, you must document why and implement an equivalent alternative measure.
  • Access Controls (§164.312(a)(1)): Only authorized individuals should be able to access messages containing PHI. This requires authentication — at minimum, unique user IDs and passwords.
  • Audit Controls (§164.312(b)): Your organization must be able to track who sent what, to whom, and when. Standard SMS provides none of this.
  • Integrity Controls (§164.312(c)(1)): You need mechanisms to ensure ePHI hasn't been altered or destroyed improperly.
  • Automatic Logoff (§164.312(a)(2)(iii)): Sessions must terminate after a period of inactivity to prevent unauthorized access.

If your texting platform doesn't satisfy every one of these requirements, it's not compliant — regardless of what a vendor's marketing materials claim.

What a HIPAA-Compliant Texting Solution Actually Looks Like

Several secure messaging platforms are designed specifically for healthcare. They typically offer end-to-end encryption, message expiration, remote wipe capability, user authentication, and server-side audit logs. Products like TigerConnect, Imprivata Cortext, and OhMD are commonly used, though your organization must still conduct its own risk analysis before adopting any solution.

That risk analysis — required under 45 CFR §164.308(a)(1)(ii)(A) — must evaluate how the texting platform handles ePHI across its entire lifecycle: creation, transmission, storage, and disposal. If you're relying on a third-party platform, that vendor is a business associate and must sign a Business Associate Agreement (BAA) before any PHI touches their servers.

No BAA, no compliance. I've seen organizations adopt a "HIPAA-compliant" texting app and never execute a BAA with the vendor — which itself constitutes a HIPAA violation.

Texting Patients Requires Additional Privacy Rule Considerations

Texting between clinicians is one challenge. Texting patients introduces additional obligations under the Privacy Rule at 45 CFR §164.522.

Patients have the right to request confidential communications through alternative means or at alternative locations. If a patient asks you not to text them, you must honor that request if it's reasonable. Your Notice of Privacy Practices should address how your organization uses electronic communications, including text messaging.

The minimum necessary standard also applies. If you're texting a patient, include only the information essential to the communication. A text reminder that says "See you Thursday at 2pm" is very different from one that includes the provider's specialty, diagnosis, or treatment details.
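One way to enforce the minimum necessary standard before a patient text leaves an approved platform is an outbound content screen. The following is an added example, not code from the original post or from any vendor named above; the ICD-10 code pattern and the clinical-term list are constructed assumptions, not an exhaustive rule set.

```python
import re
from dataclasses import dataclass

# Constructed assumption: ICD-10-CM codes look like one letter (U is reserved),
# two digits, then an optional dot and up to four more characters, e.g. K02.9.
ICD10_RE = re.compile(r"\b[A-TV-Z]\d{2}(?:\.[0-9A-Z]{1,4})?\b")

# Constructed, non-exhaustive list of terms that go beyond what an
# appointment reminder needs (diagnosis, medication, treatment, specialty).
CLINICAL_TERMS = (
    "diagnos", "prescri", "medication", "treatment", "procedure",
    "lab result", "oncolog", "psychiatr", "endodont", "periodont",
)


@dataclass
class Finding:
    kind: str    # "diagnostic_code" or "clinical_detail"
    value: str   # the matched code or term


def screen_patient_text(message: str) -> list:
    """Return findings that exceed minimum necessary for a reminder.

    An empty list means the message carries only scheduling information
    and may be sent; any finding should block sending and be logged.
    """
    findings = []
    for match in ICD10_RE.finditer(message):
        findings.append(Finding("diagnostic_code", match.group(0)))
    lowered = message.lower()
    for term in CLINICAL_TERMS:
        if term in lowered:
            findings.append(Finding("clinical_detail", term))
    return findings


if __name__ == "__main__":
    # Constructed sample messages: a compliant reminder and an over-shared one.
    for text in ("See you Thursday at 2pm",
                 "Reminder: Thursday 2pm for K02.9 treatment"):
        result = screen_patient_text(text)
        status = "OK to send" if not result else f"BLOCKED: {result}"
        print(f"{text!r} -> {status}")
```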

The Workforce Training Gap That Creates the Most Risk

Technology alone won't make your organization compliant. The single biggest texting risk I encounter is an untrained workforce making ad hoc decisions about when and how to text PHI.

The HIPAA Security Rule at §164.308(a)(5) requires security awareness and training for all workforce members. This must cover your organization's specific texting policies — not just generic HIPAA principles. Every employee who has access to PHI needs to understand which platforms are approved, what information can and cannot be transmitted via text, and what to do if a message is sent in error.

If your workforce hasn't completed focused HIPAA training and certification that addresses current communication technologies, you have a gap that no software can fill. Training must be documented, repeated, and updated as your policies evolve.

Build a Texting Policy Before OCR Comes Asking

Your compliance program needs a written policy that specifically addresses text messaging. At minimum, this policy should cover:

  • Which platforms are authorized for texting PHI
  • Who is authorized to send and receive text messages containing PHI
  • What categories of information may be included in text messages
  • Device requirements — encryption, passcodes, remote wipe enrollment
  • Procedures for reporting a text sent to the wrong recipient (which may trigger the Breach Notification Rule at 45 CFR §§164.400-414)
  • Sanctions for policy violations under §164.308(a)(1)(ii)(C)

This policy must be part of your broader risk management framework and reviewed annually. OCR investigators look for written policies, evidence of workforce training, and documentation that your organization evaluated and addressed messaging risks.

Take Action Before a Breach Forces Your Hand

OCR enforcement data shows that impermissible disclosures — including those via text message — consistently rank among the top reported HIPAA violations. In 2023 alone, OCR received over 30,000 complaints and initiated hundreds of investigations. Organizations without documented texting policies and trained staff are the easiest targets.

Making your texting HIPAA compliant isn't a one-time project. It requires the right technology, a signed BAA with your messaging vendor, a written policy, a completed risk analysis, and a workforce that understands exactly what's expected of them. Start by ensuring every member of your team has completed current compliance education through a program like HIPAA Certify's workforce compliance platform — then build your texting policy on that foundation.

The organizations that get ahead of this issue avoid the breaches, the penalties, and the reputational damage. The ones that don't end up in OCR's resolution agreements.