In 2023, a small dental practice in Texas paid $50,000 to settle with OCR after a staff member routinely texted patient appointment details, diagnoses, and insurance information to colleagues over standard SMS on personal phones. No encryption, no access controls, no policy in place. The practice assumed texting was simply faster, and that convenience equaled compliance. It doesn't. Texting patient information lawfully takes more than good intentions; it takes the specific technical and administrative safeguards HIPAA mandates.
Texting Patient Information Is Allowed When Proper Safeguards Exist
HIPAA does not outright ban texting protected health information (PHI). This is the misconception I encounter most often in my work with covered entities and business associates. The Security Rule under 45 CFR Part 164, Subpart C, requires that electronic PHI (ePHI) be protected during transmission with appropriate technical safeguards — but it does not prescribe specific technologies.
What this means in practice: your organization can text PHI, but only when you implement safeguards that meet the Security Rule's requirements for transmission security (§164.312(e)(1)), access controls (§164.312(a)(1)), and audit controls (§164.312(b)).
Standard SMS and consumer messaging apps like iMessage, WhatsApp, or Facebook Messenger do not meet these requirements out of the box. Some of them encrypt messages end to end, but encryption alone is not the bar: they offer no enterprise audit logging, no administrative control over accounts and recipients, and in many cases no way to remotely wipe messages from a lost or stolen device. Their cloud backups can also copy PHI into personal consumer accounts that your organization neither controls nor covers with a BAA.
The Five Conditions That Must Be Met Before Texting PHI
Based on OCR guidance and the Security Rule's technical specifications, texting patient information is allowed when all of the following conditions are satisfied:
- Encryption in transit and at rest. The platform must encrypt PHI end to end while it travels and on the device where it is stored. Under the Security Rule, encryption is an addressable implementation specification (§164.312(a)(2)(iv) and §164.312(e)(2)(ii)): you must either implement it or document why an equivalent alternative is reasonable and appropriate, and for text messaging there is no credible alternative. Standard SMS is not encrypted end to end; carrier networks store and forward it in cleartext, which is a clear transmission security failure.
- User authentication and access controls. Each workforce member must log in with unique credentials (unique user identification is a required specification at §164.312(a)(2)(i)). Shared logins, or devices without a passcode or lock screen, violate the access control standard at §164.312(a)(1).
- Audit controls and message logging. Your organization must be able to reconstruct who sent what, to whom, when, and over which channel. You will need that record in a breach investigation, and it is what the audit control standard at §164.312(b) asks for. Check that the logs are retained outside the handset, so losing a device does not also lose the evidence.
- Remote wipe capability. If a device is lost or stolen, your organization needs the ability to remotely erase PHI from that device, which means enrollment must be enforced before PHI is delivered: a message that reached an unenrolled personal phone cannot be wiped. This ties directly to the device and media controls standard at §164.310(d)(1).
- A written policy governing secure texting. The administrative safeguards in §164.308 and the policies and procedures standard at §164.316(a) require documented policies. Your workforce must know exactly when, how, and on what platforms texting PHI is permitted.
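As an added example (not code from the page or from any messaging vendor), here is how an investigator would actually use the audit trail that the audit-controls and remote-wipe conditions above call for, together with the care-team check that the minimum necessary standard (discussed further down) implies. The export format, field names, sample records and care-team roster are all constructed for this illustration; the only regulatory inputs are the 60-day outer limit for individual breach notification in §164.404(b) and the patient-request provision in §164.522(b).

```python
"""Breach-investigation triage over a secure-messaging audit export.

Added example, not code from the page or from any messaging vendor. The
export format (one JSON object per line with the fields below) is a
constructed, hypothetical one; real platforms export different schemas.
"""
import json
from datetime import datetime, timedelta

# Constructed sample export. Field names are assumptions for this example:
#   ts, sender, recipient, recipient_type (workforce|patient), channel
#   (app_e2ee|sms_fallback), patient_id, device_enrolled, content_class.
SAMPLE_EXPORT = """\
{"ts": "2024-03-04T13:02:11Z", "sender": "dr.lee", "recipient": "rn.patel", "recipient_type": "workforce", "channel": "app_e2ee", "patient_id": "P-1042", "device_enrolled": true, "content_class": "clinical"}
{"ts": "2024-03-04T13:05:40Z", "sender": "rn.patel", "recipient": "+15550001234", "recipient_type": "workforce", "channel": "sms_fallback", "patient_id": "P-1042", "device_enrolled": false, "content_class": "clinical"}
{"ts": "2024-03-04T13:07:02Z", "sender": "dr.lee", "recipient": "billing.kim", "recipient_type": "workforce", "channel": "app_e2ee", "patient_id": "P-1042", "device_enrolled": true, "content_class": "clinical"}
{"ts": "2024-03-04T14:00:00Z", "sender": "front.desk", "recipient": "+15550009876", "recipient_type": "patient", "channel": "sms_fallback", "patient_id": "P-2201", "device_enrolled": false, "content_class": "appointment_reminder"}
{"ts": "2024-03-05T09:15:00Z", "sender": "dr.lee", "recipient": "rn.patel", "recipient_type": "workforce", "channel": "app_e2ee", "patient_id": "P-1042", "device_enrolled": true, "content_class": "clinical"}
"""

# Documented care teams (constructed roster). Minimum necessary: a workforce
# recipient outside this set has no operational need for the patient's PHI.
CARE_TEAM = {"P-1042": {"dr.lee", "rn.patel"}, "P-2201": {"front.desk"}}

NOTIFICATION_WINDOW = timedelta(days=60)  # 45 CFR 164.404(b) outer limit


def parse_export(text):
    """Parse the JSON-lines export into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def triage(events, care_team):
    """Return (event, severity, reasons) for each event that needs review.

    'high' findings are candidate breaches of unsecured PHI; 'info' findings
    are patient-directed SMS, permitted only with a documented patient
    request under 45 CFR 164.522(b).
    """
    findings = []
    for ev in events:
        reasons = []
        clinical = ev["content_class"] == "clinical"
        if ev["recipient_type"] == "workforce":
            if clinical and ev["channel"] != "app_e2ee":
                reasons.append("clinical PHI left the encrypted channel")
            if clinical and not ev["device_enrolled"]:
                reasons.append("recipient device not enrolled (no remote wipe)")
            if ev["recipient"] not in care_team.get(ev["patient_id"], set()):
                reasons.append("recipient not on the documented care team")
            if reasons:
                findings.append((ev, "high", reasons))
        elif ev["channel"] != "app_e2ee":
            severity = "high" if clinical else "info"
            reasons.append("patient-directed message sent over SMS; confirm documented request")
            findings.append((ev, severity, reasons))
    return findings


def exposure_timeline(events, patient_id):
    """Who sent this patient's PHI to whom, over which channel, and when."""
    return [(ev["ts"].isoformat(), ev["sender"], ev["recipient"], ev["channel"])
            for ev in events if ev["patient_id"] == patient_id]


def notification_deadline(discovered):
    """Outer limit for individual notice, counted from discovery of the breach."""
    return discovered + NOTIFICATION_WINDOW


if __name__ == "__main__":
    evs = parse_export(SAMPLE_EXPORT)
    for ev, sev, why in triage(evs, CARE_TEAM):
        print(f"[{sev}] {ev['ts'].isoformat()} {ev['sender']} -> {ev['recipient']}: {'; '.join(why)}")
    for row in exposure_timeline(evs, "P-1042"):
        print(row)
    print("notify affected individuals by", notification_deadline(evs[1]["ts"]).date())
```

Run as a script it prints two high findings for patient P-1042 (a clinical message that fell back to SMS on an unenrolled phone, and a clinical message to a billing user outside the care team) and one informational finding for the reminder sent to a patient. In practice you would point parse_export at the platform's real export and build CARE_TEAM from the scheduling or EHR system. The practical test of the audit controls condition is simple: if the platform cannot produce records that let you answer these questions, it does not meet it.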
Why a Risk Analysis Must Come First
Before deploying any secure texting platform, the Security Rule requires your organization to conduct a thorough risk analysis under §164.308(a)(1)(ii)(A). This isn't optional — it's the single most-cited deficiency in OCR enforcement actions. Between 2016 and 2023, failure to perform an adequate risk analysis appeared in the majority of HIPAA settlements exceeding $100,000.
Your risk analysis must identify how PHI flows through text messages, what devices are used, who has access, and what vulnerabilities exist. Only after completing this analysis can you select and implement a texting solution that adequately addresses the risks specific to your organization.
Choosing a HIPAA-Compliant Texting Platform
Several platforms are specifically designed for HIPAA-compliant secure messaging, TigerConnect, OhMD, Imprivata Cortext, and Halo Health among them. When evaluating a platform, verify that the vendor will sign a business associate agreement (BAA). Under the Omnibus Rule, any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate and must have a BAA in place before you share any patient data. Also check what leaves the encrypted channel: push-notification previews, and any SMS fallback the platform uses to reach people who have not installed its app, should carry no PHI.
If a texting vendor refuses to sign a BAA, walk away immediately. Using their platform to transmit PHI without a BAA exposes your covered entity to significant liability — regardless of how secure the technology claims to be.
The Minimum Necessary Standard Applies to Texts, Too
Even on a fully encrypted, HIPAA-compliant texting platform, the minimum necessary standard under §164.502(b) still applies. Your workforce should only share the minimum amount of PHI required to accomplish the purpose of the communication.
A physician texting a nurse about a patient's medication adjustment doesn't need to include the patient's full medical history, Social Security number, or insurance details. Train your team to include only what's operationally necessary — and nothing more.
Workforce Training Is Non-Negotiable
Healthcare organizations consistently struggle with the gap between having a secure texting policy and ensuring their workforce actually follows it. The Privacy Rule at §164.530(b) requires training for every workforce member on your organization's policies and procedures regarding PHI — and that includes texting protocols.
A single untrained employee using standard SMS to send lab results has disclosed unsecured PHI; under §164.402 that is presumed to be a breach unless a documented four-factor risk assessment shows a low probability that the PHI was compromised, and otherwise it must be reported under the Breach Notification Rule. Investing in comprehensive HIPAA training ensures your staff understands not just the rules, but the practical application of those rules to daily communication, including text messaging. Note that OCR does not recognize any HIPAA certification; what counts is that the training happened, covered your actual policies, and is documented.
Training shouldn't be a one-time event. OCR expects ongoing education, especially when your organization adopts new technologies or updates its secure messaging policies. Platforms like HIPAA Certify make it straightforward to deliver, track, and document workforce HIPAA compliance training on an ongoing basis.
What About Texting Patients Directly?
Texting PHI to patients adds another layer of complexity. If a patient requests communication via text — and is informed of the risks — HIPAA allows it. Under §164.522(b), patients have the right to request confidential communications by alternative means. Your organization should document the patient's preference and their acknowledgment of the risk.
However, this does not eliminate your obligation to use reasonable safeguards. Sending appointment reminders with minimal information (date, time, provider name) carries lower risk than texting lab results or diagnoses. Your Notice of Privacy Practices should address how your organization handles electronic communications, including text messaging.
The Bottom Line on Texting PHI
Texting patient information is allowed when — and only when — your organization has implemented encryption, access controls, audit capabilities, a signed BAA with the platform vendor, a documented policy, and workforce training that covers all of it. Skip any one of these, and you're operating outside HIPAA's requirements.
OCR has shown no reluctance to enforce against organizations that treat texting as a gray area. It isn't gray. The rules are clear, the technology exists, and the expectation is that your covered entity will use both. Start with a risk analysis, choose a compliant platform, train your workforce, and document everything.