In December 2023, a small dental practice in Texas agreed to a $50,000 settlement with OCR after an investigation revealed staff members had been texting patient appointment details, diagnoses, and insurance information through standard SMS on personal phones — with no encryption, no access controls, and no written policy. The practice had assumed that brief, informal texts didn't count as transmitting protected health information. OCR disagreed. If your workforce communicates via text, understanding the HIPAA rules for texting patient information is not optional — it's a regulatory requirement.

Why Standard Text Messages Violate HIPAA by Default

Standard SMS and MMS messages are not encrypted in transit or at rest. They sit on carrier servers, back up to cloud accounts, and remain accessible on unlocked devices indefinitely. Under the HIPAA Security Rule (45 CFR § 164.312), covered entities and business associates must implement technical safeguards — including encryption and access controls — for all electronic protected health information (ePHI) in transmission.

A regular text message meets none of these requirements. The message can be intercepted, read by anyone who picks up an unlocked phone, and stored in backups the organization doesn't control. OCR has repeatedly stated that unencrypted transmission of PHI is a known risk that organizations must address through their required risk analysis.

This doesn't mean texting is categorically prohibited. It means texting patient information under HIPAA requires specific technical and administrative safeguards that standard SMS simply cannot provide.

The Technical Safeguards Required for HIPAA-Compliant Texting

If your organization wants to permit texting that involves PHI, you need a platform or solution that meets these Security Rule requirements:

  • Encryption in transit and at rest: Messages must be encrypted using standards like AES-256 so that intercepted data is unreadable.
  • Access controls: Only authorized users should access the messaging platform, with unique user identification and automatic logoff (45 CFR § 164.312(a) and (d)).
  • Audit controls: The system must log who sent what, to whom, and when — creating the audit trail required under 45 CFR § 164.312(b).
  • Remote wipe capability: If a device is lost or stolen, you need the ability to remotely erase PHI from it.
  • Message expiration: Many compliant platforms allow messages to auto-delete after a set period, reducing the window of exposure.
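The encryption, audit and expiration safeguards above as working code, added here as an example and not code from the original article or from any of the products it names: a constructed in-memory store (NewStore, Send and Read are names chosen for this example) that keeps only AES-256-GCM ciphertext at rest, binds each record to its sender and recipient, refuses reads after the message's retention window, and writes every send and read attempt to an audit trail. Remote wipe and device-level login controls are platform features and are not modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// Message is what the backend persists: ciphertext only, never the PHI itself.
type Message struct {
	ID, Sender, Recipient string
	Nonce, Ciphertext     []byte
	ExpiresAt             time.Time
}

// Store is a constructed in-memory stand-in for a messaging backend.
type Store struct {
	aead  cipher.AEAD
	Audit []string // 45 CFR 164.312(b) trail: when, who, what, which message, to whom
}

// NewStore fixes the cipher up front: a 32-byte key selects AES-256 in crypto/aes.
func NewStore(key [32]byte) *Store {
	block, _ := aes.NewCipher(key[:]) // cannot fail: the type guarantees 32 bytes
	g, _ := cipher.NewGCM(block)      // cannot fail for an AES block
	return &Store{aead: g}
}

// Send seals PHI with AES-256-GCM (id/sender/recipient bound as associated data) and audits the send.
func (s *Store) Send(id, sender, recipient, phi string, now time.Time, ttl time.Duration) (Message, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Message{}, err
	}
	ct := s.aead.Seal(nil, nonce, []byte(phi), []byte(id+"|"+sender+"|"+recipient))
	s.Audit = append(s.Audit, now.UTC().Format(time.RFC3339)+" "+sender+" send "+id+" -> "+recipient)
	return Message{id, sender, recipient, nonce, ct, now.Add(ttl)}, nil
}

// Read audits the attempt first, then refuses expired messages before decrypting anything.
func (s *Store) Read(m Message, reader string, now time.Time) (string, error) {
	s.Audit = append(s.Audit, now.UTC().Format(time.RFC3339)+" "+reader+" read "+m.ID+" from "+m.Sender)
	if !now.Before(m.ExpiresAt) {
		return "", errors.New("message expired: past its retention window")
	}
	pt, err := s.aead.Open(nil, m.Nonce, m.Ciphertext, []byte(m.ID+"|"+m.Sender+"|"+m.Recipient))
	return string(pt), err
}
```

Because the sender and recipient are authenticated data rather than plaintext, a stored record that is re-addressed to another user fails to decrypt, and the failed attempt is still in the trail.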

Several HIPAA-compliant messaging platforms exist — TigerConnect, OhMD, Imprivata Cortext, and others. But the technology alone isn't enough. Without proper policies and workforce training, even the best platform won't keep you compliant.

Administrative Safeguards: The Policy Framework Most Organizations Skip

In my work with covered entities, I've seen organizations purchase a compliant texting solution and then fail to create the policies that govern its use. The Security Rule requires administrative safeguards (45 CFR § 164.308) that include documented policies and procedures for ePHI handling. For texting, your policies must address:

  • Who is authorized to send and receive PHI via text
  • What categories of information may be communicated (and what must not)
  • Which devices and platforms are approved
  • How the minimum necessary standard applies — staff should share only the minimum PHI needed for the intended purpose
  • Consequences for using unapproved channels like personal SMS, iMessage, or WhatsApp

These policies must be accessible to your entire workforce. They should also be reviewed during your annual risk analysis and updated whenever you change platforms or workflows.

HIPAA Risks of Texting Patient Information on Personal Devices

BYOD (Bring Your Own Device) environments amplify the risk of non-compliant texting. When staff use personal smartphones, the organization has limited control over device security, app installations, and screen lock settings. A lost personal phone with unencrypted patient texts becomes a reportable breach under the Breach Notification Rule (45 CFR §§ 164.400-414).

If your organization permits personal devices, you need a formal BYOD policy that mandates mobile device management (MDM) software, enforced passcodes, and containerization of work-related apps. Without these controls, every personal phone in your practice is a potential breach vector.

Patient-Initiated Texts: A Common Compliance Gray Area

Healthcare organizations consistently struggle with this scenario: a patient texts your front desk asking about test results. Can you respond?

Under the Privacy Rule, a covered entity may communicate with patients via their preferred method — but only after informing the patient of the risks and obtaining their acknowledgment. Your Notice of Privacy Practices should address electronic communications. If a patient requests text communication and you document that preference, you have more flexibility — but you must still apply the minimum necessary standard and use a secure platform on your end.

Simply replying to a patient text from a personal phone with diagnostic details is a HIPAA violation regardless of who initiated the conversation.

OCR Enforcement and the Real Cost of Non-Compliance

OCR enforcement actions increasingly scrutinize electronic communication practices. Between 2020 and 2024, OCR investigated hundreds of complaints involving unauthorized disclosure of PHI through electronic messaging. Penalties under the HITECH Act's tiered structure can range from $141 per violation (for unknowing violations) to over $2 million per violation category per year for willful neglect.

But the financial penalty is only part of the cost. A breach involving unsecured text messages triggers notification to affected patients, HHS, and potentially the media — damaging the trust your organization depends on.

Build a Compliant Texting Program: Where to Start

Making patient-information texting HIPAA-compliant requires action on three fronts simultaneously:

  • Conduct a risk analysis that specifically evaluates mobile communication and texting workflows. Identify every point where PHI could be transmitted via text.
  • Deploy a compliant platform with encryption, access controls, and audit logging. Ensure you have a business associate agreement with the vendor, as required under the Omnibus Rule.
  • Train your workforce — not once, but continuously. Every staff member, contractor, and volunteer who handles PHI needs to understand what they can and cannot text, on what device, using what platform.

Workforce training is where compliance either holds or collapses. The best policy in the world fails if your staff doesn't know it exists. Organizations looking to build this foundation should invest in HIPAA training and certification that covers real-world scenarios like mobile device use and electronic communication.

At HIPAA Certify, we help covered entities and business associates build workforce compliance programs that address exactly these challenges — from the HIPAA requirements for texting patient information to breach prevention and risk analysis documentation.

The text message your staff sends in 10 seconds can take your organization months to remediate. Build the safeguards now.