HIPAA Compliant Text Messaging: Can Healthcare Providers Text About Patients?
Texting is fast, patients love it, and standard SMS is one of the least secure channels a healthcare provider can use. The short answer to “can we text about patients?” is yes — but how you do it, and who is on each end of the message, changes the rules completely.
Why standard SMS is risky
Ordinary text messages travel unencrypted, are stored on carrier servers outside your control, and land on lock screens anyone holding the phone can read. Your mobile carrier will not sign a Business Associate Agreement for consumer SMS, which means routing PHI through it is a disclosure to a vendor with no agreement and no safeguards. For provider-to-provider or staff-to-staff messages about a patient, plain SMS is the wrong tool — the same reasoning that governs HIPAA compliant email.
The compliant path
Compliant texting about patients runs through a secure messaging platform — one that encrypts messages in transit and at rest, authenticates users, lets you remotely wipe or expire messages, logs access for your audit trail, and, critically, comes with a signed BAA. Several established platforms meet this bar. The platform plus its configuration is what makes texting compliant; no consumer messaging app does it on its own.
The patient-initiated exception
There is an important distinction for messages with patients themselves. Under the Privacy Rule, individuals have the right to receive communications by the method they request, including ordinary text, after being warned of the risks. If a patient asks you to text appointment reminders or results to their personal phone and you have made them aware that SMS is not secure, you may honor that request — the patient is exercising a right, not a vendor mishandling data. That is different from your staff texting each other PHI, which always needs the secure channel. This connects to the patient’s HIPAA right of access. Keep the warning and the patient’s stated preference documented. Separately, texting patients can also implicate the Telephone Consumer Protection Act, so capture consent to be contacted by text as well.
It starts with a Security Risk Analysis
A Security Risk Analysis — the foundational requirement at 45 CFR § 164.308(a)(1)(ii)(A) — is where texting belongs on paper: which staff text about patients, on which devices, through which platform, and where the gaps are. Texting that grew up informally, outside any assessment, is a common and avoidable finding.
The proposed 2026 Security Rule update
The proposed 2026 update to the HIPAA Security Rule would push mobile and messaging safeguards further. Published as a Notice of Proposed Rulemaking in December 2024, it is still a proposal, not a final rule; the 240-day compliance window would begin only once a final rule is published. It leans toward making encryption and device controls — exactly what separates a secure messaging platform from consumer SMS — more explicitly required.
How Medcurity helps
Medcurity’s guided Security Risk Analysis captures how your team texts about patients — the devices, the platforms, and the BAAs behind them — so messaging is assessed and documented instead of happening in the shadows. Plans start at $499/year (about $42/month); larger organizations can request a quote.
Frequently Asked Questions
Can healthcare providers text patients about their care?
Yes, with conditions. Staff texting each other about a patient must use a secure, BAA-backed messaging platform. A patient who asks to receive texts on their own phone can be accommodated under their right to choose a communication method, provided you have warned them that SMS is not secure and documented the preference.
Is standard SMS HIPAA compliant?
No. Ordinary SMS is unencrypted, stored on carrier servers, and visible on lock screens, and carriers will not sign a BAA for it. It should not be used for provider-to-provider or staff messages containing PHI.
What makes a texting platform HIPAA compliant?
Encryption in transit and at rest, user authentication, message expiration or remote wipe, access logging for your audit trail, and a signed Business Associate Agreement with the vendor — plus configuring and using it correctly.
Can we text a patient an appointment reminder?
Yes. Appointment reminders are permitted, and a patient may receive them by text if that is their stated preference and they have been informed of the security risks. Keep the PHI in the message to the minimum necessary.