Are Text Messages HIPAA Compliant? What You Can and Can’t Do Under HIPAA
Overview of HIPAA Compliance for Text Messaging
HIPAA does not ban texting, but it requires you to safeguard Protected Health Information (PHI) wherever it travels. A text message can be HIPAA compliant when the people, processes, and technology around it meet the Privacy Rule’s Minimum Necessary Standard and the Security Rule’s safeguards.
Think of “texting” as two categories: standard SMS/MMS and secure messaging platforms. Standard SMS lacks the controls HIPAA expects. Secure platforms can provide the controls—encryption, identity verification, access management, and auditability—needed to keep PHI protected.
What you can do
- Use secure messaging platforms to exchange PHI for treatment, payment, and operations with appropriate safeguards.
- Apply the Minimum Necessary Standard—only include the details required to achieve the purpose.
- Send limited, low-risk notices (for example, appointment reminders) while avoiding unnecessary identifiers.
- Honor a patient’s request to receive unsecure texts after you warn about risks and document informed preference.
- Capture relevant messages in the designated record set when they inform care or decisions.
What you can’t do
- Assume consumer chat apps or SMS are compliant without controls, a risk analysis, and appropriate agreements.
- Transmit more PHI than necessary or ignore identity verification and wrong-number risks.
- Skip documentation, retention, and audit processes when texts affect care.
Security Requirements for HIPAA-Compliant Messaging
The Security Rule expects you to implement administrative, physical, and technical safeguards scaled to risk. For texting workflows, this means formal policies, workforce training, and technology that enforces access control, transmission protection, and monitoring.
Administrative safeguards
- Conduct and update a risk analysis covering texting, BYOD, and remote access.
- Define usage policies (when texting is allowed, content limits, escalation paths, after-hours rules).
- Train staff on identity verification, the Minimum Necessary Standard, and how to handle misdirected messages.
- Establish incident response and breach notification procedures specific to mobile messaging.
Technical and physical safeguards
- Access controls: unique user IDs, role-based permissions, automatic lockouts, and Multi-Factor Authentication.
- Data Encryption in transit and at rest, supported by strong key management.
- Integrity and availability: message integrity checks, secure backups for required records.
- Audit Trails that log who sent/received what and when, with immutable timestamps and export capability.
- Device protections: device encryption, remote wipe, jailbreak/root detection, and screen-lock policies.
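The Audit Trail bullet above asks for logs with immutable timestamps that record who sent or received what and when. The following Go program is an added example, not code from the original page or from Accountable: it implements a hash-chained, append-only audit trail in which every entry commits to the previous entry's hash, so editing, deleting or reordering a past record breaks verification from that point on. The timestamp is assigned by the logger's own clock rather than taken from the client, and only a SHA-256 digest of the message body is stored, so the trail can be exported to a reviewer without re-disclosing PHI. The event fields, user IDs and the injectable clock are constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// AuditEvent is one record in the messaging audit trail: who did what,
// to whom, and when. The body itself is never logged, only its digest.
type AuditEvent struct {
	Seq       int    `json:"seq"`
	Timestamp string `json:"ts"` // RFC 3339 UTC, assigned by the logger, not the client
	Actor     string `json:"actor"`
	Recipient string `json:"recipient"`
	Action    string `json:"action"` // e.g. "send", "read"
	BodyHash  string `json:"body_sha256"`
	PrevHash  string `json:"prev_hash"`
	Hash      string `json:"hash"`
}

// AuditTrail is an append-only, hash-chained log.
type AuditTrail struct {
	events []AuditEvent
	now    func() time.Time // injectable clock (constructed for the example)
}

func NewAuditTrail(now func() time.Time) *AuditTrail {
	if now == nil {
		now = time.Now
	}
	return &AuditTrail{now: now}
}

// digest hashes every chain-relevant field of an event. Hash is excluded
// because it is the output; PrevHash is included because it is the link.
func digest(e AuditEvent) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // marshalling string/int fields cannot fail
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append records an event, timestamped by the trail's own clock so that a
// client cannot backdate it, and chained to the previous entry.
func (t *AuditTrail) Append(actor, recipient, action string, body []byte) AuditEvent {
	prev := ""
	if n := len(t.events); n > 0 {
		prev = t.events[n-1].Hash
	}
	bodySum := sha256.Sum256(body)
	e := AuditEvent{
		Seq:       len(t.events),
		Timestamp: t.now().UTC().Format(time.RFC3339Nano),
		Actor:     actor,
		Recipient: recipient,
		Action:    action,
		BodyHash:  hex.EncodeToString(bodySum[:]),
		PrevHash:  prev,
	}
	e.Hash = digest(e)
	t.events = append(t.events, e)
	return e
}

// Verify walks the chain and returns the index of the first entry whose
// sequence number, link or digest does not check out, or -1 if intact.
func Verify(events []AuditEvent) int {
	prev := ""
	for i, e := range events {
		if e.Seq != i || e.PrevHash != prev || digest(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Export returns a copy of the trail for a reviewer or investigator.
func (t *AuditTrail) Export() []AuditEvent {
	out := make([]AuditEvent, len(t.events))
	copy(out, t.events)
	return out
}

func main() {
	clock := time.Date(2024, 1, 15, 9, 30, 0, 0, time.UTC) // constructed fixed clock
	trail := NewAuditTrail(func() time.Time { clock = clock.Add(time.Second); return clock })
	trail.Append("nurse.jdoe", "dr.asmith", "send", []byte("Patient in room 4 is ready for review."))
	trail.Append("dr.asmith", "nurse.jdoe", "read", nil)
	trail.Append("dr.asmith", "nurse.jdoe", "send", []byte("On my way."))

	events := trail.Export()
	fmt.Println("intact:", Verify(events) == -1)

	// An after-the-fact edit of entry 1 is pinpointed by verification.
	events[1].Actor = "someone.else"
	fmt.Println("first broken entry:", Verify(events))
}
```

One caveat the chain alone does not cover: silently dropping the newest entries still verifies, because nothing after them depends on their hash. In practice the latest hash is anchored outside the log (a periodically signed checkpoint, or a copy sent to a write-once store) so that truncation is detectable too.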
Business Associate Agreements in Text Communication
If a vendor creates, receives, maintains, or transmits PHI for you—most secure messaging platforms do—you must have a Business Associate Agreement (BAA). The BAA sets responsibilities such as safeguarding PHI, breach reporting, and ensuring subcontractors protect PHI too.
Do not transmit PHI through a service that refuses to sign a BAA or cannot support required safeguards. A BAA does not make an insecure tool safe by itself; you still need policies, training, and technical controls to reduce risk.
Key BAA considerations
- Scope of services and where messages/media are stored.
- Security commitments: encryption, access control, and Audit Trails.
- Incident handling: detection, timelines, cooperation, and evidence preservation.
- Data management: retention, return, and secure destruction on termination.
Best Practices for Protecting Protected Health Information
- Prefer secure messaging platforms with end-to-end protection, strong authentication, and administrator controls.
- Design message templates that minimize identifiers and avoid sensitive details unless strictly necessary.
- Verify identity before sharing PHI—use callbacks, patient-known passphrases, or portal-based authentication.
- Set retention rules: archive messages that inform care; purge transitory chatter per policy.
- Enable alert hygiene: suppress full message previews on lock screens to limit shoulder-surfing risk.
- Implement BYOD policies: device encryption, remote wipe, prohibition on local screenshots for PHI where enforceable.
- Review Audit Trails routinely to detect anomalies and support investigations.
Implementing Encryption and Authentication
Encryption should protect messages in transit and at rest. For modern texting workflows, end-to-end encryption with strong key management reduces interception risk and supports confidentiality across networks and devices.
Encryption essentials
- Transport protection for network hops, plus message-level encryption so only intended endpoints can read content.
- Secure key generation, storage, rotation, and revocation with least-privilege access to keys.
- Encrypted media handling for images, voice notes, and attachments.
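To make the key-management bullets concrete (message-level encryption so only intended endpoints can read content, plus rotation and revocation with least-privilege access to keys), here is an added Go example; it is not code from the original page or from Accountable. It keeps a key ring of AES-256-GCM keys, stamps each message with the ID of the key that sealed it, rotates to a new key for new messages while older keys still open older messages, and refuses to decrypt anything sealed under a revoked key. The sender and recipient IDs are bound as additional authenticated data so a ciphertext copied into a different conversation fails the tag. The wire format (4-byte key ID, 12-byte nonce, ciphertext and tag), the user IDs and the message bodies are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Key is one entry in the key ring. Every message records which key sealed
// it, so rotating to a new key never orphans old messages.
type Key struct {
	ID      uint32
	Secret  []byte // 32 bytes for AES-256
	Revoked bool
}

// KeyRing holds past and current keys; the highest ID is the active one.
type KeyRing struct {
	keys   map[uint32]*Key
	active uint32
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[uint32]*Key{}} }

// Rotate generates a fresh AES-256 key and makes it active for new messages.
func (r *KeyRing) Rotate() (uint32, error) {
	secret := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, secret); err != nil {
		return 0, err
	}
	r.active++
	r.keys[r.active] = &Key{ID: r.active, Secret: secret}
	return r.active, nil
}

// Revoke marks a key unusable, for example after a device holding it is lost.
func (r *KeyRing) Revoke(id uint32) {
	if k, ok := r.keys[id]; ok {
		k.Revoked = true
	}
}

func (r *KeyRing) aead(id uint32) (cipher.AEAD, error) {
	k, ok := r.keys[id]
	if !ok || k.Revoked {
		return nil, errors.New("key unavailable or revoked")
	}
	block, err := aes.NewCipher(k.Secret)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds the conversation endpoints to the ciphertext.
func aad(sender, recipient string) []byte { return []byte(sender + "\x00" + recipient) }

// Seal encrypts a message body under the active key. Wire format (constructed
// for this example): 4-byte key ID | 12-byte random nonce | ciphertext+tag.
func (r *KeyRing) Seal(sender, recipient string, plaintext []byte) ([]byte, error) {
	g, err := r.aead(r.active)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 4, 4+len(nonce)+len(plaintext)+g.Overhead())
	binary.BigEndian.PutUint32(out, r.active)
	out = append(out, nonce...)
	return g.Seal(out, nonce, plaintext, aad(sender, recipient)), nil
}

// Open decrypts a message using the key named in its header. A revoked key,
// a tampered byte or a mismatched sender/recipient pair all fail here.
func (r *KeyRing) Open(sender, recipient string, msg []byte) ([]byte, error) {
	if len(msg) < 4 {
		return nil, errors.New("message too short")
	}
	g, err := r.aead(binary.BigEndian.Uint32(msg[:4]))
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(msg) < 4+ns+g.Overhead() {
		return nil, errors.New("message too short")
	}
	return g.Open(nil, msg[4:4+ns], msg[4+ns:], aad(sender, recipient))
}

func main() {
	ring := NewKeyRing()
	ring.Rotate()
	old, _ := ring.Seal("nurse.jdoe", "dr.asmith", []byte("Room 4 ready"))
	ring.Rotate() // new messages now use key 2; key 1 still opens old ones
	pt, err := ring.Open("nurse.jdoe", "dr.asmith", old)
	fmt.Printf("%s %v\n", pt, err)
	ring.Revoke(1)
	_, err = ring.Open("nurse.jdoe", "dr.asmith", old)
	fmt.Println("after revocation:", err)
}
```

In a deployed system the ring's secrets would live in a hardware-backed or KMS-managed store with access limited to the messaging service, and a revocation decision would also trigger re-encryption of any records that must remain readable after the old key is retired.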
Authentication and session security
- Multi-Factor Authentication for all workforce users; step-up authentication for high-risk actions.
- Automatic session timeouts, device-based PIN/biometrics, and re-authentication after inactivity.
- Controls to block unknown or jailbroken devices and to enforce remote wipe on termination or loss.
Limitations of Standard SMS Texting
Standard SMS/MMS lacks end-to-end encryption, robust identity verification, centralized access control, and comprehensive logging. Messages can be exposed in transit, stored by carriers, backed up to consumer clouds, or previewed on lock screens.
- No reliable way to enforce Minimum Necessary content or prevent forwarding and screenshots.
- No native Audit Trails, retention governance, or administrative oversight.
- Vendors that power consumer texting typically will not sign a Business Associate Agreement.
- Attachments and group texts expand exposure and misdirection risks.
Because of these gaps, standard SMS is generally unsuitable for workforce-to-workforce PHI exchange. If a patient specifically requests SMS, limit content, warn about risks, verify the number, and document consent.
Patient Consent and Record Keeping Obligations
Before texting patients, confirm their preferred contact method, explain risks, and record consent. Offer a secure alternative. Document opt-ins and opt-outs, changes to phone numbers, and any restrictions the patient requests.
- Capture informed preference: plain-language notice of risks for unsecure texting and acknowledgment.
- Verify ownership of the number and re-verify after changes or long inactivity.
- Use content rules: avoid diagnoses, test details, or images unless necessary and requested.
- Record keeping: store clinically relevant messages and metadata in the designated record set; follow retention laws.
- Operational safeguards: include non-urgent use notices and direct emergencies to appropriate channels.
- Consider other laws (for example, consent rules for automated texts in the United States) alongside HIPAA.
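Both the best-practice advice to design templates that minimize identifiers and the content rule above (avoid diagnoses, test details or images unless necessary and requested) describe an outbound gate between the messaging workflow and the SMS carrier. The Go program below is an added example of such a gate, not code from the original page or from Accountable. Messages are rendered only from approved templates whose placeholders are restricted to an allow-list of fields, so an extra field in the caller's context (a diagnosis, say) cannot reach the message; the rendered text is then screened against a small set of patterns before it may be sent, which also catches a sensitive value smuggled through an allowed field. The template, the field names and the screening patterns are constructed and deliberately simple; they illustrate the mechanism and are not a complete PHI detector.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Template is an approved outbound message. Only the fields in Allowed may be
// substituted into Body; any other key in the caller's context is ignored.
type Template struct {
	Name    string
	Body    string
	Allowed []string
}

// AppointmentReminder is a constructed example: a first name, a date and a
// callback number, with no reason for the visit and no clinical detail.
var AppointmentReminder = Template{
	Name:    "appointment_reminder",
	Body:    "Hi {first_name}, this is a reminder of your appointment on {date}. Questions? Call {clinic_phone}. Do not reply to this message in an emergency.",
	Allowed: []string{"first_name", "date", "clinic_phone"},
}

// sensitive lists illustrative patterns that should never appear in an SMS.
var sensitive = []*regexp.Regexp{
	regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`),                                 // SSN-shaped number
	regexp.MustCompile(`(?i)\b(mrn|medical record)\b`),                           // record identifiers
	regexp.MustCompile(`(?i)\b(diagnos|hiv|psychiatr|positive|negative|result)`), // clinical detail
}

var placeholder = regexp.MustCompile(`\{([a-z_]+)\}`)

// Render fills a template from ctx. A placeholder that is not on the
// allow-list, or that has no value in ctx, is an error rather than a blank,
// and the rendered text is screened before it is returned.
func Render(t Template, ctx map[string]string) (string, error) {
	allowed := map[string]bool{}
	for _, a := range t.Allowed {
		allowed[a] = true
	}
	var unfillable []string
	out := placeholder.ReplaceAllStringFunc(t.Body, func(m string) string {
		key := m[1 : len(m)-1]
		v, ok := ctx[key]
		if !allowed[key] || !ok {
			unfillable = append(unfillable, key)
			return m
		}
		return v
	})
	if len(unfillable) > 0 {
		return "", fmt.Errorf("template %q: placeholders not fillable from allowed fields: %s",
			t.Name, strings.Join(unfillable, ", "))
	}
	if err := Screen(out); err != nil {
		return "", err
	}
	return out, nil
}

// Screen is the last gate before the SMS gateway: it rejects any text that
// matches a sensitive pattern, whether templated or free-form.
func Screen(msg string) error {
	for _, re := range sensitive {
		if re.MatchString(msg) {
			return errors.New("message blocked: matches sensitive pattern " + re.String())
		}
	}
	return nil
}

func main() {
	// Constructed context: the extra "diagnosis" key is simply never used.
	ctx := map[string]string{
		"first_name": "Maria", "date": "Jan 15 at 9:30 AM", "clinic_phone": "555-0100",
		"diagnosis": "must never reach an SMS",
	}
	msg, err := Render(AppointmentReminder, ctx)
	fmt.Println(msg, err)
	fmt.Println(Screen("Your test result is positive, MRN 12345"))
}
```

Rejecting rather than blanking an unfillable placeholder matters: a reminder sent with an empty date is a wrong message, and a template that references a field outside its allow-list is a policy violation that should fail review before it ever reaches a patient.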
Conclusion
Text messages can meet HIPAA expectations when you pair secure messaging platforms with sound policies, Data Encryption, Multi-Factor Authentication, and Audit Trails—always guided by the Minimum Necessary Standard. Reserve standard SMS for patient-requested, low-risk communications with documented consent, and keep records when texts inform care.
FAQs
Can standard SMS be used for transmitting PHI under HIPAA?
Generally no for workforce communications because SMS lacks encryption, access controls, and auditability. If a patient insists on SMS after you explain risks and you document informed preference, limit content to the minimum necessary and verify the number before sending.
What security measures are required for HIPAA-compliant texting?
Implement risk-based safeguards, including Data Encryption in transit and at rest, access controls with Multi-Factor Authentication, device protections, message retention governance, and comprehensive Audit Trails. Pair technology with policies, training, and incident response procedures.
How does a Business Associate Agreement affect text message compliance?
A Business Associate Agreement is required with any vendor that creates, receives, maintains, or transmits PHI for you. It contractually obligates the vendor to safeguard PHI, report breaches, and manage subcontractors, but you must still enforce internal policies and technical controls.
What are the patient consent requirements for text messaging?
Confirm the patient’s preferred channel, explain the risks of unsecure texting, and document informed consent or opt-out. Verify phone ownership, keep consent up to date, and retain messages that inform care in the medical record while applying the Minimum Necessary Standard.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.