HIPAA Text Messaging Policy: Requirements, Compliance Checklist & Sample Language
Texting can accelerate care coordination, but it must be done within a HIPAA-compliant framework. This guide explains the requirements, gives you a practical compliance checklist, and provides sample policy language you can adapt for your organization.
HIPAA Compliance for Text Messaging
HIPAA permits texting of PHI when you implement administrative, physical, and technical safeguards that appropriately protect ePHI. Your HIPAA Text Messaging Policy should flow from a documented risk analysis, cover permitted uses, and define controls across people, processes, and technology.
Core elements include secure platforms, user access controls, device protections, workforce training, and signed Business Associate Agreements with any vendor that creates, receives, maintains, or transmits PHI on your behalf.
Compliance Checklist
- Complete and document an enterprise risk analysis focused on texting workflows and devices.
- Select a secure platform with End-to-End Encryption, robust Audit Logs, Role-Based Access Control, and Multi-Factor Authentication.
- Obtain and record patient consent and communication preferences; maintain an opt-out process.
- Enforce the Minimum Necessary Standard for message content and recipients.
- Implement access controls, SSO where feasible, session timeouts, and device binding.
- Apply device safeguards (MDM, Remote Wipe Capability, encryption at rest, screen lock policies).
- Retain required documentation and message/audit records per policy; monitor and review logs.
- Execute and maintain a Business Associate Agreement with texting vendors and subcontractors.
- Train staff, test understanding, and enforce sanctions for policy violations.
Secure Text Messaging Platforms
Choose a platform built for healthcare and HIPAA. At minimum, require End-to-End Encryption in transit and strong encryption at rest, plus granular administrative controls and reporting.
Platform Evaluation Criteria
- Security: End-to-End Encryption, certificate pinning, key management, and message-level controls (expiration, recall, screenshot restrictions where available).
- Identity and access: Directory sync, Role-Based Access Control, Multi-Factor Authentication, device binding, and SSO (SAML/OIDC).
- Compliance: Immutable Audit Logs capturing sender, recipient, timestamps, delivery/read status, and administrative actions.
- Data lifecycle: Configurable retention, export to EHR or archive, legal hold support, and clear deletion semantics.
- Device management: MDM integration, Remote Wipe Capability for app containers, jailbreak/root detection, and offline caching controls.
- Operational readiness: High availability, disaster recovery, incident response SLAs, and a signed Business Associate Agreement.
Patient Consent and Authorization
Before texting PHI, document the patient’s preferred contact number and obtain consent that acknowledges texting risks and message types. For treatment-related communications, consent is generally sufficient; marketing uses typically require a separate authorization.
Best Practices
- Capture consent in writing or electronically; log date, scope (e.g., appointment reminders, care instructions), and any restrictions.
- Provide clear opt-out instructions in initial messages and honor opt-out requests promptly.
- Avoid including highly sensitive details in SMS; where possible, send a secure link that requires authentication.
- Verify the destination number at registration and during significant changes (e.g., number porting).
Minimum Necessary Information
Apply the Minimum Necessary Standard to every text. Share only what is essential for the immediate purpose, with the fewest recipients needed to act.
Practical Guidelines
- Use de-identified or limited information when possible (e.g., “Your lab results are available in the portal” rather than specific values).
- Exclude diagnoses, full medical histories, and financial identifiers from routine texts.
- For internal care coordination, keep messages concise and reference the chart for details.
- Route complex discussions to secure portals or calls after verifying identity.
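The guidelines above can be enforced partly in software: a pre-send check that flags lab values, diagnosis codes, identifiers and diagnosis terms before a routine text leaves the platform. This is an added example, not code from the page or from any vendor; the regex patterns, the deny-list and the sample drafts are constructed and illustrative only.

```python
import re
from typing import Dict, List

# Constructed pre-send guardrail for the Minimum Necessary Standard: flags content a
# routine patient text should not carry. Patterns and terms are illustrative only.
LAB_VALUE = re.compile(r"\b\d+(?:\.\d+)?\s?(?:mg/dL|mmol/L|mEq/L|g/dL|mmHg|bpm|%)(?!\w)", re.I)
ICD10_CODE = re.compile(r"\b[A-Z]\d{2}(?:\.\d{1,4})?\b")          # e.g. E11.9
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_NUMBER = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Illustrative deny-list; a real deployment curates its own terms.
DIAGNOSIS_TERMS = ("diabetes", "hiv", "hepatitis", "cancer", "depression", "pregnan")

def minimum_necessary_findings(text: str) -> List[str]:
    """Return the categories of over-sharing found; an empty list means the text may go out."""
    checks = [("lab value", LAB_VALUE), ("diagnosis code", ICD10_CODE),
              ("SSN", SSN), ("card number", CARD_NUMBER)]
    findings = [label for label, rx in checks if rx.search(text)]
    lowered = text.lower()
    if any(term in lowered for term in DIAGNOSIS_TERMS):
        findings.append("diagnosis term")
    return findings

def triage(messages: List[str]) -> Dict[str, List[str]]:
    # Map each draft to its findings so a reviewer sees what must move to the portal or a call.
    return {m: minimum_necessary_findings(m) for m in messages}

# Constructed drafts: the first follows the guidance above, the other two over-share.
DRAFTS = [
    "Your lab results are available in the portal. Reply STOP to opt out.",
    "Your HbA1c came back at 9.2% and glucose 210 mg/dL; your diabetes plan changes.",
    "Follow-up for E11.9 scheduled; bring card ending 4111 1111 1111 1111.",
]
```

A check like this is a safety net for staff training, not a replacement for it: it catches common patterns, and anything it flags should be rerouted to a secure portal or a verified call.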
Access Controls and Authentication
Strong access controls prevent unauthorized viewing and misuse of PHI. Combine Role-Based Access Control with unique user IDs and least-privilege permissions.
Required Controls
- Authentication: Multi-Factor Authentication, strong passcodes/biometrics, and automatic session timeouts.
- Authorization: Role-Based Access Control aligned to job duties and separation of duties for administrators.
- Account lifecycle: Rapid provisioning/deprovisioning tied to HR events; periodic access reviews and reattestations.
- Emergency access: Controlled “break-glass” procedures with alerting and post-event review.
Audit Trails and Record Retention
Maintain comprehensive Audit Logs for accountability and investigations. Logs should be tamper-evident and retained per policy.
What to Capture
- Message metadata: sender, recipients, timestamps, delivery/read status, and channel.
- Administrative actions: user creation, role changes, policy updates, Remote Wipe actions, and integrations.
- Security events: failed logins, MFA challenges, device changes, and anomalous access.
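One way to make the captured records tamper-evident, as the section above requires, is a hash chain: each record commits to the hash of the one before it, so altering or deleting an earlier entry fails verification. This is an added example, not code from the page or from any platform vendor; the record field names and sample entries are constructed to mirror the three categories listed above.

```python
import hashlib
import json
from typing import List, Optional

# Constructed example: a hash-chained (tamper-evident) audit log for a secure texting
# platform. Each record commits to the previous record's hash, so editing or deleting
# an earlier entry breaks verification. Field names are illustrative, not a vendor schema.
GENESIS = "0" * 64

def canonical(fields: dict) -> bytes:
    # Stable serialisation so identical records always hash identically.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def entry_hash(fields: dict, prev_hash: str) -> str:
    return hashlib.sha256(prev_hash.encode() + canonical(fields)).hexdigest()

class AuditLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, **fields) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = dict(fields, prev=prev, hash=entry_hash(fields, prev))
        self.entries.append(record)
        return record

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad record."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            fields = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
            if rec["prev"] != prev or rec["hash"] != entry_hash(fields, prev):
                return i
            prev = rec["hash"]
        return None

def demo():
    log = AuditLog()
    # Constructed records mirroring the three categories the policy says to capture.
    log.append(kind="message", sender="rn.alvarez", recipient="dr.chen",
               ts="2024-03-01T09:12:00Z", status="read", channel="secure_app")
    log.append(kind="admin", actor="it.admin", action="role_change",
               target="rn.alvarez", ts="2024-03-01T09:30:00Z")
    log.append(kind="security", user="dr.chen", action="mfa_failed",
               ts="2024-03-01T10:02:00Z", device="unregistered")
    intact = log.verify()                          # None: chain consistent
    log.entries[0]["recipient"] = "someone.else"   # simulate after-the-fact alteration
    return intact, log.verify()                    # (None, 0): record 0 fails
```

In production the chain head (the latest hash) would be periodically written somewhere the platform's administrators cannot edit, such as a write-once archive, so that wholesale replacement of the log is also detectable.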
Retention
- Retain required HIPAA documentation and related security records for at least six years from creation or last effective date.
- If message content is part of the designated medical record, follow your medical record retention schedule and applicable state laws.
- Ensure timely retrieval for audits, legal holds, and patient access requests.
Device Security Measures
Because texts are often read on mobile devices, your policy must enforce device-level protections for both BYOD and corporate devices.
Minimum Controls
- Encryption at rest, screen lock with short auto-lock, and biometric or strong passcode.
- MDM or secure container with Remote Wipe Capability for lost/stolen devices and upon termination.
- OS and app patching, malware protection where applicable, and jailbreak/root detection.
- Disable unapproved backups and cloud sync for PHI; restrict copy/paste and notification previews.
- Report lost or stolen devices immediately; document incident handling steps.
Business Associate Agreements
Execute a Business Associate Agreement with any vendor that handles PHI within your texting workflows. The BAA should define permitted uses/disclosures and require safeguards consistent with HIPAA.
Key BAA Provisions
- Security controls: End-to-End Encryption, access controls, and continuous monitoring.
- Breach notification timelines, investigation cooperation, and documentation requirements.
- Subcontractor flow-down obligations and right to audit or obtain independent assessments.
- Return/disposal of PHI at termination and data export assistance.
- Indemnification and allocation of responsibilities for compliance tasks.
Staff Training and Policies
Effective policies work only when staff understand and apply them. Provide role-specific training at hire and at least annually, with practical scenarios and attestations.
Training Focus Areas
- Identifying PHI, applying the Minimum Necessary Standard, and verifying patient identity.
- Using the approved texting platform, including MFA and message-level controls.
- Handling sensitive topics, using secure alternatives, and documenting consent.
- Incident reporting, phishing awareness, and sanctions for non-compliance.
Sample Text Messaging Policy Language
Purpose
This policy establishes requirements for HIPAA-compliant text messaging to protect PHI while enabling efficient communication for treatment, payment, and healthcare operations.
Scope
This policy applies to all workforce members, contractors, volunteers, and third parties who create, receive, maintain, or transmit PHI via the organization’s approved texting platform.
Policy
1) Only the approved secure messaging platform may be used to send or receive PHI by text. Unsecured SMS or consumer apps are prohibited for PHI.
2) Users must authenticate with Multi-Factor Authentication and are granted Role-Based Access Control aligned to job duties.
3) All messages containing PHI must comply with the Minimum Necessary Standard and be limited to recipients with a need to know.
4) Patients must provide documented consent before receiving PHI by text and may opt out at any time.
5) The platform must implement End-to-End Encryption, maintain immutable Audit Logs, and support Remote Wipe Capability.
6) Mobile devices accessing PHI must meet device security requirements (encryption, screen lock, MDM/containerization, timely updates).
7) Message metadata and required records are retained per the organization’s retention schedule; exports to the EHR or archive are performed when appropriate.
8) The organization maintains a current Business Associate Agreement with the messaging vendor and requires subcontractor compliance.
9) Suspected breaches or misdirected messages are reported immediately to Compliance/Privacy for investigation and mitigation.
10) Violations of this policy may result in disciplinary action up to and including termination.
Definitions
PHI: Protected Health Information. ePHI: Electronic PHI. Minimum Necessary Standard: Requirement to limit PHI use/disclosure to the least amount needed for the purpose.
Responsibilities
- Workforce Members: Follow this policy, complete training, and report incidents promptly.
- Managers: Enforce compliance, validate access needs, and ensure device adherence.
- Compliance/Privacy/Security: Maintain policy, conduct audits, manage incidents, and oversee BAAs.
Review
This policy is reviewed at least annually and upon material changes to regulations, technology, or risk.
Adopting the controls above enables fast, safe communication while protecting patients and meeting HIPAA requirements.
FAQs
What constitutes a HIPAA-compliant text messaging platform?
A HIPAA-compliant platform provides End-to-End Encryption, strong authentication (including Multi-Factor Authentication), Role-Based Access Control, detailed Audit Logs, administrative oversight, configurable retention, device management with Remote Wipe Capability, and is covered by a signed Business Associate Agreement.
How do I obtain patient consent for texting PHI?
Present a clear consent that explains what messages may include, the associated risks, and how to opt out. Capture consent in writing or electronically, record date and scope in the record, verify the phone number, and honor opt-out requests in all future communications.
What are the required security measures for devices used in HIPAA texting?
Require encryption at rest, screen lock with short auto-lock, biometric or strong passcode, current OS and app updates, MDM or secure container with Remote Wipe Capability, jailbreak/root detection, restricted notification previews, and disabled unapproved cloud backups for PHI.
How long must audit trails of text messages be retained?
Retention should be at least six years for required HIPAA documentation and associated security records. If message content or metadata form part of the medical record, follow your medical record retention policy and applicable state requirements, which may exceed six years.