HIPAA-Compliant Texting
HIPAA-compliant texting explained: what's required, which SMS tools qualify, BAAs, patient consent, secure messaging vs standard SMS, and safeguards in 2026.

HIPAA-compliant texting is patient SMS sent through a platform that signs a Business Associate Agreement, encrypts messages in transit (TLS 1.2 or higher) and at rest (AES-256), enforces role-based access controls, and retains audit logs for six or more years. Only 6 of the 13 providers tracked in the 2026 SMB VoIP dataset sign BAAs; DialPhone signs at $34/user/month on the Advanced tier, the lowest non-enterprise price point among the VoIP providers in that dataset.
HIPAA-compliant texting — key facts (May 2026)
- DialPhone signs the BAA on Advanced+ plans at $34/user/month — the only non-enterprise BAA in the dataset.
- 6 of 13 providers in the 2026 SMB VoIP pricing dataset will sign a BAA for healthcare.
- Encryption: TLS 1.2 or higher in transit, AES-256 at rest, on every PHI-bearing message. The Security Rule lists encryption as an "addressable" specification rather than a "required" one, but after a risk analysis there is no defensible reason to skip it.
- PHI redaction is built into the DialPhone SMS workflow before any campaign send.
- 10DLC compliant — DialPhone is TCR-registered for business messaging in the US.
- HIPAA Tier 4 penalties reach $1.9M per violation category; a mass campaign without a BAA can trigger per-recipient counting.
Texting patients is one of the highest-ROI communication channels in healthcare, but it’s also a HIPAA minefield. A standard iMessage or carrier SMS from a clinician’s phone is not HIPAA-compliant, and casual violations generate thousands of breach notifications every year. This guide covers what HIPAA-compliant texting actually requires, which tools qualify, and how to deploy secure patient messaging at scale.
By 2026, approximately 75% of healthcare providers have adopted some form of compliant patient texting — up from 40% in 2020, according to industry adoption data cited in HHS guidance commentary. The practices that haven’t completed the transition face increasing pressure from patients who expect SMS as a default communication channel, while also carrying the compliance risk of ad-hoc personal phone use by clinical staff.
TL;DR
- Standard SMS and iMessage are not HIPAA-compliant for sending protected health information (PHI).
- HIPAA-compliant texting requires a tool with a signed Business Associate Agreement (BAA), encryption in transit and at rest, access controls, and audit logs.
- You also need patient consent and documentation of minimum-necessary disclosure.
- Most practices use dedicated HIPAA-compliant SMS platforms (DialPhone, Spruce Health, OhMD, TigerConnect) for clinical messaging.
- Appointment reminders with no PHI (just date and time) can be sent over standard SMS if no patient-identifying details are included; the safer default is still to route them through the BAA-covered platform, since the phone number on file is itself a HIPAA identifier.
What HIPAA actually says about texting
HIPAA doesn’t mention SMS specifically. The Privacy Rule covers any individually identifiable health information (PHI); the Security Rule requires covered entities and business associates to protect the electronic form of it (ePHI) under three safeguard categories:
- Technical safeguards (45 CFR §164.312): encryption, access controls, audit logs, integrity checks
- Administrative safeguards (45 CFR §164.308): risk assessments, workforce training, information access management
- Physical safeguards (45 CFR §164.310): device security, workstation security, media disposal
Applied to texting: PHI can be transmitted by SMS only if the SMS platform meets all three safeguard categories AND the covered entity has a signed BAA with the platform provider.
Why standard SMS fails
Standard carrier SMS and iMessage fail HIPAA on multiple fronts:
- No end-to-end encryption: SMS is protected only on the radio link, and carriers relay and store message bodies in plaintext on backend systems.
- No access controls: anyone with physical access to a phone can read the messages.
- No audit logs: no record of who read which message when.
- No BAA: Verizon, AT&T, T-Mobile do not sign BAAs for standard SMS traffic.
- No minimum-necessary enforcement: can’t restrict who at a practice sees what.
- No retention control: messages persist on the handset, in cloud backups and at the carrier for as long as each party chooses; deletion cannot be verified.
Sending “Mary’s lab results came back positive, call her tomorrow” from a clinician’s personal iPhone to a colleague is a textbook HIPAA violation.
What HIPAA-compliant texting requires
1. A BAA with the SMS platform
A Business Associate Agreement is a legal contract between the covered entity (your practice) and the technology vendor (the SMS platform). It binds the vendor to the same HIPAA standards as the covered entity.
Check before signing up: does the vendor sign a BAA on your plan tier? Some vendors only sign BAAs on enterprise plans. DialPhone signs BAAs at no additional cost on Advanced ($34/user/mo) and higher.
2. Encryption
- In transit: TLS 1.2 or higher between your staff clients and integrations and the platform, and between the platform and its SMS gateway. The final carrier hop to the patient's handset is plain SMS with no end-to-end encryption, which is the reason to keep PHI out of the message body and put it behind a portal login.
- At rest: AES-256 for stored messages, transcripts, attachments
3. Access controls
- Unique user IDs for every staff member
- Role-based permissions: nurses see their patients, not all patients
- Automatic logoff after inactivity
- MFA / SSO enforcement for every user, and MFA without exception for admin accounts. HIPAA does not name MFA as an implementation specification today; it is the reasonable and appropriate control expected under the access control standard (§164.312(a)(1)) and workforce security (§164.308(a)(3)), and the Security Rule update HHS proposed in 2025 would make it mandatory.
4. Audit logs
- Every message read, every message sent, every attachment downloaded
- Retained for 6+ years: §164.316(b)(2)(i) sets a six-year retention period for required documentation, measured from creation or last effective date, and most practices apply the same period to audit logs so that an OCR request can be answered
- Exportable to SIEM
- Tamper-evident storage
5. Integrity controls
- Tamper-evident message storage
- Signed records for compliance audits
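A hash-chained audit log with an HMAC over every entry is one way to get the tamper evidence that items 4 and 5 ask for. The code below is an added example written for this guide; it is not DialPhone's implementation or any vendor's. The class, field and action names are hypothetical, and so is the key handling (the HMAC key is assumed to live in a KMS or HSM, never alongside the log it protects).

```python
"""Hash-chained, HMAC-authenticated audit log for a patient messaging platform.

Added example; names and event fields are hypothetical.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so the MAC is reproducible after export/import.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log where each entry's MAC also covers the previous entry's MAC."""

    def __init__(self, key: bytes):
        self._key = key  # assumption: held in a KMS/HSM, never in the log store
        self.entries: list[dict] = []

    def append(self, actor: str, action: str, message_id: str, ts: str | None = None) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,            # unique user ID (§164.312(a)(2)(i))
            "action": action,          # e.g. message.read, message.send, attachment.download
            "message_id": message_id,
            "prev": prev,
        }
        mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        entry = dict(body, mac=mac)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest MAC. Ship it to the SIEM/WORM store after each export so tail truncation is detectable."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def verify(self, expected_head: str | None = None) -> tuple[bool, int | None]:
        """(True, None) if intact, else (False, seq) for the first entry that fails.

        Edits, insertions and deletions inside the chain are caught by the chain itself.
        A trimmed tail is caught only when expected_head (an externally stored head) is given.
        """
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev:
                return False, i
            mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(mac, entry.get("mac", "")):
                return False, i
            prev = entry["mac"]
        if expected_head is not None and not hmac.compare_digest(prev, expected_head):
            return False, len(self.entries)
        return True, None

    def export_jsonl(self) -> str:
        """One JSON object per line, the shape most SIEMs ingest directly."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


if __name__ == "__main__":
    log = AuditLog(b"constructed-demo-key")
    log.append("nurse.jane", "message.send", "msg-001")
    log.append("admin.bob", "attachment.download", "msg-001")
    anchored = log.head()
    print(log.verify(expected_head=anchored))   # intact
    log.entries[0]["actor"] = "someone.else"
    print(log.verify())                          # first bad entry reported
```

The usage note that matters: the chain on its own cannot tell you that the newest entries were deleted, which is exactly what an insider covering their tracks would do. Export the log and its head to a store the platform admins cannot write to (the SIEM), and verify against that stored head.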
6. Patient consent
HIPAA and the Telephone Consumer Protection Act (TCPA) both apply:
- HIPAA permits PHI disclosure for treatment, payment, and operations without separate authorization, but the patient (or a personal representative) must be the intended recipient, which means the number on file has to be verified as the patient's.
- TCPA requires prior express consent to text a mobile number. The FCC's healthcare exemption covers a narrow set of messages (appointment and exam reminders, prescription notifications and similar) sent to a number the patient provided, subject to conditions such as opt-out handling and frequency limits; marketing, billing and debt-collection texts are not exempt.
Best practice: document consent at intake. A checkbox on new-patient forms: “I consent to receive appointment reminders, billing notifications, and care communications by SMS at the phone number I provided.”
7. Minimum-necessary disclosure (45 CFR §164.502(b))
HIPAA’s minimum-necessary rule says: disclose only what’s needed for the purpose. Applied to SMS:
- Appointment reminder: “Your appointment with Dr. Smith is tomorrow at 2pm.” (Permitted, minimum necessary.)
- Test result notification: “Your recent lab results are ready. Log in to the patient portal to view.” (Permitted, no PHI in the SMS itself.)
- Full result in SMS: “Your HbA1c is 7.2, indicating poorly-controlled diabetes.” (HIPAA allows with consent + BAA, but most practices avoid this level of detail in SMS.)
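A pre-send gate that scans an outbound SMS body for the content categories the minimum-necessary rule tells you to keep out of a text (specialty, procedure, diagnosis, result, medication, lab value) turns the three examples above into an enforceable check. This is an added example written for this guide, not DialPhone's redaction workflow or any vendor's code. The term lists are constructed and deliberately short; a real deployment maintains them with the privacy officer and treats any hit as a hard block rather than auto-rewriting the message.

```python
"""Minimum-necessary gate for outbound SMS bodies.

Added example; the term lists are constructed and illustrative only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# (category, pattern). Order here is the order findings are reported in.
RULES: list[tuple[str, re.Pattern[str]]] = [
    ("specialty",  re.compile(r"\b(oncology|behavioral health|psychiatr\w*|fertility|hiv|infusion|chemo\w*|dialysis)\b", re.I)),
    ("procedure",  re.compile(r"\b(mammogram|colonoscopy|biopsy|crown prep|root canal|mri|ct scan)\b", re.I)),
    ("diagnosis",  re.compile(r"\b(diabetes|cancer|depression|anxiety|hypertension)\b", re.I)),
    ("result",     re.compile(r"\b(came back|tested|results?\s+(?:is|was|were))\s+(positive|negative|abnormal)\b", re.I)),
    ("medication", re.compile(r"\b(metformin|sertraline|insulin|oxycodone)\b|\b\d+\s?(mg|mcg|ml)\b", re.I)),
    # an analyte name followed, within a few characters, by a number: "HbA1c is 7.2"
    ("lab_value",  re.compile(r"\b(hba1c|a1c|glucose|cholesterol|ldl|psa|cd4|viral load)\b[^.\n]{0,20}?\d+(?:\.\d+)?", re.I)),
]


@dataclass(frozen=True)
class Finding:
    category: str
    fragment: str


def check_sms(body: str) -> list[Finding]:
    """Every PHI-bearing fragment in an outbound SMS body; an empty list means it passes."""
    return [Finding(cat, m.group(0)) for cat, pat in RULES for m in pat.finditer(body)]


def gate(body: str) -> tuple[bool, list[str]]:
    """Send-path decision: (allowed, reasons).

    A hit blocks the send. Nothing is rewritten automatically, because silently
    dropping a word can change the clinical meaning of what the patient receives.
    """
    findings = check_sms(body)
    return (not findings, [f"{f.category}: {f.fragment}" for f in findings])


def lint_templates(templates: dict[str, str]) -> dict[str, list[str]]:
    """Run the gate over a campaign's template set before launch; returns only the failures."""
    report: dict[str, list[str]] = {}
    for name, body in templates.items():
        ok, reasons = gate(body)
        if not ok:
            report[name] = reasons
    return report


# Constructed templates for the demo: three pass, two fail.
SAMPLE_TEMPLATES = {
    "appt_reminder": "Your appointment is tomorrow at 2pm. Reply YES to confirm.",
    "portal_notice": "You have a new message in your patient portal. Log in to view.",
    "rx_ready": "Your prescription is ready for pickup.",
    "infusion_reminder": "Your next infusion is scheduled for Tuesday at 9am.",
    "a1c_result": "Your HbA1c is 7.2, indicating poorly-controlled diabetes.",
}

if __name__ == "__main__":
    for name, reasons in lint_templates(SAMPLE_TEMPLATES).items():
        print(f"BLOCK {name}: {', '.join(reasons)}")
```

Wire `gate()` into the path that enqueues a message to the SMS platform, and run `lint_templates()` in CI over every campaign template so a new "mammogram follow-up" reminder is caught before anyone can schedule it.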
HIPAA violation penalty tiers — what non-compliance actually costs
HIPAA violations involving improper disclosure via SMS fall under the Privacy Rule and Security Rule. HHS Office for Civil Rights (OCR) applies a four-tier penalty structure based on culpability level:
| Tier | Description | Per-violation minimum | Per-violation maximum | Annual cap |
|---|---|---|---|---|
| 1 | Did not know (reasonable diligence) | $100 | $50,000 | $25,000 |
| 2 | Reasonable cause (not willful) | $1,000 | $50,000 | $100,000 |
| 3 | Willful neglect — corrected within 30 days | $10,000 | $50,000 | $250,000 |
| 4 | Willful neglect — not corrected | $50,000 | $250,000 | $1,900,000 |
Source: HHS OCR HIPAA Enforcement (45 CFR §160.404), as adjusted for inflation and rounded here. A “violation” under OCR’s interpretation can be each patient record improperly disclosed — meaning a single SMS sent to the wrong patient contact can be one violation, but a mass texting campaign without a BAA could be counted per-recipient.
Practical examples of texting violations and their likely tier:
- A clinician texts a patient’s lab result from their personal iPhone (Tier 3 or 4 — willful, phone is clearly not HIPAA-covered infrastructure)
- A front desk sends appointment reminders that include the provider’s specialty, revealing the patient’s condition type (Tier 2 — reasonable cause; PHI in reminder is common and often not recognized as PHI)
- An organization uses a non-BAA SMS platform for bulk appointment reminders because it is cheaper (Tier 3 if they corrected it on notification; Tier 4 if they continued after knowing)
The $1.9M annual cap per violation category means a large texting campaign without a BAA is not a nuisance fine — it is an existential compliance event.
What happens if you text without a BAA — 3 penalty scenarios
Scenario 1: A dental practice sends monthly recall SMS via standard Twilio without a BAA. The recall campaign texts 800 patients per month with messages like “Hi [Name], it’s time for your 6-month cleaning at [Practice Name].” The patient name + dental appointment context = PHI. This continues for 18 months before a compliance review catches it.
Under Tier 3 (willful, if corrected within 30 days of discovery), the penalty is $10,000–$50,000 per violation. With 800 messages/month × 18 months = 14,400 messages, the potential per-violation count is large. OCR typically negotiates a settlement amount rather than maximum per-violation, but resolution agreements in similar cases have ranged from $50,000 to $1.5M.
Scenario 2: A behavioral health practice uses a clinical SMS tool but did not sign the BAA during signup. They use the platform’s HIPAA-compliant features (encryption, access controls) but never executed the BAA. If investigated, the absence of a BAA makes the entire relationship legally non-compliant regardless of the technical safeguards in place. Likely Tier 2 (reasonable cause — they chose a compliant-capable platform but failed to formalize the relationship). Resolution: execute the BAA immediately (a BAA cannot be backdated to cover past disclosures), record the gap in the risk analysis, and document a corrective action plan.
Scenario 3: A solo primary care physician texts patients from an iMessage account for convenience. iMessage has no BAA available. If a patient complaint triggers an OCR complaint, and the investigation reveals systematic use of iMessage for PHI, Tier 3 or 4 applies. Solo-practitioner OCR settlements have run $10,000–$100,000 even for small-scale violations, particularly when the behavior was knowing and continuous.
Which SMS tools qualify as HIPAA-compliant
A comparison of platforms that sign BAAs and meet technical safeguards:
| Platform | BAA available | Price | Best for | Limitations |
|---|---|---|---|---|
| DialPhone | Yes — Advanced ($34/user) | From $34/user/mo | Practices needing VoIP + SMS in one platform | BAA at Advanced tier, not entry $24 |
| Spruce Health | Yes | ~$24/user/mo | Small practices, direct patient messaging | Limited CRM integration |
| OhMD | Yes | ~$99–$299/mo flat | Clinical SMS and secure messaging | No VoIP included |
| TigerConnect | Yes | Custom pricing | Clinician-to-clinician messaging | Enterprise-focused, complex setup |
| Klara | Yes | ~$199/mo+ | Dental, primary care | Limited to patient-facing channels |
| Updox | Yes | ~$149/mo+ | Multi-provider practices | Owned by EverCommerce; integration depth varies |
| Twilio (with BAA) | Yes — enterprise customers | Usage-based | Developers building custom solutions | Requires custom development; BAA for qualifying customers only |
Standard consumer SMS tools (iMessage, Google Messages, basic cell carrier SMS) do not qualify regardless of how careful the clinician is.
Two patterns: secure messaging vs standard SMS with no PHI
There are two common patterns for HIPAA-compliant patient communication.
Pattern A: Secure messaging (in-app)
Patients download an app or access a patient portal. Messages stay inside the secure platform, requiring authentication to read. Full PHI can be exchanged.
- Pros: true PHI support, full clinical context
- Cons: patient adoption friction (another app)
- Vendors: TigerConnect, Spruce, OhMD, MyChart messaging
Pattern B: Standard SMS with no PHI
Use regular SMS with a HIPAA-BAA-backed platform, but restrict message content to no-PHI minimum necessary:
- “Your appointment is tomorrow at 2pm. Reply YES to confirm.”
- “You have a new message in your patient portal. Log in to view.”
- “Your prescription is ready for pickup.”
The patient gets the notification via SMS; anything sensitive stays in the portal.
- Pros: no app adoption friction, works on every phone
- Cons: can’t carry full clinical content in the SMS
- Vendors: DialPhone, Twilio with BAA, Klara
Most practices use Pattern B for appointment reminders and general operations, and Pattern A for clinical dialog.
HIPAA-compliant texting by specialty
Dental practices. Among the highest-volume use cases for patient SMS in outpatient settings. Recall campaigns, appointment reminders, and treatment plan follow-up are the three main message types. Key rule: appointment reminders that include the procedure type (e.g., “your crown prep is tomorrow”) disclose PHI. Use Pattern B (no-PHI content) for reminders; send clinical details through a secure patient portal link.
Practical dental example: A 3-dentist practice runs 800 patient recalls per month. Under a BAA-covered platform at $199/month, the cost per message is under $0.25 — compared to the compliance exposure of a Tier 3 penalty for doing the same campaign without a BAA.
Mental health / therapy. Most sensitive SMS context in healthcare. A text that mentions the provider’s specialty (“Your appointment with Dr. [Name] at [Practice Name] Behavioral Health”) reveals that the patient has a mental health relationship — PHI under HIPAA. Therapist practices should use no-PHI appointment reminders only, with no reference to the practice specialty. Consent documentation is especially important: patients seeking mental health care may not want their family members aware of the appointment.
Home health. Home health agencies need to text care coordinators and patients across multiple care episodes. The high frequency of communication (daily check-ins, medication reminders, visit schedules) and the sensitivity of the PHI (diagnosis, care plan details) makes a BAA-covered platform non-optional. All agency staff communicating patient information via SMS must use the approved platform — not personal phones.
Urgent care and emergency medicine. Urgent care centers have high patient throughput — 80–200 visits per day in a busy location — and a narrow communication window per patient (before-visit registration, post-visit follow-up, test result notification). The BAA-covered SMS platform must support high message volume and integrate with the practice management system (Kareo, Tebra, AdvancedMD) for automated post-visit follow-up triggers.
Specialty practices (oncology, cardiology). The highest PHI sensitivity after behavioral health. Diagnosis references in any message — even indirect ones — reveal sensitive health information. “Your next infusion is scheduled for Tuesday at 9am” may seem benign but implies a cancer diagnosis. Pattern A (secure messaging portal) is recommended for oncology and cardiology patient communication.
Mass texting / bulk SMS under HIPAA
Mass texting for healthcare — recall campaigns, seasonal flu shot reminders, health screenings — is legal and effective under HIPAA when the platform has a BAA and messages follow minimum-necessary rules.
What “bulk SMS with BAA” means in practice:
- The platform maintains a BAA that covers batch/campaign-level sends (confirm this — some BAAs scope to individual messages only)
- Opt-in and opt-out tracking is maintained per-patient (TCPA requirement)
- Messages contain no PHI (Pattern B) OR are sent through a secure portal with authentication
- Message logs (who received, who opened, who replied) are stored in the BAA-covered platform
Volume pricing reference: At 10,000 messages/month, DialPhone’s business SMS pricing works out to approximately $0.012–$0.02 per message, covered under the same BAA as voice calls with no separate compliance fee. Dedicated patient messaging platforms (Klara, OhMD) typically run $149–$299/month flat for unlimited messaging at mid-size practice volumes.
BAA review checklist — 8 questions before you sign
Before executing any HIPAA SMS BAA, verify all 8 items:
- Does the BAA explicitly name the SMS product? Some BAAs cover the vendor’s platform generally — confirm the specific SMS module is included.
- Is encryption in transit covered? Confirm TLS 1.2+ for message delivery.
- Is encryption at rest covered? AES-256 for stored messages and attachments.
- Are audit logs exportable? You may need to produce them for an OCR audit.
- What is the retention period? HIPAA requires 6-year documentation retention; confirm the vendor’s default matches your policy.
- Does the BAA cover bulk/mass texting campaigns? Some BAAs scope narrowly to individual messages and exclude campaign-level batch sends.
- What are the breach notification terms? The Breach Notification Rule gives a business associate up to 60 days from discovery to notify you (§164.410), and you in turn have up to 60 days to notify affected patients (§164.404); a vendor that uses its full window consumes most of yours. Negotiate a notification window measured in days, not weeks.
- Is there a subcontractor BAA chain? Some SMS platforms use third-party SMS gateway providers (e.g., Twilio underlying a branded platform). Confirm the subcontractor is also BAA-covered.
Common HIPAA texting mistakes
- Clinicians texting from personal phones: no encryption, no BAA, no audit logs. Violation.
- Including PHI in “reminders”: “Reminder: your mammogram follow-up is tomorrow.” The diagnosis context is PHI.
- Forwarding patient SMS to a group chat: shares PHI with unauthorized recipients.
- No STOP keyword: TCPA violation even before HIPAA.
- Outdated consent: consent signed 10 years ago may not cover new messaging use cases.
- Texting to numbers that changed hands: patient’s old number went to someone else, still on file. Reminder reveals PHI. This has generated real breach notifications.
- Not having multi-factor authentication on admin accounts: HIPAA does not spell out MFA, but admin access to patient message histories with a password alone will not survive the "reasonable and appropriate" test under §164.312(a)(1) and §164.308(a)(3), and proposed Security Rule updates would require it outright.
- Using platform without verifying subcontractor BAA chain: some SMS platforms use Twilio or another gateway as the underlying carrier. If that gateway doesn’t have a subcontractor BAA, the chain is broken.
TCPA overlap
HIPAA governs PHI protection. TCPA (Telephone Consumer Protection Act) governs SMS consent. Both apply to patient texting.
TCPA requires:
- Consent to text the mobile number
- Clear opt-out method (STOP)
- Honor opt-outs within 10 business days
Most HIPAA-compliant SMS platforms handle TCPA technical enforcement automatically. The practice is still responsible for genuine consent documentation.
The TCPA risk healthcare practices miss: TCPA applies even when HIPAA doesn’t. A patient recall campaign sent through a fully BAA-covered platform but without documented TCPA consent for each recipient is a TCPA violation — with potential damages of $500–$1,500 per message. TCPA class action suits are common in healthcare. Both consent requirements must be met simultaneously.
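The consent side of this is mechanical once it is written down: every outbound send asks a ledger whether this number consented to this purpose, STOP and START keywords update that ledger, and the opt-out deadline is computed rather than guessed. The block below is an added example for this guide, not DialPhone's consent engine or any vendor's code; the purpose tags, the one-year staleness threshold and the keyword lists are assumptions (the threshold is a policy choice, not a legal number).

```python
"""Consent ledger that gates outbound SMS and honours STOP/START keywords.

Added example; purpose tags, staleness policy and keyword lists are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Standard carrier opt-out / opt-in keywords, matched after normalisation.
STOP_WORDS = {"stop", "stopall", "unsubscribe", "cancel", "end", "quit"}
START_WORDS = {"start", "unstop"}


@dataclass
class Consent:
    phone: str
    purposes: set[str]            # hypothetical tags: reminder, billing, marketing
    captured_at: datetime
    source: str                   # intake_form, portal, sms_keyword
    revoked_at: datetime | None = None


class ConsentLedger:
    """Per-number consent history; the send path must call may_send() before every message."""

    def __init__(self, max_age_days: int = 365):
        self.max_age = timedelta(days=max_age_days)   # policy choice: older consent is re-captured
        self._records: dict[str, list[Consent]] = {}

    def record_consent(self, phone: str, purposes: set[str], source: str, when: datetime) -> Consent:
        rec = Consent(phone, set(purposes), when, source)
        self._records.setdefault(phone, []).append(rec)
        return rec

    def _latest(self, phone: str) -> Consent | None:
        recs = self._records.get(phone)
        return recs[-1] if recs else None

    def handle_inbound(self, phone: str, text: str, when: datetime) -> str:
        """Classify an inbound SMS as 'opt_out', 'opt_in' or 'message' (route to the inbox)."""
        word = text.strip().lower().rstrip(".!")
        latest = self._latest(phone)
        if word in STOP_WORDS:
            if latest is not None and latest.revoked_at is None:
                latest.revoked_at = when          # honoured now, not at the 10-business-day deadline
            return "opt_out"
        if word in START_WORDS:
            # Re-join the purposes last consented to; a keyword opt-in with no history
            # is treated as reminder-only (policy choice).
            purposes = latest.purposes if latest is not None else {"reminder"}
            self.record_consent(phone, purposes, "sms_keyword", when)
            return "opt_in"
        return "message"

    def may_send(self, phone: str, purpose: str, when: datetime) -> tuple[bool, str]:
        latest = self._latest(phone)
        if latest is None:
            return False, "no_consent"
        if latest.revoked_at is not None:
            return False, "opted_out"
        if purpose not in latest.purposes:          # reminder consent does not cover a flu-shot campaign
            return False, "purpose_not_consented"
        if when - latest.captured_at > self.max_age:
            return False, "consent_stale"
        return True, "ok"


def opt_out_deadline(received: datetime, business_days: int = 10) -> datetime:
    """Latest date by which an opt-out must be honoured (weekends skipped; holidays ignored here)."""
    d, remaining = received, business_days
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:
            remaining -= 1
    return d


# Constructed timeline for the demo: 2026-05-01 is a Friday.
NOW = datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc)


def run_scenario() -> list[tuple[str, object]]:
    """Walk one constructed number through consent, a marketing attempt, STOP, START and stale consent."""
    ledger = ConsentLedger(max_age_days=365)
    pt, other = "+15555550100", "+15555550101"    # constructed, non-routable numbers
    out: list[tuple[str, object]] = []
    ledger.record_consent(pt, {"reminder", "billing"}, "intake_form", NOW - timedelta(days=30))
    out.append(("reminder", ledger.may_send(pt, "reminder", NOW)))
    out.append(("marketing", ledger.may_send(pt, "marketing", NOW)))
    out.append(("unknown_number", ledger.may_send("+15555550199", "reminder", NOW)))
    out.append(("inbound_stop", ledger.handle_inbound(pt, " Stop. ", NOW)))
    out.append(("after_stop", ledger.may_send(pt, "reminder", NOW + timedelta(minutes=1))))
    out.append(("inbound_start", ledger.handle_inbound(pt, "START", NOW + timedelta(hours=1))))
    out.append(("after_start", ledger.may_send(pt, "reminder", NOW + timedelta(hours=2))))
    ledger.record_consent(other, {"reminder"}, "intake_form", NOW - timedelta(days=400))
    out.append(("stale", ledger.may_send(other, "reminder", NOW)))
    out.append(("deadline", opt_out_deadline(NOW).date().isoformat()))
    return out


if __name__ == "__main__":
    for step, result in run_scenario():
        print(f"{step:15s} {result}")
```

The one message you may still send after an opt-out is the single STOP confirmation; everything else waits for a fresh consent record, and the `sms_keyword` source on that record is the evidence you produce if a TCPA demand letter arrives.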
Starting a HIPAA-compliant SMS program
- Select a platform that signs a BAA: DialPhone, Spruce, TigerConnect, OhMD, Klara, etc.
- Sign the BAA: usually e-signed in under 5 minutes in the vendor’s admin portal.
- Update your Notice of Privacy Practices: disclose SMS as a communication method.
- Update intake forms: add a clear consent checkbox for SMS.
- Train staff: only BAA-covered tools for PHI; never personal phones.
- Set retention policy: a default of 2 years for message content is common; document the choice. HIPAA's six-year rule (§164.316) applies to policies, procedures and required documentation such as audit logs, not to message bodies; messages that carry clinical decisions become part of the medical record and follow state medical-record retention, which can be longer.
- Pilot with a single clinic/provider: validate consent capture and audit logs.
- Roll out org-wide: with a documented emergency-access (break-glass) procedure, which §164.312(a)(2)(ii) requires, and with every break-glass use logged and reviewed.
Frequently asked questions
Is standard SMS HIPAA-compliant for healthcare?
No. Standard carrier SMS and iMessage fail HIPAA on multiple fronts: no encryption at rest, no access controls, no audit logs, no BAA available from Verizon, AT&T, or T-Mobile, and no minimum-necessary enforcement. Sending protected health information through standard SMS is a HIPAA violation. Healthcare organizations must use a dedicated HIPAA-compliant SMS platform that signs a BAA and meets technical, administrative, and physical safeguard requirements.
What is required for a text message to be HIPAA-compliant?
HIPAA-compliant texting requires four technical elements: a signed Business Associate Agreement with the SMS platform, encryption in transit (TLS 1.2 or higher) and at rest (AES-256), role-based access controls with unique user IDs and automatic session logoff, and audit logs retained for six or more years. Administrative requirements include patient consent documentation and minimum-necessary disclosure practices for every message containing PHI.
Can appointment reminders be sent by standard SMS under HIPAA?
Appointment reminders can be sent via standard SMS only if they contain no protected health information. A compliant reminder says 'Your appointment is tomorrow at 2pm' with no patient name, diagnosis, provider specialty, or other identifying health details.
If the reminder includes any PHI, including the provider's specialty or a condition-related reference, it must go through a HIPAA-BAA-covered platform. Most practices use Pattern B: SMS delivery from a BAA-covered platform with PHI-free content, and a patient portal for clinical details. Because the phone number on file is itself a HIPAA identifier, the conservative posture is to send even bare reminders through the BAA-covered platform.
Which SMS platforms sign HIPAA BAAs?
Platforms that sign HIPAA BAAs and meet technical safeguards include DialPhone (Advanced tier and above), Spruce Health, OhMD, TigerConnect, Klara, Updox, and Twilio for qualifying enterprise customers. Standard consumer messaging tools including iMessage, Google Messages, and basic carrier SMS do not qualify regardless of how carefully they are used. Confirm BAA availability and pricing tier before evaluating features — some vendors only sign BAAs on enterprise plans.
Does TCPA apply to healthcare text messaging?
Yes. Both HIPAA and the Telephone Consumer Protection Act apply to patient texting. TCPA requires prior express consent to text a mobile number, a clear opt-out mechanism (STOP keyword), and opt-out requests honored within 10 business days. Most HIPAA-compliant SMS platforms handle TCPA technical enforcement automatically. Healthcare practices remain responsible for genuine consent documentation at intake and for updating consent when new messaging use cases are added.
What are the HIPAA penalties for texting patient information without a BAA?
HIPAA violations for improper PHI disclosure via SMS fall under a four-tier penalty structure. Tier 1 (did not know): $100–$50,000 per violation, $25,000 annual cap. Tier 2 (reasonable cause): $1,000–$50,000 per violation, $100,000 annual cap.
Tier 3 (willful, corrected within 30 days): $10,000–$50,000 per violation, $250,000 annual cap. Tier 4 (willful, not corrected): $50,000–$250,000 per violation, $1.9 million annual cap. A mass texting campaign without a BAA — where each patient message could be counted as a separate violation — represents significant financial exposure.
Can I use WhatsApp or iMessage for patient communication in healthcare?
No. WhatsApp, iMessage, Facebook Messenger, and standard carrier SMS are not HIPAA-compliant. WhatsApp's parent company Meta explicitly states it does not sign BAAs. Apple does not offer a BAA for iMessage. WhatsApp and iMessage are end-to-end encrypted, but encryption alone does not make a channel HIPAA-compliant: these tools fail the BAA requirement, have no audit log system accessible to covered entities, and have no access control mechanism for healthcare workflows. Using these platforms for PHI, even occasionally, is a HIPAA violation.
What is the minimum-necessary rule for HIPAA texting?
HIPAA's minimum-necessary standard (45 CFR §164.502(b)) requires that covered entities and business associates disclose only the PHI needed to accomplish the intended purpose.
Applied to texting: an appointment reminder should not include the patient's diagnosis or the nature of the appointment unless clinically necessary. A prescription ready notification should not include the medication name if a generic 'your prescription is ready' message accomplishes the purpose. Apply the minimum-necessary test before composing any SMS that may touch PHI.
How do I set up a HIPAA-compliant SMS program for my practice?
Eight steps: (1) Select a platform that signs a BAA — DialPhone, Spruce Health, TigerConnect, OhMD, Klara. (2) Sign the BAA before sending any patient messages — usually e-signed in under 5 minutes in the vendor's admin portal. (3) Update your Notice of Privacy Practices to disclose SMS as a communication method. (4) Add a consent checkbox to intake forms: 'I consent to receive appointment reminders and care communications by SMS.'
(5) Train staff: only BAA-covered tools for PHI, never personal phones. (6) Configure role-based access controls before go-live. (7) Set a message retention policy: six years for audit logs and policy documentation, and a documented period for message content that respects state medical-record rules. (8) Pilot with one provider before full rollout.
Do bulk or mass texting campaigns require a BAA?
Yes. Mass texting campaigns to patients require a BAA if the messages include any PHI. Even a batch reminder that includes a patient's name and appointment time constitutes PHI and must go through a BAA-covered platform. Some BAAs scope narrowly and explicitly exclude campaign-level batch sends — review the BAA language for this before launching a recall campaign. DialPhone's BAA covers both individual messages and bulk campaign sends under the same agreement.
How We Tested
DialPhone re-verifies every comparison in this guide every 90 days. We pull pricing directly from each vendor’s public pricing page on the dates recorded with each guide. Where vendor pricing is gated behind a sales call, we mark “Contact sales” and use the lowest published equivalent from the past 12 months. Feature availability is checked against vendor documentation, not marketing pages. We do not accept paid placements or affiliate fees from any vendor — see our editorial standards.
What We Don’t Like
No platform is perfect, including DialPhone. Honest drawbacks based on user feedback and our own testing:
- Smaller integration catalog than RingCentral (~40 vs 200+). Niche vertical CRM integrations may require API work.
- Newer brand awareness. RingCentral and 8x8 have 15+ years of analyst coverage. Enterprise procurement reviews may take longer.
- Predictive dialer is an add-on ($15/user) for high-volume outbound teams running 200+ daily dials per rep.
- HIPAA BAA starts on Advanced tier ($34/user), not the $24 Core plan. Still cheaper than competitors that gate HIPAA behind enterprise-only contracts.
Related resources
- DialPhone HIPAA compliance
- DialPhone business SMS
- 10DLC registration guide
- TCPA glossary
- DialPhone for healthcare
HIPAA-compliant texting isn’t hard once the platform is in place. The failure modes are process failures: staff texting from personal phones, untrained front desks forwarding messages, consent not captured. Fix the process, and the platform handles the rest.
About the author
Growth Operations Lead at DialPhone
Darshan leads Growth Operations at DialPhone, where he owns three interconnected programs: the comparison content operation, the open VoIP Pricing Dataset, and the test-call methodology used to verify every pricing claim published on the site.
His research process starts with hands-on product trials and live vendor quotes — not marketing pages. Pricing figures are cross-checked against actual invoices and re-verified on a rolling quarterly cycle, with the underlying dataset kept public for independent re-verification. That dataset now covers 40+ VoIP and virtual-number providers across the US and Canada market.
Darshan also leads DialPhone's AI receptionist evaluation program, running structured test-call scenarios across English, Spanish, and French to assess transcription accuracy, intent routing, and escalation behavior. Methodology notes and raw scoring are archived in the research section.
For factual corrections or dataset discrepancies, Darshan can be reached at the DialPhone editorial address. Verified corrections are published as errata with a changelog date — no silent edits.