Guide to HIPAA Texting Rules & HIPAA Compliant Texting Apps + HIPAA Text Message Templates

There’s a lot of confusion around HIPAA compliant texting. I often hear questions like:

• Is texting a patient name a HIPAA violation?
• Can you send HIPAA compliant appointment reminders?
• When is texting patient information allowed?
• Are WhatsApp or Google Voice HIPAA compliant?

My goal is to eliminate confusion and answer these text messaging questions and more.

So this article is for healthcare professionals, medical offices, medical staff, and any other practitioner that needs to understand:

1. What HIPPA and protected health information (PHI) are
2. If SMS text messaging is HIPAA compliant
3. HIPPA compliant texting vs. HIPAA secure texting
4. How to send HIPAA compliant text messages
5. The best HIPAA compliant texting apps and services
6. HIPAA compliant text message templates for medical offices and practitioners
7. Frequently asked HIPAA compliance text message questions

By the end, you’ll have a clear understanding of HIPAA rules and requirements and how to text patients.

Read on for more.

Note: There aren’t definitive guidelines or certifications that officially recognize a texting product as “HIPAA Secure”. HIPAA demands compliance with the general rules as stated in the Security Rule, the Privacy Rule, and the Breach Notification Rule.

The difference between HIPAA compliant texting and secure texting comes down to addressable vs. required HIPAA implementation specifications.

Almost every business texting service for healthcare organizations can be HIPAA compliant when used properly. But very few texting platforms are HIPAA secure.

HIPAA compliance isn’t about texting software. It's about users.

Texting software can support HIPAA compliance and incorporate all the necessary safeguards for confidentiality, integrity, and availability of PHI. But users can easily undo those controls.

Does your practice or office need to send or receive protected health information via text?

If the answer is no, then you can use many texting apps (like MessageDesk) in a HIPAA compliant way for:

• Appointment reminders and confirmations
• Pre-operative instructions
• “You’re checked in” office text messages
• No-show or missed appointment text messages
• Post-discharge follow-up messages
• Lab test results ready text messages
• Prescription ready notifications
• Changes in office hours or availability
• Feedback requests
• Review asks

Note: All of the above text message examples are only HIPAA compliant if they omit protected health information. Check out my list of HIPAA compliant text templates below for specific examples.

Most HIPAA compliant texting apps come with all of the tools and features you need to comply with HIPAA. This includes features for getting express written consent and patient opt-in and opt-out (more on this below).

So the caveat for HIPAA compliance is that you have to use your texting platform in the right ways:

1. You can’t text any protected health information.
2. You have to sign a business associate agreement (BAA) with your text messaging provider.

But what if you do need to text PHI?

Then you need a HIPAA secure texting app. These are different because they offer:

• Message encryption
• Data controls
• User access permissions
• Secure databases

These are all addressable HIPAA compliant texting requirements. They apply specifically to healthcare professionals that absolutely need to handle PHI at rest and in transit when communicating with patients.

They’re not required for baseline HIPAA compliance, but they’re absolutely essential if you ever need to text PHI.

A common mistake many medical offices make is assuming that they can text patients from their personal phones and personal numbers.

This doesn’t work because:

• Texting from personal phones isn’t covered under most Business Associate Agreements (BAAs).
• You can’t manage consent, opt-in, and opt-out compliance.
• You don’t have advanced password protection for all users.
• You can’t limit access to protected health information.

So you need an SMS service with advanced tools and features to text patients.

Here’s how to get started.

1. Choose a HIPAA compliant texting app

The best HIPAA compliant text messaging apps save time, increase messaging efficiency, and extend your messaging reach.

But you and your staff have many business text messaging services to choose from. So consider what features you need before you buy.

Do you need to send a high volume of texts or send text alerts?

You’ll want a HIPAA compliant text messaging app that comes with A2P carrier-verified delivery and bulk texting features. Without these tools, you can’t text at scale and your text messages won’t get delivered.

Do you need one-on-one, two-way, HIPAA compliant patient communication and reminders? Then you’ll want a text service with a shared team SMS inbox.

An SMS inbox allows you and other staff to route, organize, and manage inbound and outbound text conversations. You can even add comments and tag and mention other admins or staff within individual text threads.

MessageDesk comes with all of the above texting features and more for offices and medical practices.

2. Create a free account

Regardless of the HIPAA compliant messaging app you choose, create a free account first. This gives you a chance to test drive and understand how things work.

You’re always free to sign up for a free trial if you’re interested in MessageDesk. You can also meet with a messaging expert to answer questions. They can help you get started.

3. Set up your SMS phone number

Next, you’ll need to get a business text number.

You’ve got a range of SMS phone number options to choose from. These include:

• 10-digit local phone numbers
• Toll-free 800 area code phone numbers

You can also text-enable your existing business landline or another number with number hosting.

MessageDesk even gives you a way to text-enable phone number extensions and set up call forwarding.

4. Explain your messaging policies and set up opt-in and opt-out controls

You need to be clear about your text messaging policies to send HIPAA compliant texts to patients.

This means never texting protected health information and explaining that patients can opt-out of messaging at any time.

There are several ways to do this:

1. Clearly explain your texting policies and terms to patients in-office and on your website
2. Use your text messaging provider to set up opt-in and opt-out controls

Opt-in and opt-out controls are part of the TCPA compliance guidelines and professional text messaging etiquette. This is a requirement for any business that wants to text.

Many business text messaging services like MessageDesk offer text message autoresponders for opt-in and opt-out.

Autoresponders are a versatile texting feature. They make it easy to send an automated text when someone texts STOP or HELP.

If your office texts a patient for the first time, MessageDesk will automatically send an autoresponder opt-out message. This text message explains your messaging policies. It also instructs the patient on how to opt out of text messages by responding, STOP at any time.

Additionally, if a patient opts-out and texts STOP, a guard is placed on their phone number. This prevents you and your office from texting the patient until they opt back into messaging.

And if a patient texts HELP, then they’re directed to additional resources.

MessageDesk supports both STOP and HELP keywords out of the box. There’s no setup required to maintain TCPA compliance.

5. Get express written consent with opt-in keywords, website forms, and website chatbots

You need a written record of consent from patients that gives you their permission to receive texts. You can’t text a patient unless they clearly understand your messaging policies and opt-in.

This is called express written consent.

Some of the best ways to establish express written consent include:

• Website contact forms
• Website chatbots
• Opt-in autoresponder keywords

All of these tools can help you start text conversations in HIPAA compliant ways. They can opt patients into texting and make your messaging policies clear.

Here’s an example of how to use autoresponders to explain messaging terms and establish express written consent:

📲 A patient texts a keyword to your business phone number ✨

Once you’ve established express written consent, you can manage active and inactive patients as “subscribers” with an SMS subscriber list.

MessageDesk’s subscriber list management features even include smart groups and custom fields.

These features are essential for timely messaging. They help you manage consent and stay compliant by:

• Automatically filtering patients into groups and lists
• Actively recording which patients opt in and out of receiving text messages
• Maintaining an active patient do-not-contact list (DNC)

6. Enable advanced password protection and limit access to PHI

Not everyone in your office needs access to patient health information.

Business text messaging platforms like MessageDesk come with user permissions and access controls. Access controls give each employee unique login credentials and a designated level of access to perform their job function.

This means you can make any protected health information inaccessible to certain staff members and employees.

There’s no need to include patient health information if your text messages are administrative. Staff texting appointment reminders and confirmations don’t need access to a patient’s medical information.

7. Get a signed business associate agreement (BAA)

As part of your HIPAA text messaging policy, you need a signed business associate agreement (BAA).

A BAA specifies “covered entities” e.g. your medical office, practice, and staff. It states that you’ll use the text messaging provider in a secure way to protect patient health information.

BAAs mandates that both entities stay within HIPAA compliance. Without a signed BAA, you can’t text patients.

8. Connect your HIPAA compliant texting software to your appointment scheduling, payments, and EHR software through integrations like Zapier

Need to connect appointment scheduling, payments, or your EHR software? You can use services like Zapier to automate your appointment reminders, appointment confirmations, and payment reminders.

There are three ways you can use Zapier with MessageDesk to trigger events, automate your reminder messages, and more.

Add or update a contact

Whenever a new contact requests an appointment, you can sync their phone number with MessageDesk. Or update contact info when a contact reschedules an appointment in an app like Calendly or Google Calendar.

Add contact to a group

You can also add outside contacts to groups in MessageDesk as well.

Send a message

Trigger a text message to be sent when an action happens in another app. You can automatically send a message to a customer any number of days before an event and much more.

Google Calendar:

Calendly:

SimplyBook.me:

Acuity Scheduling:

MeetFox:

The most common use of HIPAA compliant texting for medical professionals is reminding and confirming appointments. This is great for:

• Reducing no-shows and phone tag
• Automatically sending out-of-office messages
• Improving customer service

However, the only way to keep your texting HIPAA compliant is to never text protected health information.

You’re also free to check out my list of 100+ text message templates, examples, and samples for more.

Note: The following HIPAA compliant text message templates don’t include the patient’s name. Reasons for the appointment or the treatment and all other PHI are also omitted.

HIPAA compliant appointment reminder text message template

HIPAA compliant appointment confirmation text template

HIPAA compliant pre-operative instructions text template

HIPAA compliant checked-in text message template

HIPAA compliant no-show or missed appointment text

HIPAA compliant office hours text template

HIPAA compliant post-discharge follow-up text template

HIPAA compliant lab test results ready text template

Notifications about prescriptions

HIPAA compliant out-of-office text message template

HIPAA compliant text alert template

HIPAA compliant invoice or payment reminder

HIPAA compliant COVID-19 guidelines text message template

HIPAA compliant feedback ask template

HIPAA compliant review ask template

Below is a list of frequently asked questions relating to text messaging and HIPAA compliance.

Can text messages be encrypted?

Texting doesn’t allow for encryption because of the way carriers handle texts. Texting (as a technology) can’t be encrypted. This means you can’t use texts to transmit personal health information.

Is texting HIPAA compliant?

SMS text messaging is not HIPAA compliant if your text contains protected health information (PHI). But HIPAA doesn’t prohibit healthcare professionals from sending text messages (like appointment reminders) to patients. However, there are specific rules, regulations, and best practices to be aware of before you can start texting.

Is Google Voice HIPAA compliant?

The paid version of Google Voice for Google Workspace can be used in a HIPAA compliant way. Google does sign BAAs for healthcare organizations and Google Voice can be used for texting without PHI in accordance with HIPAA regulations.

Google allows healthcare organizations to adopt its services, and they offer a business associate agreement for G Suite. BAA’s did not initially cover Google Voice. But that has now changed. Google Voice for G Suite is covered by the BAA and can be considered a HIPAA compliant service.

Is WhatsApp HIPAA compliant?

WhatsApp is not HIPAA compliant in its current form. It can’t be used to transmit PHI. It doesn't have the proper safeguards in place to protect sensitive patient health information. However, healthcare professionals can use WhatsApp for general communication, or for sending de-identified PHI.

Is texting a patient name a HIPAA violation?

Texting a patient's name or any other personally identifiable health information is a HIPAA violation. If you do need to text PHI, use a HIPAA compliant secure text app. These platforms move conversations from texts over to encrypted and password-protected messaging channels.

What are the penalties for HIPAA violations?

HIPAA violations and penalties can range from $100 to $50,000 per day depending on the severity of the violation.

Are there any special COVID-19 HIPAA regulations?

On March 17, 2020, the US Department of Health and Human Services (HHS) released a statement in response to COVID-19.

This statement announced HIPAA enforcement discretion for healthcare providers.

The statement gives greater discretion and flexibility to healthcare providers. Especially those who serve and contact patients every day through communications technologies like text messaging.

Read More: Statement from the US Department of Health and Human Services

What other regulations do I need to be aware of?

HIPAA compliant messaging apps are also subject to the Health Information Technology for Economic and Clinical Health (HITECH) act.

Final thoughts and next steps

Ready to start texting? MessageDesk is here to help with smarter, simpler text messaging for medical offices, dental offices, and private practices.

If you're ready, feel free to create a free MessageDesk account. Check out our paid plans - pricing starts at just $14 per month. You’re also free to meet with a messaging expert for a demo.

Disclaimer: Please note that the advice contained in this article is for informational purposes only. It’s not meant to substitute for advice from qualified legal counsel.