Guide to HIPAA Texting Rules & HIPAA Compliant Texting Apps + HIPAA Text Message Templates
There’s a lot of confusion around HIPAA compliant texting. I often hear questions like:
- Is texting a patient name a HIPAA violation?
- Can you send HIPAA compliant appointment reminders?
- When is texting patient information allowed?
- Are WhatsApp or Google Voice HIPAA compliant?
My goal is to eliminate confusion and answer these text messaging questions and more.
So this article is for healthcare professionals, medical offices, medical staff, and any other practitioner that needs to understand:
- What HIPPA and protected health information (PHI) are
- If SMS text messaging is HIPAA compliant
- HIPPA compliant texting vs. HIPAA secure texting
- How to send HIPAA compliant text messages
- The best HIPAA compliant texting apps and services
- HIPAA compliant text message templates for medical offices and practitioners
- Frequently asked HIPAA compliance text message questions
By the end, you’ll have a clear understanding of HIPAA rules and requirements and how to text patients.
Read on for more.
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act (1996). HIPAA is a federal law designed to keep protected health information (PHI) and patient privacy safe. The HIPAA Privacy and Security Rules require appropriate safeguards to protect the privacy of protected health information (PHI). HIPAA sets limits and conditions on the uses and disclosures of PHI without an individual’s authorization.
What is Protected Health Information (PHI)?
PHI stands for Protected Health Information. The HIPAA Privacy Rule establishes federal protections for personal health information. This gives patients numerous rights with respect to that information. PHI constitutes all individually identifiable health information. Any identifiers or information like name, birthday, or address are all considered PHI.
Is SMS Text Messaging HIPAA Compliant?
Text messaging is HIPAA compliant under certain conditions. Healthcare professionals can text patients if they establish patient consent, set opt-out controls, and sign a business associate agreement (BAA) with a HIPAA compliant texting app. This agreement sets guidelines and establishes that PHI won’t be exchanged via SMS text message. But keep in mind, SMS text messages aren’t considered HIPAA secure because:
- SMS text messages can’t be encrypted.
- Telecom carriers store all text messages as data on a server.
- When a text message is “at rest” the data is stored locally on the recipient’s phone.
- Bad actors can intercept text messages on public Wi-Fi networks.
- You can’t recall or cancel a text message after it's sent.
- Most personal phones don’t have strong password protections.
- Mobile devices can get lost or stolen, which increases the risk of PHI identity theft.
Note: There aren’t definitive guidelines or certifications that officially recognize a texting product as “HIPAA Secure”. HIPAA demands compliance with the general rules as stated in the Security Rule, the Privacy Rule, and the Breach Notification Rule.
HIPPA Compliant Texting vs. HIPAA Secure Texting
The difference between HIPAA compliant texting and secure texting comes down to addressable vs. required HIPAA implementation specifications.
Almost every business texting service for healthcare organizations can be HIPAA compliant when used properly. But very few texting platforms are HIPAA secure.
HIPAA compliance isn’t about texting software. It's about users.
Texting software can support HIPAA compliance and incorporate all the necessary safeguards for confidentiality, integrity, and availability of PHI. But users can easily undo those controls.
Does your practice or office need to send or receive protected health information via text?
If the answer is no, then you can use many texting apps (like MessageDesk) in a HIPAA compliant way for:
- Appointment reminders and confirmations
- Pre-operative instructions
- “You’re checked in” office text messages
- No-show or missed appointment text messages
- Post-discharge follow-up messages
- Lab test results ready text messages
- Prescription ready notifications
- Changes in office hours or availability
- Feedback requests
- Review asks
Note: All of the above text message examples are only HIPAA compliant if they omit protected health information. Check out my list of HIPAA compliant text templates below for specific examples.
Most HIPAA compliant texting apps come with all of the tools and features you need to comply with HIPAA. This includes features for getting express written consent and patient opt-in and opt-out (more on this below).
So the caveat for HIPAA compliance is that you have to use your texting platform in the right ways:
- You can’t text any protected health information.
- You have to sign a business associate agreement (BAA) with your text messaging provider.
But what if you do need to text PHI?
Then you need a HIPAA secure texting app. These are different because they offer:
- Message encryption
- Data controls
- User access permissions
- Secure databases
These are all addressable HIPAA compliant texting requirements. They apply specifically to healthcare professionals that absolutely need to handle PHI at rest and in transit when communicating with patients.
They’re not required for baseline HIPAA compliance, but they’re absolutely essential if you ever need to text PHI.
{{appointment_reschedule="/media"}}
How to Send HIPAA Compliant Text Messages
A common mistake many medical offices make is assuming that they can text patients from their personal phones and personal numbers.
This doesn’t work because:
- Texting from personal phones isn’t covered under most Business Associate Agreements (BAAs).
- You can’t manage consent, opt-in, and opt-out compliance.
- You don’t have advanced password protection for all users.
- You can’t limit access to protected health information.
So you need an SMS service with advanced tools and features to text patients.
Here’s how to get started.
1. Choose a HIPAA compliant texting app
The best HIPAA compliant text messaging apps save time, increase messaging efficiency, and extend your messaging reach.
But you and your staff have many business text messaging services to choose from. So consider what features you need before you buy.
Do you need to send a high volume of texts or send text alerts?
You’ll want a HIPAA compliant text messaging app that comes with A2P carrier-verified delivery and bulk texting features. Without these tools, you can’t text at scale and your text messages won’t get delivered.
Do you need one-on-one, two-way, HIPAA compliant patient communication and reminders? Then you’ll want a text service with a shared team SMS inbox.
An SMS inbox allows you and other staff to route, organize, and manage inbound and outbound text conversations. You can even add comments and tag and mention other admins or staff within individual text threads.
{{inbox_annotated="/media"}}
2. Set up your SMS phone number
Next, you’ll need to get a business text number.
You’ve got a range of SMS phone number options to choose from. These include:
- 10-digit local phone numbers
- Toll-free 800 area code phone numbers
You can also text-enable your existing business landline or another number with number hosting.
MessageDesk even gives you a way to text-enable phone number extensions and set up call forwarding.
{{sms_phone_number="/media"}}
3. Explain your messaging policies and set up opt-in and opt-out controls
You need to be clear about your text messaging policies to send HIPAA compliant texts to patients.
This means never texting protected health information and explaining that patients can opt-out of messaging at any time.
There are several ways to do this:
- Clearly explain your texting policies and terms to patients in-office and on your website
- Use your text messaging provider to set up opt-in and opt-out controls
Opt-in and opt-out controls are part of the TCPA compliance guidelines and professional text messaging etiquette. This is a requirement for any business that wants to text.
Many business text messaging services like MessageDesk offer text message autoresponders for opt-in and opt-out.
Autoresponders are a versatile texting feature. They make it easy to send an automated text when someone texts STOP or HELP.
If your office texts a patient for the first time, MessageDesk will automatically send an autoresponder opt-out message. This text message explains your messaging policies. It also instructs the patient on how to opt out of text messages by responding, STOP at any time.
Additionally, if a patient opts-out and texts STOP, a guard is placed on their phone number. This prevents you and your office from texting the patient until they opt back into messaging.
And if a patient texts HELP, then they’re directed to additional resources.
MessageDesk supports both STOP and HELP keywords out of the box. There’s no setup required to maintain TCPA compliance.
{{automation_opt_in_out="/media"}}
4. Get express written consent with opt-in keywords, website forms, and website chatbots
You need a written record of consent from patients that gives you their permission to receive texts. You can’t text a patient unless they clearly understand your messaging policies and opt-in.
This is called express written consent.
Some of the best ways to establish express written consent include:
- Website contact forms
- Website chatbots
- Opt-in autoresponder keywords
All of these tools can help you start text conversations in HIPAA compliant ways. They can opt patients into texting and make your messaging policies clear.
Here’s an example of how to use autoresponders to explain messaging terms and establish express written consent:
📲 A patient texts a keyword to your business phone number ✨
SUBSCRIBE
The following are {{ OrganizationName }} text messaging policies. 1. We will never include protected health information in any text messages. 2. We will only send you text messages directly related to appointment reminders and confirmations. 3. Opt out at any time by texting STOP. Get more info by texting HELP. Respond CONFIRM to consent to receive text messages and accept our messaging terms.
CONFIRM
Thanks for confirming! You’re opted in to receive text messages from {{ OrganizationName }}.
Once you’ve established express written consent, you can manage active and inactive patients as “subscribers” with an SMS subscriber list.
MessageDesk’s subscriber list management features even include smart groups and custom fields.
These features are essential for timely messaging. They help you manage consent and stay compliant by:
- Automatically filtering patients into groups and lists
- Actively recording which patients opt in and out of receiving text messages
- Maintaining an active patient do-not-contact list (DNC)
{{inbox_filters="/media"}}
6. Enable advanced password protection and limit access to PHI
Not everyone in your office needs access to patient health information.
Business text messaging platforms like MessageDesk come with user permissions and access controls. Access controls give each employee unique login credentials and a designated level of access to perform their job function.
This means you can make any protected health information inaccessible to certain staff members and employees.
There’s no need to include patient health information if your text messages are administrative. Staff texting appointment reminders and confirmations don’t need access to a patient’s medical information.
{{confirmation_medical="/media"}}
7. Get a signed business associate agreement (BAA)
As part of your HIPAA text messaging policy, you need a signed business associate agreement (BAA).
A BAA specifies “covered entities” e.g. your medical office, practice, and staff. It states that you’ll use the text messaging provider in a secure way to protect patient health information.
BAAs mandates that both entities stay within HIPAA compliance. Without a signed BAA, you can’t text patients.
Note: MessageDesk does not currently offer, support, or sign BAAs. We intend to offer this capability and other HIPPA compliant features in the near future.
{{reminders_medical="/media"}}
8. Connect your HIPAA compliant texting software to your appointment scheduling, payments, and EHR software through integrations like Zapier
Need to connect appointment scheduling, payments, or your EHR software? You can use services like Zapier to automate your appointment reminders, appointment confirmations, and payment reminders.
There are three ways you can use Zapier with MessageDesk to trigger events, automate your reminder messages, and more.
Add or update a contact
Whenever a new contact requests an appointment, you can sync their phone number with MessageDesk. Or update contact info when a contact reschedules an appointment in an app like Calendly or Google Calendar.
Add contact to a group
You can also add outside contacts to groups in MessageDesk as well.
Send a message
Trigger a text message to be sent when an action happens in another app. You can automatically send a message to a customer any number of days before an event and much more.
Google Calendar:
{{zapier_google_calendar="/components"}}
Calendly:
{{zapier_calendly="/components"}}
SimplyBook.me:
{{zapier_simplybook_me="/components"}}
Acuity Scheduling:
{{zapier_acuity="/components"}}
MeetFox:
{{zapier_meet_fox="/components"}}
HIPAA Compliant Text Message Templates for Medical Offices
The most common use of HIPAA compliant texting for medical professionals is reminding and confirming appointments. This is great for:
- Reducing no-shows and phone tag
- Automatically sending out-of-office messages
- Improving customer service
However, the only way to keep your texting HIPAA compliant is to never text protected health information.
You’re also free to check out my list of 100+ text message templates, examples, and samples for more.
Note: The following HIPAA compliant text message templates don’t include the patient’s name. Reasons for the appointment or the treatment and all other PHI are also omitted.
HIPAA compliant appointment reminder text message template
You have an appointment with {{ OrganizationName }} on {{ Date }}. Reply “yes” to confirm or “no” to cancel. Feel free to respond to this text with questions. When you arrive, you may come in or reply to this text to check in. Please call {{ OrganizationPhone }} if you do not receive a response.
HIPAA compliant appointment confirmation text template
Please reply ‘Y’ to confirm your dental appointment on {{ Date }} {{ Time }}. Thank you.
HIPAA compliant pre-operative instructions text template
Hi there. Here are some instructions {{ OrganizationName }} would like you to follow before your appointment: [ Link ]. If you have any questions, please call our office at {{ OrganizationPhone }} or text HELP for assistance.
HIPAA compliant checked-in text message template
Thank you! We have you checked In. We will let you know as soon as your room is ready.
HIPAA compliant no-show or missed appointment text
We missed you today! This is {{ OrganizationName }} notifying you that you missed your appointment with us on {{ Date }} at {{ time }}. Please call us at {{ OrganizationPhone }} to reschedule.
HIPAA compliant office hours text template
Hi there. Normal office hours are {{ OfficeHours }}. In the meantime, you can reach us directly at {{ OrganizationPhone }} for assistance or text HELP.
HIPAA compliant post-discharge follow-up text template
Hi there. Please call our office at {{ OrganizationPhone }} for your post-discharge follow-up.
HIPAA compliant lab test results ready text template
Hi there, your lab results from {{ OrganizaitonName }} are now ready. Please call {{ OrganizaitonPhone }} for further assistance or text HELP.
Notifications about prescriptions
Hi there, your prescription at {{ OrganizaitonName }} is now ready. Please call {{ OrganizationPhone }} for further assistance or text HELP.
HIPAA compliant out-of-office text message template
Hi there. All of our staff are currently away. Please call {{ OrganizationPhone }} for assistance or text HELP.
HIPAA compliant text alert template
Please be advised that parking for {{ OrganizationName }} is currently limited due to roadwork. Please plan ahead accordingly. We apologize for any inconvenience.
HIPAA compliant invoice or payment reminder
Hi there, it’s {{ OrganizationName }}. We just wanted to remind you that your credit card on file will be charged on {{ Date }}. Please call or text our office if you have questions.
HIPAA compliant COVID-19 guidelines text message template
Please review our COVID-19 Guidelines on our website BEFORE your appointment. [ link ]
HIPAA compliant feedback ask template
Hi there! We’d love to know what you thought about your last visit to our office. Did it meet your expectations? Do you have any feedback for us? Submit your feedback here [ Link ]
HIPAA compliant review ask template
We’re happy you had such a great experience with our office today. Would you mind taking some time to leave us a review on Google? [ Link ]
{{reviews_medical="/media"}}
Frequently Asked HIPAA Text Messaging Questions
Below is a list of frequently asked questions relating to text messaging and HIPAA compliance.
Can text messages be encrypted?
Texting doesn’t allow for encryption because of the way carriers handle texts. Texting (as a technology) can’t be encrypted. This means you can’t use texts to transmit personal health information.
Is texting HIPAA compliant?
SMS text messaging is not HIPAA compliant if your text contains protected health information (PHI). But HIPAA doesn’t prohibit healthcare professionals from sending text messages (like appointment reminders) to patients. However, there are specific rules, regulations, and best practices to be aware of before you can start texting.
Is Google Voice HIPAA compliant?
The paid version of Google Voice for Google Workspace can be used in a HIPAA compliant way. Google does sign BAAs for healthcare organizations and Google Voice can be used for texting without PHI in accordance with HIPAA regulations.
Google allows healthcare organizations to adopt its services, and they offer a business associate agreement for G Suite. BAA’s did not initially cover Google Voice. But that has now changed. Google Voice for G Suite is covered by the BAA and can be considered a HIPAA compliant service.
Is WhatsApp HIPAA compliant?
WhatsApp is not HIPAA compliant in its current form. It can’t be used to transmit PHI. It doesn't have the proper safeguards in place to protect sensitive patient health information. However, healthcare professionals can use WhatsApp for general communication, or for sending de-identified PHI.
Is texting a patient name a HIPAA violation?
Texting a patient's name or any other personally identifiable health information is a HIPAA violation. If you do need to text PHI, use a HIPAA compliant secure text app. These platforms move conversations from texts over to encrypted and password-protected messaging channels.
What are the penalties for HIPAA violations?
HIPAA violations and penalties can range from $100 to $50,000 per day depending on the severity of the violation.
Are there any special COVID-19 HIPAA regulations?
On March 17, 2020, the US Department of Health and Human Services (HHS) released a statement in response to COVID-19.
This statement announced HIPAA enforcement discretion for healthcare providers.
The statement gives greater discretion and flexibility to healthcare providers. Especially those who serve and contact patients every day through communications technologies like text messaging.
Read More: Statement from the US Department of Health and Human Services
What other regulations do I need to be aware of?
HIPAA compliant messaging apps are also subject to the Health Information Technology for Economic and Clinical Health (HITECH) act.
Final thoughts and next steps
Ready to start texting? MessageDesk is here to help with smarter, simpler text messaging for medical offices, dental offices, and private practices.
If you're ready, check out our paid plans - pricing starts at just $14 per month. You’re also free to meet with a messaging expert for a demo.
Disclaimer: Please note that the advice contained in this article is for informational purposes only. It’s not meant to substitute for advice from qualified legal counsel.