Is Texting HIPAA Compliant? HIPAA Compliant Texting Guide

Guide to HIPAA Texting Rules & HIPAA Compliant Texting Apps + HIPAA Text Message Templates

There’s a lot of confusion around HIPAA compliant texting. I often hear questions like:

  • Is texting a patient name a HIPAA violation?
  • Can you send HIPAA compliant appointment reminders?
  • When is texting patient information allowed?
  • Are WhatsApp or Google Voice HIPAA compliant?

My goal is to eliminate confusion and answer these text messaging questions and more.

So this article is for healthcare professionals, medical offices, medical staff, and any other practitioner who needs to understand:

  1. What HIPAA and protected health information (PHI) are
  2. If SMS text messaging is HIPAA compliant
  3. HIPAA compliant texting vs. HIPAA secure texting
  4. How to send HIPAA compliant text messages
  5. The best HIPAA compliant texting apps and services
  6. HIPAA compliant text message templates for medical offices and practitioners
  7. Frequently asked HIPAA compliance text message questions

By the end, you’ll have a clear understanding of HIPAA rules and requirements and how to text patients.

Read on for more.

Add SMS Superpowers to Any Business Phone
No switching carriers. Just add texting. Talk to Sales to get started.
Note: There aren’t definitive guidelines or certifications that officially recognize a texting product as “HIPAA Secure”. HIPAA demands compliance with the general rules as stated in the Security Rule, the Privacy Rule, and the Breach Notification Rule.

HIPAA Compliant Texting vs. HIPAA Secure Texting

The difference between HIPAA compliant texting and secure texting comes down to addressable vs. required HIPAA implementation specifications.

Almost every business texting service for healthcare organizations can be HIPAA compliant when used properly. But very few texting platforms are HIPAA secure.

HIPAA compliance isn’t about texting software. It's about users.

Texting software can support HIPAA compliance and incorporate all the necessary safeguards for confidentiality, integrity, and availability of PHI. But users can easily undo those controls.

Does your practice or office need to send or receive protected health information via text?

If the answer is no, then you can use many texting apps (like MessageDesk) in a HIPAA compliant way for:

  • Appointment reminders and confirmations
  • Pre-operative instructions
  • “You’re checked in” office text messages
  • No-show or missed appointment text messages
  • Post-discharge follow-up messages
  • Lab test results ready text messages
  • Prescription ready notifications
  • Changes in office hours or availability
  • Feedback requests
  • Review asks
Note: All of the above text message examples are only HIPAA compliant if they omit protected health information. Check out my list of HIPAA compliant text templates below for specific examples.

Most HIPAA compliant texting apps come with all of the tools and features you need to comply with HIPAA. This includes features for getting express written consent and patient opt-in and opt-out (more on this below).

So the caveat for HIPAA compliance is that you have to use your texting platform in the right ways:

  1. You can’t text any protected health information.
  2. You have to sign a business associate agreement (BAA) with your text messaging provider.

But what if you do need to text PHI?

Then you need a HIPAA secure texting app. These are different because they offer:

These are all addressable HIPAA compliant texting requirements. They apply specifically to healthcare professionals that absolutely need to handle PHI at rest and in transit when communicating with patients.

They’re not required for baseline HIPAA compliance, but they’re absolutely essential if you ever need to text PHI.


How to Send HIPAA Compliant Text Messages

A common mistake many medical offices make is assuming that they can text patients from their personal phones and personal numbers.

This doesn’t work because:

  • Texting from personal phones isn’t covered under most Business Associate Agreements (BAAs).
  • You can’t manage consent, opt-in, and opt-out compliance.
  • You don’t have advanced password protection for all users.
  • You can’t limit access to protected health information.

So you need an SMS service with advanced tools and features to text patients.

Here’s how to get started.

1. Choose a HIPAA compliant texting app

The best HIPAA compliant text messaging apps save time, increase messaging efficiency, and extend your messaging reach.

But you and your staff have many business text messaging services to choose from. So consider what features you need before you buy.

Do you need to send a high volume of texts or send text alerts?

You’ll want a HIPAA compliant text messaging app that comes with A2P carrier-verified delivery and bulk texting features. Without these tools, you can’t text at scale and your text messages won’t get delivered.

Do you need one-on-one, two-way, HIPAA compliant patient communication and reminders? Then you’ll want a text service with a shared team SMS inbox.

An SMS inbox allows you and other staff to route, organize, and manage inbound and outbound text conversations. You can even add comments and tag and mention other admins or staff within individual text threads.


2. Set up your SMS phone number

Next, you’ll need to get a business text number.

You’ve got a range of SMS phone number options to choose from. These include:

  • 10-digit local phone numbers
  • Toll-free 800 area code phone numbers

You can also text-enable your existing business landline or another number with number hosting.

MessageDesk even gives you a way to text-enable phone number extensions and set up call forwarding.


3. Explain your messaging policies and set up opt-in and opt-out controls

You need to be clear about your text messaging policies to send HIPAA compliant texts to patients.

This means never texting protected health information and explaining that patients can opt out of messaging at any time.

There are several ways to do this:

  1. Clearly explain your texting policies and terms to patients in-office and on your website
  2. Use your text messaging provider to set up opt-in and opt-out controls

Opt-in and opt-out controls are part of the TCPA compliance guidelines and professional text messaging etiquette. This is a requirement for any business that wants to text.

Many business text messaging services like MessageDesk offer text message autoresponders for opt-in and opt-out.

Autoresponders are a versatile texting feature. They make it easy to send an automated text when someone texts STOP or HELP.

If your office texts a patient for the first time, MessageDesk will automatically send an autoresponder opt-out message. This text message explains your messaging policies. It also instructs the patient on how to opt out of text messages by responding STOP at any time.

Additionally, if a patient opts out and texts STOP, a guard is placed on their phone number. This prevents you and your office from texting the patient until they opt back into messaging.

And if a patient texts HELP, then they’re directed to additional resources.

MessageDesk supports both STOP and HELP keywords out of the box. There’s no setup required to maintain TCPA compliance.


4. Get express written consent with opt-in keywords, website forms, and website chatbots

You need a written record of consent from patients that gives you their permission to receive texts. You can’t text a patient unless they clearly understand your messaging policies and opt-in.

This is called express written consent.

Some of the best ways to establish express written consent include:

  • Website contact forms
  • Website chatbots
  • Opt-in autoresponder keywords

All of these tools can help you start text conversations in HIPAA compliant ways. They can opt patients into texting and make your messaging policies clear.

Here’s an example of how to use autoresponders to explain messaging terms and establish express written consent:

📲 A patient texts a keyword to your business phone number

SUBSCRIBE

Received 01/06/23, 07:01 am

The following are {{ OrganizationName }} text messaging policies. 1. We will never include protected health information in any text messages. 2. We will only send you text messages directly related to appointment reminders and confirmations. 3. Opt out at any time by texting STOP. Get more info by texting HELP. Respond CONFIRM to consent to receive text messages and accept our messaging terms.

Delivered 01/06/23, 07:01 am

CONFIRM

Received 01/06/23, 07:01 am

Thanks for confirming! You’re opted in to receive text messages from {{ OrganizationName }}.

Delivered 01/06/23, 07:01 am

Once you’ve established express written consent, you can manage active and inactive patients as “subscribers” with an SMS subscriber list.

MessageDesk’s subscriber list management features even include smart groups and custom fields.

These features are essential for timely messaging. They help you manage consent and stay compliant by:

  • Automatically filtering patients into groups and lists
  • Actively recording which patients opt in and out of receiving text messages
  • Maintaining an active patient do-not-contact list (DNC)
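
The keyword flow described above (SUBSCRIBE, policy text, CONFIRM, with STOP and HELP handled at any time) can be modelled as a small state machine that also keeps the consent record and the do-not-contact guard. This is an added example, not MessageDesk's code: the `ConsentLedger` class, its method names, the phone number, and the STOP/HELP reply wording are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

class State(Enum):
    UNKNOWN = "unknown"      # no consent on record: not textable
    PENDING = "pending"      # policy text sent, awaiting CONFIRM
    OPTED_IN = "opted_in"    # express consent recorded
    OPTED_OUT = "opted_out"  # texted STOP: do-not-contact

# Reply texts: POLICY and CONFIRMED are shortened from the exchange above;
# STOPPED and HELP_TEXT are constructed wording.
POLICY = ("We will never include protected health information in any text "
          "messages. Opt out at any time by texting STOP. Get more info by "
          "texting HELP. Respond CONFIRM to consent to receive text messages.")
CONFIRMED = "Thanks for confirming! You're opted in to receive text messages."
STOPPED = "You're opted out. Text SUBSCRIBE to opt back in."
HELP_TEXT = "Please call our office for assistance. Text STOP to opt out."

@dataclass
class ConsentLedger:
    states: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # append-only consent record

    def _set(self, number, state, event):
        self.states[number] = state
        self.audit.append((datetime.now(timezone.utc).isoformat(), number, event))

    def state(self, number):
        return self.states.get(number, State.UNKNOWN)

    def inbound(self, number, body):
        """Process a patient's text; return the autoresponder reply or None."""
        keyword = body.strip().upper()
        if keyword == "STOP":  # honoured from every state
            self._set(number, State.OPTED_OUT, "STOP")
            return STOPPED
        if keyword == "HELP":  # informational only, never changes consent
            return HELP_TEXT
        if keyword == "SUBSCRIBE" and self.state(number) is not State.OPTED_IN:
            self._set(number, State.PENDING, "SUBSCRIBE")
            return POLICY
        # CONFIRM counts only right after the policy text was delivered
        if keyword == "CONFIRM" and self.state(number) is State.PENDING:
            self._set(number, State.OPTED_IN, "CONFIRM")
            return CONFIRMED
        return None  # ordinary message: route to the shared inbox

    def may_send(self, number):
        """Guard for every outbound text: only confirmed numbers pass."""
        return self.state(number) is State.OPTED_IN

if __name__ == "__main__":
    ledger, patient = ConsentLedger(), "+15555550100"  # constructed number
    for text in ("subscribe", "CONFIRM", "Stop", "CONFIRM"):
        print(text, "->", ledger.inbound(patient, text), ledger.may_send(patient))
```

Note that a CONFIRM sent after STOP does not restore consent: the patient has to text SUBSCRIBE and receive the policy text again before CONFIRM is accepted.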


6. Enable advanced password protection and limit access to PHI

Not everyone in your office needs access to patient health information.

Business text messaging platforms like MessageDesk come with user permissions and access controls. Access controls give each employee unique login credentials and a designated level of access to perform their job function.

This means you can make any protected health information inaccessible to certain staff members and employees.

There’s no need to include patient health information if your text messages are administrative. Staff texting appointment reminders and confirmations don’t need access to a patient’s medical information.


7. Get a signed business associate agreement (BAA)

As part of your HIPAA text messaging policy, you need a signed business associate agreement (BAA).

A BAA specifies “covered entities”, e.g., your medical office, practice, and staff. It states that you’ll use the text messaging provider in a secure way to protect patient health information.

BAAs mandate that both entities stay within HIPAA compliance. Without a signed BAA, you can’t text patients.

Note: MessageDesk does not currently offer, support, or sign BAAs. We intend to offer this capability and other HIPAA compliant features in the near future.


8. Connect your HIPAA compliant texting software to your appointment scheduling, payments, and EHR software through integrations like Zapier

Need to connect appointment scheduling, payments, or your EHR software? You can use services like Zapier to automate your appointment reminders, appointment confirmations, and payment reminders.

There are three ways you can use Zapier with MessageDesk to trigger events, automate your reminder messages, and more.

Add or update a contact

Whenever a new contact requests an appointment, you can sync their phone number with MessageDesk. Or update contact info when a contact reschedules an appointment in an app like Calendly or Google Calendar.

Add contact to a group

You can also add outside contacts to groups in MessageDesk.

Send a message

Trigger a text message to be sent when an action happens in another app. You can automatically send a message to a customer any number of days before an event and much more.

  • Google Calendar
  • Calendly
  • SimplyBook.me
  • Acuity Scheduling
  • MeetFox


HIPAA Compliant Text Message Templates for Medical Offices

The most common use of HIPAA compliant texting for medical professionals is reminding and confirming appointments. This is great for:

However, the only way to keep your texting HIPAA compliant is to never text protected health information.

You’re also free to check out my list of 100+ text message templates, examples, and samples for more.

Note: The following HIPAA compliant text message templates don’t include the patient’s name. Reasons for the appointment or the treatment and all other PHI are also omitted.

HIPAA compliant appointment reminder text message template

You have an appointment with {{ OrganizationName }} on {{ Date }}. Reply “yes” to confirm or “no” to cancel. Feel free to respond to this text with questions. When you arrive, you may come in or reply to this text to check in. Please call {{ OrganizationPhone }} if you do not receive a response.

Delivered 01/06/23, 07:01 am

HIPAA compliant appointment confirmation text template

Please reply ‘Y’ to confirm your dental appointment on {{ Date }} {{ Time }}. Thank you.

Delivered 01/06/23, 07:01 am

HIPAA compliant pre-operative instructions text template

Hi there. Here are some instructions {{ OrganizationName }} would like you to follow before your appointment: [ Link ]. If you have any questions, please call our office at {{ OrganizationPhone }} or text HELP for assistance.

Delivered 01/06/23, 07:01 am

HIPAA compliant checked-in text message template

Thank you! We have you checked in. We will let you know as soon as your room is ready.

Delivered 01/06/23, 07:01 am

HIPAA compliant no-show or missed appointment text

We missed you today! This is {{ OrganizationName }} notifying you that you missed your appointment with us on {{ Date }} at {{ Time }}. Please call us at {{ OrganizationPhone }} to reschedule.

Delivered 01/06/23, 07:01 am

HIPAA compliant office hours text template

Hi there. Normal office hours are {{ OfficeHours }}. In the meantime, you can reach us directly at {{ OrganizationPhone }} for assistance or text HELP.

Delivered 01/06/23, 07:01 am

HIPAA compliant post-discharge follow-up text template

Hi there. Please call our office at {{ OrganizationPhone }} for your post-discharge follow-up.

Delivered 01/06/23, 07:01 am

HIPAA compliant lab test results ready text template

Hi there, your lab results from {{ OrganizationName }} are now ready. Please call {{ OrganizationPhone }} for further assistance or text HELP.

Delivered 01/06/23, 07:01 am

Notifications about prescriptions

Hi there, your prescription at {{ OrganizationName }} is now ready. Please call {{ OrganizationPhone }} for further assistance or text HELP.

Delivered 01/06/23, 07:01 am

HIPAA compliant out-of-office text message template

Hi there. All of our staff are currently away. Please call {{ OrganizationPhone }} for assistance or text HELP.

Delivered 01/06/23, 07:01 am

HIPAA compliant text alert template

Please be advised that parking for {{ OrganizationName }} is currently limited due to roadwork. Please plan ahead accordingly. We apologize for any inconvenience.

Delivered 01/06/23, 07:01 am

HIPAA compliant invoice or payment reminder

Hi there, it’s {{ OrganizationName }}. We just wanted to remind you that your credit card on file will be charged on {{ Date }}. Please call or text our office if you have questions.

Delivered 01/06/23, 07:01 am

HIPAA compliant COVID-19 guidelines text message template

Please review our COVID-19 Guidelines on our website BEFORE your appointment. [ link ]

Delivered 01/06/23, 07:01 am

HIPAA compliant feedback ask template

Hi there! We’d love to know what you thought about your last visit to our office. Did it meet your expectations? Do you have any feedback for us? Submit your feedback here [ Link ]

Delivered 01/06/23, 07:01 am

HIPAA compliant review ask template

We’re happy you had such a great experience with our office today. Would you mind taking some time to leave us a review on Google? [ Link ]

Delivered 01/06/23, 07:01 am


Frequently Asked HIPAA Text Messaging Questions

Below is a list of frequently asked questions relating to text messaging and HIPAA compliance.

Can text messages be encrypted?

Texting doesn’t allow for encryption because of the way carriers handle texts. Texting (as a technology) can’t be encrypted. This means you can’t use texts to transmit personal health information.

Is texting HIPAA compliant?

SMS text messaging is not HIPAA compliant if your text contains protected health information (PHI). But HIPAA doesn’t prohibit healthcare professionals from sending text messages (like appointment reminders) to patients. However, there are specific rules, regulations, and best practices to be aware of before you can start texting.

Is Google Voice HIPAA compliant?

The paid version of Google Voice for Google Workspace can be used in a HIPAA compliant way. Google does sign BAAs for healthcare organizations and Google Voice can be used for texting without PHI in accordance with HIPAA regulations.

Google allows healthcare organizations to adopt its services, and it offers a business associate agreement for G Suite. BAAs did not initially cover Google Voice. But that has now changed. Google Voice for G Suite is covered by the BAA and can be considered a HIPAA compliant service.

Is WhatsApp HIPAA compliant?

WhatsApp is not HIPAA compliant in its current form. It can’t be used to transmit PHI. It doesn't have the proper safeguards in place to protect sensitive patient health information. However, healthcare professionals can use WhatsApp for general communication, or for sending de-identified PHI.

Is texting a patient name a HIPAA violation?

Texting a patient's name or any other personally identifiable health information is a HIPAA violation. If you do need to text PHI, use a HIPAA compliant secure text app. These platforms move conversations from texts over to encrypted and password-protected messaging channels.

What are the penalties for HIPAA violations?

HIPAA violations and penalties can range from $100 to $50,000 per day depending on the severity of the violation.

Are there any special COVID-19 HIPAA regulations?

On March 17, 2020, the US Department of Health and Human Services (HHS) released a statement in response to COVID-19.

This statement announced HIPAA enforcement discretion for healthcare providers.

The statement gives greater discretion and flexibility to healthcare providers, especially those who serve and contact patients every day through communications technologies like text messaging.

Read More: Statement from the US Department of Health and Human Services

What other regulations do I need to be aware of?

HIPAA compliant messaging apps are also subject to the Health Information Technology for Economic and Clinical Health (HITECH) act.


Final thoughts and next steps

Ready to start texting? MessageDesk is here to help with smarter, simpler text messaging for medical offices, dental offices, and private practices.

If you're ready, check out our paid plans - pricing starts at just $14 per month. You’re also free to meet with a messaging expert for a demo.

Disclaimer: Please note that the advice contained in this article is for informational purposes only. It’s not meant to substitute for advice from qualified legal counsel.
