Healthcare practices come up surprisingly often in our SMS conversations, and almost every time the question is some version of: "is texting my patients about their appointment going to get me in trouble with HIPAA?"
The honest answer is more nuanced than the marketing copy from texting platforms suggests. SMS itself is not HIPAA-compliant; it's an unencrypted protocol. What makes a workflow compliant is a combination of what you choose to send, how you got the patient's permission, and the agreements you have with the platform you're using. Get those three right and you can use SMS confidently for the things it's good at — appointment reminders, intake confirmations, simple time-sensitive updates — without exposing your practice to a violation.
This is general guidance, not legal advice. Compliance content like this gets reviewed by our founder before publishing.
The thing nobody tells you upfront
There's no such thing as "HIPAA-compliant SMS" as a product feature. SMS is plaintext. Each carrier handles the message in transit and stores logs of it. The protocol predates HIPAA by a couple of decades, and the fix isn't really at the protocol level — the fix is at the workflow level.
What HIPAA actually requires:
- A business associate agreement (BAA) with any vendor that creates, receives, maintains, or transmits Protected Health Information on your behalf. Your messaging provider stores phone numbers and message contents, which can be PHI in context. You need a BAA.
- Reasonable safeguards appropriate to the channel and what you're sending through it. SMS's reasonable safeguard is mostly what you don't send.
- Patient consent — and an option to opt out — for ongoing communications, particularly for marketing. Treatment-related communications are more permissive but still need to give patients an opt-out.
- Documentation — records that you got consent, that you respect opt-outs, and that your minimum-necessary practice is documented somewhere.
Get those four boxes checked and SMS is fine for the things SMS is fine for.
What's safe to send (and what isn't)
A useful distinction: identifying that there is an appointment is generally OK; describing what the appointment is for is risky. The minimum-necessary rule means you should send the smallest amount of identifying detail required to accomplish the legitimate purpose.
Generally safe:
- Appointment reminders with date, time, location, and provider name. "You have an appointment with Dr. Patel on Friday at 2:00 PM at our Main St. office."
- Confirmation that an appointment was booked.
- Reminders to call the office.
- Telehealth video link delivery (the link itself, when the patient initiated the appointment).
- Practice closure or reschedule notices.
Avoid in plaintext SMS:
- Diagnoses, conditions, or treatment specifics. "Reminder: your mammogram is at 2 PM" is more sensitive than "Reminder: appointment with Dr. Patel at 2 PM." The first reveals a screening type, which is itself PHI.
- Lab results or test outcomes.
- Therapy session content or specific topic.
- Medication names and dosages.
- Any combination of name + condition + date that creates a record of treatment.
A useful gut check: "would I be comfortable if this exact message were forwarded to a third party by accident?" If yes, it's fine for SMS. If not, send it through your patient portal.
What you actually need to set up
For a small practice (solo therapist, single-provider clinic, small dental or chiropractic office), the practical setup is more straightforward than the compliance literature makes it sound:
- Choose a messaging vendor that signs BAAs. Not every platform will. Ask before signing up. Get the BAA in writing before you send your first PHI-adjacent message.
- Document patient consent. A line in your intake paperwork — "You agree to receive appointment reminders, communications about your care, and practice notifications via SMS to the number provided. Standard message and data rates may apply. Reply STOP at any time to opt out." — does the work for treatment-related messaging. Keep the signed intake forms.
- Set up your appointment-reminder content carefully. Use templates that include only the minimum necessary information. Configure your scheduling system or messaging platform to populate templates from data; don't rely on staff typing PHI into a chat tool.
- Honor STOP requests immediately and log them. Most platforms automate this. Verify yours does, and check the opt-out list periodically.
- Train any staff who use the messaging tool. Don't let well-meaning office staff "explain" via text what's better explained on the phone or in the portal. The most common HIPAA SMS missteps are well-intentioned over-sharing.
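The setup steps above boil down to three mechanical controls: templates that can only carry identifying fields, a check that neither the template nor the data it is filled with smuggles clinical wording past the minimum-necessary rule, and an opt-out list that is consulted before every send and logged. The following is an added example written for this post, not code from the original article or from any messaging platform; the allowed field names, the clinical-term list, the US-only phone-number normalisation and the log format are illustrative assumptions.

```python
"""Minimum-necessary SMS templating with opt-out enforcement and an audit log.

Added example for this post, not code from the original article or from any
messaging platform. The allowed field names, the clinical-term list, the
phone-number normalisation and the log format are illustrative assumptions.
"""
import re
from datetime import datetime, timezone

# Placeholders a template may use: identifying details only (who, when, where).
# Anything else, e.g. {reason} or {diagnosis}, is rejected before it is ever used.
ALLOWED_FIELDS = {"first_name", "provider", "date", "time", "location", "office_phone"}

# Illustrative (not exhaustive) list of words that signal clinical content.
# Assumption: a real practice maintains this list with its compliance lead.
CLINICAL_TERMS = {
    "mammogram", "biopsy", "results", "diagnosis", "prescription", "dosage",
    "mg", "therapy", "cancer", "oncology", "hiv", "pregnancy",
}

TEMPLATES = {
    "reminder": ("Hi {first_name}, reminder: appointment with {provider} on {date} "
                 "at {time}, {location}. Questions? Call {office_phone}. "
                 "Reply STOP to opt out."),
    "booked": ("Hi {first_name}, your appointment with {provider} on {date} "
               "at {time} is booked. Reply STOP to opt out."),
}

PLACEHOLDER = re.compile(r"\{(\w+)\}")


class TemplateError(ValueError):
    """Raised when a template or rendered message would carry clinical content."""


def contains_clinical_terms(text):
    """True if any word in text is on the clinical-term list (case-insensitive)."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return bool(words & CLINICAL_TERMS)


def validate_template(text):
    """Return the placeholder names used by text, or raise TemplateError."""
    fields = set(PLACEHOLDER.findall(text))
    unknown = fields - ALLOWED_FIELDS
    if unknown:
        raise TemplateError(f"template uses non-allowed fields: {sorted(unknown)}")
    if contains_clinical_terms(text):
        raise TemplateError("template contains clinical wording")
    return fields


def normalize_number(raw):
    """Collapse '(555) 010-0199' style input to +1XXXXXXXXXX (US-only assumption)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    if len(digits) != 11 or not digits.startswith("1"):
        raise ValueError(f"unsupported number: {raw!r}")
    return "+" + digits


class OptOutRegistry:
    """In-memory stand-in for the platform's opt-out list plus an audit log.

    Log entries record template name and outcome, not the message body, so the
    log itself holds as little PHI as possible.
    """

    def __init__(self):
        self.opted_out = set()
        self.log = []

    def record_stop(self, raw_number):
        number = normalize_number(raw_number)
        self.opted_out.add(number)
        self.audit(number, "STOP", "opt_out_recorded")

    def is_opted_out(self, raw_number):
        return normalize_number(raw_number) in self.opted_out

    def audit(self, number, template, outcome):
        self.log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "to": number, "template": template, "outcome": outcome,
        })


def build_message(template_name, raw_number, data, registry):
    """Render an outbound message, or return None if the patient has opted out.

    The rendered text is checked too: a location named "Cancer Center" leaks
    just as much as a hand-typed message would, even if the template is clean.
    """
    number = normalize_number(raw_number)
    if registry.is_opted_out(number):
        registry.audit(number, template_name, "suppressed_opt_out")
        return None
    template = TEMPLATES[template_name]
    fields = validate_template(template)
    try:
        rendered = template.format(**{f: data[f] for f in fields})
    except KeyError as e:
        raise TemplateError(f"missing field {e.args[0]!r} for {template_name}")
    if contains_clinical_terms(rendered):
        registry.audit(number, template_name, "blocked_clinical_content")
        raise TemplateError("rendered message contains clinical wording")
    registry.audit(number, template_name, "sent")
    return rendered
```

The point of validating after rendering as well as before is that the template is not the only place PHI can enter: scheduling data such as a location or provider name can carry a condition by itself. In practice you would replace `OptOutRegistry` with your platform's own opt-out list and keep the audit log as the record that opt-outs were honored.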
Marketing messages are different
If you're sending healthcare-related marketing messages — promoting a new service, sharing wellness content, soliciting reviews — the rules tighten:
- HIPAA's marketing definition is specific. Communications about your own products and services to current patients are generally OK; communications subsidized by a third party (a pharmaceutical company, a medical device manufacturer) require explicit written authorization.
- You also need to comply with TCPA for any marketing SMS to existing patients. That's prior express written consent on top of HIPAA's authorization. Read our pillar guide on business SMS for the TCPA piece.
- 10DLC carrier review for healthcare marketing campaigns is also stricter — expect more questions about your opt-in flow, and be ready to prove that recipients consented to marketing specifically (not just to appointment reminders).
The cleanest separation: register two campaigns — one for transactional/treatment communications (appointment reminders, confirmations, telehealth links) and one for marketing (newsletters, promotions, review requests). Send each from a clearly labeled flow. Don't blur them.
A note on patient-initiated communications
HHS has been increasingly clear that patients have a right to communicate with their providers via the channel they choose, including SMS, even if SMS is unencrypted. If a patient texts you first asking about their care, you can respond — provided you've made them aware (usually via a one-time disclosure) that SMS isn't a secure channel.
Practical implementation: when a new patient first texts your practice, send a one-time response: "Thanks for reaching out. SMS isn't encrypted — for sensitive details, please use our patient portal at [link] or call us at [number]. Otherwise, we're happy to help with quick questions here. Reply STOP to opt out." Save that as a template; it covers the disclosure requirement and the opt-out language in one go.
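The one-time disclosure and the STOP handling described above are a small state machine over inbound messages: opt-out keywords are honored first, numbers that have opted out get no automated reply, a first-time sender gets the disclosure once, and everything else is left for staff. The following is an added example for this post, not code from the original article or from any messaging platform; the keyword set (a typical carrier list, assumed here), the disclosure wording adapted from the template above, and the in-memory state store are illustrative assumptions, and a real deployment relies on the platform's own opt-out handling rather than replacing it.

```python
"""First-contact disclosure and STOP handling for inbound patient texts.

Added example for this post, not code from the original article or from any
messaging platform. The keyword set, disclosure wording and in-memory state
are illustrative assumptions.
"""

# Assumed opt-out / opt-in keyword sets; check what your carrier and platform
# actually recognise and keep these in sync with them.
STOP_KEYWORDS = {"STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}
START_KEYWORDS = {"START", "UNSTOP"}

DISCLOSURE = ("Thanks for reaching out. SMS isn't encrypted. For sensitive details, "
              "please use our patient portal at {portal_url} or call us at "
              "{office_phone}. Otherwise, we're happy to help with quick questions "
              "here. Reply STOP to opt out.")
STOP_ACK = "You've been unsubscribed and won't receive further texts from us."
START_ACK = "You're resubscribed. Reply STOP at any time to opt out."


class InboundState:
    """Per-practice state: who has seen the disclosure, who has opted out, and
    an event trail (number, event) that serves as the consent/opt-out record."""

    def __init__(self, portal_url, office_phone):
        self.portal_url = portal_url
        self.office_phone = office_phone
        self.disclosed = set()   # numbers that already received the one-time notice
        self.opted_out = set()
        self.events = []


def handle_inbound(state, number, body):
    """Return the automated reply to send, or None to leave the thread to staff.

    `number` is assumed to be already normalised (e.g. +15550100199).
    """
    tokens = body.strip().upper().split()
    first_word = tokens[0] if tokens else ""

    # Opt-out and opt-in keywords are honoured before anything else, even from
    # numbers that are not otherwise known to the practice.
    if first_word in STOP_KEYWORDS:
        state.opted_out.add(number)
        state.events.append((number, "opt_out"))
        return STOP_ACK
    if first_word in START_KEYWORDS:
        state.opted_out.discard(number)
        state.events.append((number, "opt_in"))
        return START_ACK

    # An opted-out number gets no automated message; a human decides what to do.
    if number in state.opted_out:
        state.events.append((number, "routed_to_staff_opted_out"))
        return None

    # First contact: send the unencrypted-channel notice exactly once and log it.
    if number not in state.disclosed:
        state.disclosed.add(number)
        state.events.append((number, "disclosure_sent"))
        return DISCLOSURE.format(portal_url=state.portal_url,
                                 office_phone=state.office_phone)

    # Known number, ordinary message: no auto-reply, staff pick it up.
    state.events.append((number, "routed_to_staff"))
    return None
```

The event trail is what you would point to if asked to show that a patient was told the channel is unencrypted and that their STOP was honored; keep it alongside the signed intake forms rather than in the chat tool itself.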
What about voice?
Worth a mention because healthcare practices often forget: voice has its own HIPAA implications. Voicemails left for patients should follow the same minimum-necessary rule (don't leave a message that says "please call us about your test results" — say "please call us back at [number]"). Recorded calls (if you record any) are PHI and need to be retained and protected accordingly.
We have more on small-practice phone setup in our guide to small-business phone systems — many of the same considerations apply, just to voice rather than text.
The shortest version
If you only remember three things:
- Don't put PHI in the body of SMS messages. Send identifying details (date, time, who) but not clinical content.
- Have a BAA with your messaging provider.
- Document consent and respect opt-outs.
That's most of HIPAA SMS compliance for a small practice. The rest is about being thoughtful when content gets close to the line, and using your patient portal for anything that doesn't need to be in a text.