
Can Therapists Text Patients? What HIPAA Actually Says About Messaging


"Can a therapist text a patient?" is one of the most common HIPAA questions clinicians ask — and one of the most misunderstood. Clients expect texting. It's fast, it's convenient, and "just send me a text" feels harmless. But the honest answer has some nuance.

Short version: standard SMS text messaging is not HIPAA compliant for clinical communication — but compliant texting is absolutely possible, and limited texting with appropriate safeguards and client consent can be permissible. Here's exactly where the lines are.

Why Regular Texting Isn't HIPAA Compliant

Plain SMS — the default texting app on your phone — has several problems under HIPAA:

  • No encryption. SMS has no end-to-end encryption; the carrier handles the message content in plaintext between sender and recipient.
  • No BAA. Your mobile carrier won't sign a Business Associate Agreement, and they're handling the message. No BAA means no compliant pathway for PHI.
  • Carrier and device logs. Messages are stored on carrier servers and on both devices — including a lost or stolen phone, or a device shared at home.
  • No access controls. Anyone who picks up your phone can read the thread.

So if you text a client something like "Saw your panic symptoms are worse this week — let's adjust the treatment plan" over plain SMS, that's PHI travelling through a channel with no encryption and no BAA. That's a compliance problem.

What IS Allowed

There are three compliant (or defensible) approaches:

1. HIPAA-compliant messaging platforms

Purpose-built secure messaging tools encrypt messages, provide access controls, keep audit logs, and — crucially — will sign a BAA. Common options therapists use include Spruce Health, OhMD, and Klara. Many EHRs (SimplePractice, TherapyNotes, Jane) also include a secure client-portal messaging feature, which is often the simplest compliant route because it's already covered by your EHR's BAA.

With any of these, get the BAA in place before you send PHI.

2. Appointment reminders with no PHI

HIPAA permits appointment reminders, and a reminder that contains no clinical content carries minimal risk. A message like "Reminder: you have an appointment Thursday at 2pm. Reply C to confirm." doesn't disclose a diagnosis or treatment detail. Keep reminders generic — no mention of what the appointment is for, no clinical specifics.

3. The client-initiated waiver approach

HIPAA recognises that patients can request to be contacted by a method that carries some risk. If a client initiates texting and you've documented that you informed them of the risks and they chose to proceed anyway, limited texting may be permissible. This is not a blank cheque:

  • The client should initiate the request, ideally in writing.
  • You must explain the risks (unencrypted, could be seen by others, stored on devices).
  • You should document the conversation and their informed consent.
  • Even then, keep clinical content out of texts where you can.

The waiver covers the client's choice to use a risky channel. It doesn't excuse you from reasonable safeguards, and it doesn't make plain SMS a good place for detailed clinical discussion.

What You Can vs Can't Text

| You generally CAN text (with care) | You should NOT text over plain SMS |
|------------------------------------|------------------------------------|
| Generic appointment reminders | Diagnoses or symptoms |
| "Running 5 minutes late" | Treatment details or clinical advice |
| "Please check the client portal" | Medication information |
| Confirming a time you both know | Anything identifying the nature of care |
| Logistics with no clinical content | Crisis/clinical content (use proper channels) |

A simple rule of thumb: if the message reveals that someone is your client or anything about their care, treat it as PHI and use a compliant channel.

A Practical, Compliant Setup

Here's a setup that keeps you on the right side of the line:

  1. Use your EHR's secure portal (or a tool like Spruce/OhMD/Klara) for any messaging that could involve PHI — and sign the BAA.
  2. Limit plain SMS to PHI-free logistics like generic reminders and "running late."
  3. Add consent language to your intake paperwork describing how you communicate, the risks of texting, and the client's options.
  4. If a client insists on texting clinical content, document their initiated request and your risk disclosure, and still steer substantive discussion to a secure channel.
  5. Don't keep client numbers and message threads on a personal phone unless it has a passcode, device encryption, and remote wipe enabled.

Sample Consent Language

You don't need a lawyer to add a clear communication clause to your intake paperwork. Something along these lines (adapt to your practice and have it reviewed if you're unsure):

"Standard text messages and email are not fully secure and could be read by others. I use [secure portal / platform] for any communication involving your care. I may use text or email only for non-clinical logistics such as appointment reminders. If you ask me to text or email you about clinical matters, I will document your request, but please understand the risks of these channels."

Pair this with a checkbox where the client indicates their preferences. Documenting that the client was informed — and what they chose — is what turns "I text my clients" from a liability into a defensible, consent-based decision.

What About Voicemail and Email?

The same logic extends beyond texting. Voicemails left on a client's phone can be heard by others, so keep them generic (identify yourself minimally and avoid clinical detail). Standard email has the same encryption and BAA problems as SMS — use a HIPAA-compliant email provider with a BAA, or your secure portal, for anything involving PHI. The unifying principle across every channel: encrypt it, get a BAA, limit PHI, and document consent for anything riskier.

A Word on Crisis Communication

Texting is not an appropriate channel for crisis or emergency clinical content, regardless of compliance. Make sure your informed-consent and intake materials clearly explain how clients should seek help in an emergency (e.g., 988, local emergency services) rather than texting you and waiting for a reply. This protects clients and sets realistic expectations about response times.

Common Questions

Can I text appointment reminders? Yes — reminders are permitted as long as they contain no clinical content. Keep them generic: time, date, and a confirmation prompt, with no reason for the visit.

Is WhatsApp or iMessage HIPAA compliant? No. Consumer messaging apps won't sign a BAA for your practice, so they aren't appropriate for PHI even though some offer encryption.

What if a client texts me first with clinical content? Their initiating the contact doesn't automatically make it compliant. Acknowledge briefly, move the substantive conversation to a secure channel, and document the interaction and your redirection.

The Bigger Picture

Texting is just one of many communication channels where PHI can leak — alongside email, voicemail, scheduling tools, and your EHR. HIPAA doesn't ban convenience; it asks you to use reasonable safeguards and to have thought it through, documented your choices, and obtained consent where appropriate.

A practice-wide HIPAA risk assessment checks your communication practices — texting, email, voicemail, portal — alongside the rest of your compliance picture, and flags exactly where PHI could be exposed.

If you're not sure whether your current texting habits would survive scrutiny, take Yundra's free 25-minute HIPAA Risk Assessment. It reviews how you communicate with clients and gives you a clear, prioritised list of any gaps to fix.
