
HIPAA and Text Messaging: Can Therapists Text Patients?


Texting is how most people communicate in 2026. Your patients text their doctors, their dentists, their accountants. So naturally, they want to text you. The question is: can you text them back without violating HIPAA?

The short answer: standard SMS text messaging is not HIPAA compliant. But there are compliant ways to communicate with patients via text-like channels.

What's Changed in 2026

If you last looked at this question a year or two ago, a few things have shifted that make getting your messaging right more pressing than it used to be:

The 2026 Security Rule updates raised the bar on encryption and access controls. Multi-factor authentication and strong encryption of ePHI in transit and at rest (AES-256 is the usual reference point) are now treated as expected safeguards rather than optional best practices. Standard SMS has neither, which makes the gap between "what people actually do" and "what the rule expects" wider and harder to defend.

The February 2026 Notice of Privacy Practices deadline put messaging policy in scope. Practices were required to refresh their Notice of Privacy Practices this year. How you communicate electronically — including texting — is exactly the kind of thing patients should be told about, so if you updated your NPP without addressing messaging, that's a loose end worth closing.

OCR's enforcement focus hasn't moved off the Security Risk Analysis. Most recent resolution agreements cite the same root cause: the practice couldn't produce a current, written risk analysis covering how it actually handles patient information. Texting PHI over a channel with no BAA, no encryption, and no audit trail is precisely the kind of unaddressed risk that surfaces once an investigation starts.

HIPAA-compliant messaging is no longer a niche add-on. Secure messaging is now built into every major therapy EHR, and the standalone platforms (Spruce, OhMD, Klara, Hushmail) have matured into established options with signed BAAs. There's no longer a good "there wasn't a practical compliant option" excuse — the tooling is mainstream and affordable.

The takeaway: the rules around texting haven't fundamentally changed, but the expectations around encryption, documentation, and patient notice have tightened, and the compliant alternatives have gotten easier. If your texting setup is still informal, 2026 is the year to formalise it.

Why Standard SMS Isn't HIPAA Compliant

Standard SMS (the text messages you send through your phone's built-in Messages app) fails HIPAA requirements in several ways:

No end-to-end encryption in transit. SMS is protected, at best, on the radio link between the handset and the tower. Inside the carrier's network the message is readable in the clear at the SMS center and by any carrier, aggregator, or interconnect partner it passes through, and it can be diverted by SS7 or SIM-swap attacks against the phone number itself.

No encryption at rest that you control. Messages are readable on either handset once it's unlocked, are retained in carrier logs, and are typically copied into consumer cloud backups (iCloud, Google) that sit outside any BAA.

No access controls. If someone picks up your phone or the patient's phone, they can read the whole thread; there's no authentication beyond the lock screen. You also can't verify who is on the other end: phone numbers get reassigned, and a text to a stale number lands with a stranger.

No audit trail. You can't demonstrate who accessed which messages, when, or whether messages were modified.

No BAA with carriers. Your phone carrier (Verizon, AT&T, T-Mobile) will not sign a Business Associate Agreement for SMS services.

What About iMessage, WhatsApp, Signal?

iMessage: End-to-end encrypted between Apple devices, but Apple does not sign BAAs for iMessage. Messages are also stored in iCloud backups (which don't have a BAA), and when the recipient isn't on an Apple device the conversation silently falls back to ordinary SMS/RCS with none of the encryption. Not HIPAA compliant.

WhatsApp: End-to-end encrypted, but Meta (the parent company) does not sign BAAs. Not HIPAA compliant.

Signal: End-to-end encrypted with excellent security, but Signal Foundation does not sign BAAs. Not HIPAA compliant.

The pattern is clear: encryption alone isn't enough. HIPAA requires a BAA with any vendor that creates, receives, maintains, or transmits PHI on your behalf, and OCR has said that a vendor holding only encrypted data it can't read is still a business associate. None of these consumer messaging platforms will sign one.

What You CAN Text

Even without a HIPAA-compliant messaging platform, you can send certain texts via standard SMS as long as they don't contain PHI:

OK to text:

  • "Your appointment is confirmed for Thursday at 2pm" (no clinical details)
  • "Please call our office when you have a moment"
  • "Your statement is ready" (without amounts or services)
  • General practice announcements (holiday hours, new address)

NOT OK to text:

  • "Your lab results are in" (implies healthcare relationship)
  • "Remember to take your medication" (implies treatment)
  • "Following up on our discussion about your anxiety" (clinical content)
  • "Your diagnosis code for insurance is..." (PHI)
  • Any message that includes the patient's full name + health information in the same thread

The grey area is narrow. When in doubt, don't include clinical content in a standard text.
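One way to make the "no clinical content in a standard text" rule enforceable rather than a judgement call is a pre-send screen that routes any draft with PHI-looking content to the secure-messaging channel instead of the phone's Messages app. The block below is an added example written for this article, not code from the original page or from any vendor named in it; the clinical term list, the `screen_sms` and `route` names, and the sample drafts are illustrative assumptions, and the ICD-10 code shape is the general pattern (letter, two alphanumerics, optional decimal part) rather than a validated code table.

```python
"""Pre-send screen for draft SMS messages (added example, not from the article).

Returns whether a draft is safe for standard SMS or must go to the
secure-messaging channel, with the reasons it was flagged.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed, illustrative vocabulary that discloses treatment or a condition.
# A practice would maintain this against its own intake/billing language.
CLINICAL_TERMS = (
    "anxiety", "depression", "ptsd", "adhd", "diagnosis", "medication",
    "prescription", "lab results", "results are in", "session", "therapy",
    "treatment", "symptoms",
)
# Whole-word match, optional plural ("sessions", "symptoms").
TERM_RE = re.compile(
    r"\b(?:" + "|".join(re.escape(t) for t in CLINICAL_TERMS) + r")s?\b", re.I
)

# General ICD-10-CM code shape: letter (U is reserved), digit, alphanumeric,
# optional '.' plus up to four more characters, e.g. F41.1. Deliberately loose:
# it will also catch things like "Suite B12", which is the safe direction to
# fail (route to the secure channel, not out over SMS).
ICD10_RE = re.compile(r"\b[A-TV-Z][0-9][0-9A-Z](?:\.[0-9A-Z]{1,4})?\b", re.I)

# Dollar amounts: the article's "statement is ready" example allows no amounts.
AMOUNT_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")


@dataclass
class ScreenResult:
    allow_sms: bool
    reasons: list[str] = field(default_factory=list)


def screen_sms(draft: str) -> ScreenResult:
    """Flag a draft that appears to contain PHI or treatment information."""
    reasons: list[str] = []

    hits = sorted({m.group(0).lower() for m in TERM_RE.finditer(draft)})
    if hits:
        reasons.append("clinical terms: " + ", ".join(hits))
    if ICD10_RE.search(draft):
        reasons.append("diagnosis-code pattern")
    if AMOUNT_RE.search(draft):
        reasons.append("billing amount")

    return ScreenResult(allow_sms=not reasons, reasons=reasons)


def route(draft: str) -> str:
    """Pick the channel: plain 'sms' only when nothing in the draft was flagged."""
    return "sms" if screen_sms(draft).allow_sms else "secure_messaging"


if __name__ == "__main__":
    # Constructed sample drafts mirroring the article's OK / NOT OK lists.
    for draft in (
        "Your appointment is confirmed for Thursday at 2pm",
        "Please call our office when you have a moment",
        "Your statement is ready",
        "Your lab results are in",
        "Remember to take your medication",
        "Following up on our discussion about your anxiety",
        "Your diagnosis code for insurance is F41.1",
        "Your statement is ready: $150 for two sessions",
    ):
        result = screen_sms(draft)
        print(f"{route(draft):17} {draft!r} {result.reasons}")
```

Wire `route` in front of whatever sends the text: anything that comes back `secure_messaging` goes through the EHR portal or secure-messaging vendor, never the Messages app. The screen is a keyword and pattern check, so it will occasionally flag harmless text (unit numbers, the word "session" in a scheduling message); that is the right way round, since a false positive costs a moment of re-routing while a false negative is a disclosure.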

HIPAA-Compliant Messaging Options

Several platforms offer HIPAA-compliant secure messaging with signed BAAs:

EHR-integrated messaging. Most therapy EHRs (SimplePractice, TherapyNotes, Jane App) include a secure messaging portal. Messages are sent within the EHR platform, encrypted, and covered under your existing BAA. This is the simplest option for most solo therapists.

Spruce Health. A HIPAA-compliant communication platform that offers secure messaging, phone, and fax. BAA available. Popular with solo and small practices.

OhMD. HIPAA-compliant texting platform designed for healthcare. Messages look like texts to the patient but are transmitted through a secure channel. BAA available.

Klara. Patient communication platform with secure messaging. BAA available. Integrates with several EHRs.

Hushmail. Primarily known for secure email, but also offers secure forms and messaging capabilities. BAA available.

Comparing the Top HIPAA-Compliant Messaging Platforms

If you'd rather not rely solely on your EHR's built-in messaging, here's how the leading standalone options compare for a solo or small therapy practice. Pricing changes often and usually depends on the number of providers, so treat the figures below as ballpark starting points and confirm current rates with each vendor.

Spruce Health

  • BAA: Yes — signed as part of onboarding.
  • Pricing: Paid plans start at roughly $24 per provider/month; higher tiers add phone, fax, and team features.
  • EHR integration: Offers integrations and an API, but it's a communication hub in its own right rather than something deeply embedded in a therapy EHR.
  • Best for: Practices that want a single, polished hub for secure text, phone, and fax.

OhMD

  • BAA: Yes.
  • Pricing: Free tier for basic use, with paid practice plans (roughly $50+ per provider/month, quote-based at scale).
  • EHR integration: Strong — advertises two-way integrations with a wide range of EHRs, so messages can sync back to the chart.
  • Best for: Practices that want texts to feel like normal SMS to the patient while staying on a secure channel.

Klara

  • BAA: Yes.
  • Pricing: Custom, quote-based — aimed at practices rather than individuals, so it tends to sit at the higher end.
  • EHR integration: Integrates with several EHRs and patient-engagement systems.
  • Best for: Growing group practices that want messaging tied into a broader patient-engagement workflow.

Hushmail for Healthcare

  • BAA: Yes.
  • Pricing: The healthcare plan is one of the most affordable, at roughly $11–$12 per user/month.
  • EHR integration: None to speak of — it's a standalone secure email, web form, and messaging tool rather than an EHR add-on.
  • Best for: Solo practitioners who mainly need secure email and intake forms, with light messaging on top.

For most solo therapists, your EHR's built-in secure messaging is still the simplest and cheapest route because it's already covered by your existing BAA. Reach for a standalone platform when you want texting that feels like real SMS to the patient, or when you've outgrown what your EHR's portal can do.

Patient Consent for Texting

Even with a HIPAA-compliant platform, best practices include:

  1. Get written consent. Have patients sign a communication preferences form that acknowledges they've been informed about the risks and benefits of electronic communication.

  2. Document the consent. Keep the signed form in the patient's record.

  3. Explain the limitations. Patients should understand that texting (even via secure channels) may not be appropriate for emergencies.

  4. Offer alternatives. Not every patient wants to communicate electronically. Always offer phone and in-person options.

Practical Recommendations

For most solo therapists, the simplest compliant approach is:

  1. Use your EHR's secure messaging for clinical communications (appointment details, treatment-related messages, document sharing)
  2. Use standard SMS only for non-PHI (appointment time confirmations without clinical detail, "please call the office" messages)
  3. Get written patient consent for all electronic communication
  4. Document your messaging policy in your HIPAA policies and procedures

What to Do Right Now

If you only do five things after reading this, make it these:

  1. Stop using standard SMS for anything that carries PHI. No clinical content, no diagnoses, no "following up on your session"; keep your phone's Messages app to non-PHI logistics only.
  2. Choose a HIPAA-compliant messaging platform. Start with your EHR's built-in secure messaging; if it falls short, pick a standalone option (Spruce, OhMD, Klara, or Hushmail) that fits your size and budget.
  3. Get a signed BAA from your messaging vendor. No BAA, no PHI — full stop. Keep the signed agreement in your compliance file.
  4. Update your Notice of Privacy Practices to reflect how you communicate electronically, including texting and your secure-messaging channel.
  5. Add messaging consent to your intake forms so every patient acknowledges the risks and benefits of electronic communication, and you have it documented in their record.

Your HIPAA risk assessment checks your communication practices alongside 39 other compliance areas. If your current texting setup has gaps, the assessment will identify them.


Not sure if your vendors are HIPAA compliant?

Our assessment checks your EHR, email, telehealth, and cloud storage against HIPAA requirements. Free, 25 minutes, results are instant.
