Yundra

HIPAA and Text Messaging: Can Therapists Text Patients?

Texting is how most people communicate in 2026. Your patients text their doctors, their dentists, their accountants. So naturally, they want to text you. The question is: can you text them back without violating HIPAA?

The short answer: standard SMS text messaging is not HIPAA compliant. But there are compliant ways to communicate with patients via text-like channels.

Why Standard SMS Isn't HIPAA Compliant

Standard SMS (the text messages you send through your phone's built-in Messages app) fails HIPAA requirements in several ways:

No encryption in transit. SMS messages are transmitted in plaintext across carrier networks. Anyone with access to the network infrastructure could intercept them.

No encryption at rest. Messages are stored unencrypted on the phone, in carrier logs, and potentially in cloud backups (iCloud, Google).

No access controls. If someone picks up your phone or the patient's phone, they can read the messages. There's no authentication beyond the phone's lock screen.

No audit trail. You can't demonstrate who accessed which messages, when, or whether messages were modified.

No BAA with carriers. Your phone carrier (Verizon, AT&T, T-Mobile) will not sign a Business Associate Agreement for SMS services.

What About iMessage, WhatsApp, Signal?

iMessage: End-to-end encrypted between Apple devices, but Apple does not sign BAAs for iMessage. Messages are also stored in iCloud backups (which don't have a BAA). Not HIPAA compliant.

WhatsApp: End-to-end encrypted, but Meta (the parent company) does not sign BAAs. Not HIPAA compliant.

Signal: End-to-end encrypted with excellent security, but Signal Foundation does not sign BAAs. Not HIPAA compliant.

The pattern is clear: encryption alone isn't enough. HIPAA requires a BAA with any service that handles PHI, and none of these consumer messaging platforms offer one.

What You CAN Text

Even without a HIPAA-compliant messaging platform, you can send certain texts via standard SMS as long as they don't contain PHI:

OK to text:

  • "Your appointment is confirmed for Thursday at 2pm" (no clinical details)
  • "Please call our office when you have a moment"
  • "Your statement is ready" (without amounts or services)
  • General practice announcements (holiday hours, new address)

NOT OK to text:

  • "Your lab results are in" (implies healthcare relationship)
  • "Remember to take your medication" (implies treatment)
  • "Following up on our discussion about your anxiety" (clinical content)
  • "Your diagnosis code for insurance is..." (PHI)
  • Any message that includes the patient's full name + health information in the same thread

The grey area is narrow. When in doubt, don't include clinical content in a standard text.

HIPAA-Compliant Messaging Options

Several platforms offer HIPAA-compliant secure messaging with signed BAAs:

EHR-integrated messaging. Most therapy EHRs (SimplePractice, TherapyNotes, Jane App) include a secure messaging portal. Messages are sent within the EHR platform, encrypted, and covered under your existing BAA. This is the simplest option for most solo therapists.

Spruce Health. A HIPAA-compliant communication platform that offers secure messaging, phone, and fax. BAA available. Popular with solo and small practices.

OhMD. HIPAA-compliant texting platform designed for healthcare. Messages look like texts to the patient but are transmitted through a secure channel. BAA available.

Klara. Patient communication platform with secure messaging. BAA available. Integrates with several EHRs.

Hushmail. Primarily known for secure email, but also offers secure forms and messaging capabilities. BAA available.

Patient Consent for Texting

Even with a HIPAA-compliant platform, best practices include:

  1. Get written consent. Have patients sign a communication preferences form that acknowledges they've been informed about the risks and benefits of electronic communication.

  2. Document the consent. Keep the signed form in the patient's record.

  3. Explain the limitations. Patients should understand that texting (even via secure channels) may not be appropriate for emergencies.

  4. Offer alternatives. Not every patient wants to communicate electronically. Always offer phone and in-person options.

Practical Recommendations

For most solo therapists, the simplest compliant approach is:

  1. Use your EHR's secure messaging for clinical communications (appointment details, treatment-related messages, document sharing)
  2. Use standard SMS only for non-PHI (appointment time confirmations without clinical detail, "please call the office" messages)
  3. Get written patient consent for all electronic communication
  4. Document your messaging policy in your HIPAA policies and procedures

Your HIPAA risk assessment checks your communication practices alongside 39 other compliance areas. If your current texting setup has gaps, the assessment will identify them.
