Standard text messaging is not HIPAA compliant. Regular SMS lacks encryption, offers no access controls, and leaves messages sitting on devices and carrier servers where unauthorized people can read them. However, healthcare organizations can text about patient health information legally if they use a secure messaging platform that meets HIPAA’s technical requirements, or in limited cases, if a patient knowingly chooses to communicate via unencrypted text.
Why Standard SMS Fails HIPAA Requirements
HIPAA’s Security Rule requires specific technical safeguards for any system that handles electronic protected health information (ePHI). These include access controls that limit who can view the data, audit logs that track every interaction, integrity protections against tampering, and transmission security that prevents interception during delivery. Standard text messaging fails on nearly every count.
A regular SMS message travels from your phone to your carrier’s servers, potentially through an aggregator, then to the recipient’s carrier, and finally to their device. At no point along that chain is the message encrypted in a way that meets HIPAA standards. An analysis published in the American Journal of Public Health found “potential vulnerabilities and risks that PHI could fall into the wrong hands every step of the way” along this path. Once a message leaves the sender’s phone, it passes through carrier systems that the healthcare organization has no contractual agreement with and no control over.
The problems don’t stop at transmission. Text messages persist on devices indefinitely. If a recipient doesn’t use a passcode on their phone, anyone who picks it up can read those messages. There’s no way to remotely delete a sent SMS, no audit trail showing who read it and when, and no mechanism to verify the identity of the person on the other end. These gaps make standard texting incompatible with HIPAA’s access control, audit, and integrity standards.
What HIPAA Actually Requires for Electronic Messaging
The Security Rule lays out several technical safeguards that any messaging system must meet before it can carry patient health information:
- Unique user identification: Every person using the system needs their own login credentials so activity can be tracked to a specific individual.
- Access controls: Only authorized users should be able to view messages containing health information.
- Encryption: Messages need to be encrypted both while being sent and while stored on devices and servers, so intercepted data is unreadable.
- Audit controls: The system must log who sent what, who received it, and when it was read.
- Integrity controls: There must be protections ensuring messages haven’t been altered or destroyed without authorization.
- Automatic logoff: Sessions should time out after a period of inactivity.
Encryption is listed as an “addressable” specification rather than “required,” which causes some confusion. Addressable doesn’t mean optional. It means an organization must implement encryption if it’s reasonable and appropriate. If they decide it isn’t, they must document why and use an equivalent alternative safeguard. For messaging in 2024, encryption is both reasonable and widely available, so there’s effectively no justification for skipping it.
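An added illustration, not code from the article or from any vendor's product, of how the safeguards listed above map onto a message store: unique user ids, an access-control check on each read, an HMAC integrity tag, an audit log of every attempt, message expiry, and automatic logoff after inactivity. The timeout and retention values are assumed policy settings, and in-transit and at-rest encryption is left to the transport and device layers rather than shown here.

```python
import hmac
import time

INACTIVITY_TIMEOUT = 15 * 60  # idle seconds before automatic logoff (assumed policy value)
MESSAGE_TTL = 24 * 3600       # seconds until a message becomes inaccessible (assumed)

class SecureMessenger:
    def __init__(self, user_ids, integrity_key: bytes, clock=time.time):
        self.users, self._key, self._clock = set(user_ids), integrity_key, clock
        self.sessions, self.messages, self.audit_log = {}, [], []

    def _audit(self, user_id, action, msg_id=None):
        self.audit_log.append((self._clock(), user_id, action, msg_id))

    def login(self, user_id):  # only enrolled, uniquely identified users get a session
        if user_id in self.users:
            self.sessions[user_id] = self._clock()

    def _require_session(self, user_id):  # automatic logoff after inactivity
        last, now = self.sessions.pop(user_id, None), self._clock()
        if last is None or now - last > INACTIVITY_TIMEOUT:
            self._audit(user_id, "logged_off")
            raise PermissionError("session expired; log in again")
        self.sessions[user_id] = now

    def _tag(self, msg):  # integrity control: keyed hash over every stored field
        data = "|".join(str(msg[k]) for k in ("id", "sender", "recipient", "sent_at", "body"))
        return hmac.new(self._key, data.encode(), "sha256").hexdigest()

    def send(self, sender, recipient, body):
        self._require_session(sender)
        msg = {"id": len(self.messages) + 1, "sender": sender, "recipient": recipient,
               "body": body, "sent_at": self._clock()}
        self.messages.append({**msg, "tag": self._tag(msg)})
        self._audit(sender, "send", msg["id"])
        return msg["id"]

    def read(self, user_id, msg_id):  # returns (outcome, body); body is None unless read
        self._require_session(user_id)
        msg = self.messages[msg_id - 1]
        if user_id not in (msg["sender"], msg["recipient"]):  # access control
            outcome = "access_denied"
        elif self._clock() - msg["sent_at"] > MESSAGE_TTL:  # message expiry
            outcome = "expired"
        elif not hmac.compare_digest(self._tag(msg), msg["tag"]):
            outcome = "integrity_failure"
        else:
            outcome = "read"
        self._audit(user_id, outcome, msg_id)  # every attempt, allowed or not, is logged
        return outcome, (msg["body"] if outcome == "read" else None)
```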
The Business Associate Agreement Problem
Even if a messaging app offers encryption, that alone doesn’t make it compliant. Any third-party platform that transmits, stores, or has access to patient health information on behalf of a healthcare organization is considered a “business associate” under HIPAA. The law requires a signed Business Associate Agreement (BAA) before any health information flows through that service.
A BAA is a written contract where the platform commits to safeguarding patient data, reporting breaches, and following HIPAA rules. Major consumer texting services, including Apple’s iMessage, standard Android messaging, WhatsApp, and Facebook Messenger, do not sign BAAs with healthcare providers. Using them to send patient information violates HIPAA regardless of whether the messages happen to be encrypted.
If a healthcare organization discovers that its business associate has violated the agreement, HIPAA requires the organization to take steps to fix the problem or terminate the relationship. If it does neither and keeps using the non-compliant platform, it must report the situation to the HHS Office for Civil Rights. In practice, this means organizations need to choose their messaging tools carefully from the start.
The Patient Request Exception
There is one scenario where unencrypted communication gets more leeway. HHS guidance on electronic communications states that providers can communicate electronically with patients, even through unencrypted channels, as long as they apply reasonable safeguards. If a patient initiates contact via text or email, the provider can generally assume the patient finds that method acceptable.
That said, HHS recommends providers warn patients about the risks of unencrypted communication and let the patient decide whether to continue. If a patient explicitly requests a more secure method, the provider must accommodate that request. The practical approach many organizations take is to have patients sign an acknowledgment that they understand the risks of receiving health information by text, and to limit what’s shared through that channel. Sending a brief appointment reminder is very different from texting lab results or a diagnosis.
This exception applies to provider-to-patient communication. It does not cover provider-to-provider texting about patients, which must go through a compliant platform.
What Compliant Messaging Looks Like
Secure messaging platforms designed for healthcare fill the gaps that standard SMS can’t. A review published in Applied Clinical Informatics evaluated the features these platforms typically offer, and the list goes well beyond basic encryption.
Core security features include message status tracking (sent, delivered, read), sender and recipient logging, timestamps, usage analytics, and mobile device management capabilities. That last feature is critical: if a phone is lost or stolen, administrators can remotely lock it, locate it, or wipe its data entirely. Messages can also be set to expire or become inaccessible after a defined period.
More advanced platforms integrate with electronic health records, deliver lab results and radiology reports directly into the app, and let users search for colleagues by clinical role rather than just by name. Some support secure photo and video sharing, which is useful for wound assessments or dermatology consults; sending the same images over regular SMS would be a serious violation.
These platforms also handle the BAA requirement. Vendors in the HIPAA-compliant messaging space sign BAAs as part of their standard onboarding, accepting legal responsibility for protecting the data that passes through their systems.
Staff Devices and Organizational Policies
Technology alone doesn’t create compliance. Organizations also need clear policies governing how staff use messaging, especially when personal phones are involved. A compliant messaging app installed on an unprotected personal phone still creates risk if the device has no passcode, runs outdated software, or is shared with family members.
Effective policies typically address which app to use (and explicitly prohibit standard SMS for patient information), require device-level security like passcodes and biometric locks, establish rules for what types of information can be messaged, and define what happens when a device is lost. Staff training matters too. Many HIPAA violations involving texting stem not from technology failures but from employees defaulting to the fastest, most familiar option, which is usually their regular messaging app.
Organizations that allow personal devices for work communication should ensure the secure messaging app can be remotely managed independently of the rest of the phone. This lets IT wipe organizational data without touching personal photos or apps, which makes employees more willing to report a lost device promptly.
Penalties for Getting It Wrong
HIPAA violations carry civil penalties organized into four tiers based on the level of negligence, ranging from cases where the organization didn’t know about the violation (and reasonably couldn’t have) up to willful neglect left uncorrected. Fines can reach into the millions of dollars per violation category per year. Beyond financial penalties, the HHS Office for Civil Rights publishes resolution agreements from enforcement actions, which means the reputational damage is public. For smaller practices, even a single investigation can be disruptive and expensive regardless of the final penalty amount.
The most common enforcement trigger isn’t a sophisticated data breach. It’s a complaint from a patient or employee, or a breach report filed after a lost or stolen device exposes unencrypted messages. Switching to a compliant platform eliminates the most preventable version of this risk.