
Date: March 26, 2026
SMS for Healthcare: HIPAA-Compliant Messaging Guide
Your front desk staff spends 90 minutes every morning calling patients to confirm appointments. Half the calls go to voicemail. Of the patients they reach, a third say they forgot about the appointment and need to reschedule. Meanwhile, 15 percent of your afternoon appointments will be no-shows because the reminder call got lost in a sea of voicemails that nobody checks.
You know text messaging would fix this. Patients read texts within minutes. Confirmation reply rates are dramatically higher than phone answer rates. Automated reminders would free your front desk to handle the patients who actually walk through the door.
But every time the conversation comes up, someone mentions HIPAA, and the project stalls. The concern is legitimate. Sending patient information over text messaging raises real compliance questions. But the assumption that HIPAA prohibits all text messaging is wrong. HIPAA does not ban SMS. It sets conditions for how protected health information can be communicated, and there are clear, documented ways to meet those conditions.
This guide explains what HIPAA actually requires for healthcare text messaging, which types of messages are safe to send, and how to build a compliant SMS program that reduces no-shows without creating compliance exposure.
What HIPAA Actually Says About Text Messaging
HIPAA does not mention text messaging by name. The Health Insurance Portability and Accountability Act was passed in 1996, long before SMS was a common communication channel. Instead, HIPAA establishes broad requirements for how covered entities handle protected health information (PHI) across any medium, including electronic communications.
The relevant HIPAA rules for text messaging are the Privacy Rule, the Security Rule, and the Breach Notification Rule.
- The Privacy Rule governs when and how you can share PHI. It requires that you only share the minimum necessary information for a given purpose and that you have the patient's authorization when required.
- The Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI). For text messaging, this means encryption in transit and at rest, access controls, and audit trails.
- The Breach Notification Rule requires you to notify affected individuals, HHS, and potentially the media if unsecured PHI is compromised. A text message containing PHI sent to the wrong number is technically a breach.
The practical takeaway: you can send text messages in a healthcare context, but what you include in those messages and how you handle the messaging platform matters.
Which Healthcare Messages Can You Send via SMS?
The safest approach is to categorize your healthcare messages by their PHI content and handle each category appropriately.
Low Risk: Messages Without PHI
These messages contain no protected health information and carry minimal HIPAA risk:
- General appointment reminders that do not specify the type of appointment or the provider's specialty. For example: "Reminder: You have an appointment on Tuesday at 2:00 PM. Reply C to confirm or R to reschedule."
- Office hour notifications, holiday closures, and general practice updates.
- Patient satisfaction survey links without identifying information in the message itself.
- Billing reminders that reference a balance due date without specifying services rendered.
These messages follow standard TCPA consent rules and do not require additional HIPAA-specific safeguards in the message content.
Medium Risk: Messages with Limited PHI
These messages reference the patient by name or include limited clinical context:
- Appointment reminders that mention a provider name or specialty. For example: "Hi Sarah, your appointment with Dr. Chen is Tuesday at 2 PM." The patient name and provider name are both PHI.
- Medication refill reminders that name the medication.
- Lab result notifications that indicate results are ready without sharing the results themselves. For example: "Your lab results are available. Log in to the patient portal to view them."
These messages require patient consent for communication via text, and the minimum necessary standard should be applied. Include only the information needed for the patient to take action.
High Risk: Messages with Detailed PHI
These messages should generally not be sent via standard SMS:
- Specific test results, diagnoses, or treatment details.
- Detailed billing information that reveals the nature of services.
- Mental health, substance abuse, or HIV-related information, which often carries additional state-level protections.
For these messages, direct the patient to a secure portal rather than including the information in the text itself. The text serves as a notification: "New results are available in your patient portal." The portal handles the secure delivery.
Building a HIPAA-Compliant SMS Program: Step by Step
Step 1: Get Patient Consent for Text Communication
Before sending any text messages, obtain the patient's consent to communicate via SMS. This consent should be documented in your EHR or practice management system and should specify that the patient acknowledges the inherent limitations of text messaging as a communication medium.
A sample consent statement: "I consent to receive text messages from [Practice Name] for appointment reminders, general health information, and practice updates. I understand that text messages may not be encrypted and that there are risks associated with electronic communication. I will not include sensitive health information in text replies."
Include this in your patient intake paperwork or as part of your patient portal registration. Store the signed consent as part of the patient's medical record.
Step 2: Apply the Minimum Necessary Standard
Every text message should include only the minimum information necessary for the patient to take the intended action. An appointment reminder does not need to include the reason for the visit. A lab notification does not need to include the result. A billing reminder does not need to itemize the services.
Train your staff on what can and cannot be included in a text message. Create approved message templates and require staff to use them rather than composing free-form texts.
Step 3: Ensure Your Messaging Platform Has Appropriate Safeguards
Your messaging provider should offer audit logging that records every message sent and received, with timestamps and recipient information. Access to the messaging platform should be restricted to authorized personnel through role-based access controls. Messages should be encrypted in transit between the platform and carrier networks; keep in mind that once a message is handed to the carrier, standard SMS is not end-to-end encrypted, which is why the content rules above do the real work.
If your messaging platform qualifies as a Business Associate under HIPAA, you need a Business Associate Agreement (BAA) in place with the provider. This is a legal contract that requires the vendor to handle PHI in compliance with HIPAA requirements.
Step 4: Implement Proper Opt-Out Handling
Beyond TCPA requirements, healthcare opt-out processing should be configured to suppress the patient's number from all non-critical message types. A patient who opts out of marketing messages should still receive critical clinical notifications if they have separately consented to those.
Maintain clear records of which message types each patient has consented to and opted out of.
Step 5: Create Staff Training and Policies
Document your organization's text messaging policy, including what types of messages can be sent, who is authorized to send them, what templates must be used, and how consent records are maintained. Train every staff member who has access to the messaging platform, and include text messaging compliance in your annual HIPAA training.
The policy should explicitly prohibit sending detailed clinical information via SMS. When in doubt, the message should direct the patient to the secure portal.
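Steps 2 through 4 expressed as send-side checks, in an added Python example that is not Signalmash code: every send must use an approved template with only that template's placeholders, pass a per-message-type consent check, survive opt-out suppression (a general STOP suppresses non-critical types only), and leave an audit entry. The message types, templates, phone numbers and patient records here are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from string import Formatter

# Approved templates keyed by message type. Placeholders cover only the fields
# the patient needs to act on; there is no slot for a result, diagnosis or reason.
TEMPLATES = {
    "reminder": "Reminder: You have an appointment on {day} at {time}. "
                "Reply C to confirm or R to reschedule.",
    "portal_notice": "New results are available in your patient portal.",
    "practice_update": "{practice} will be closed on {day}.",
}
# Message types treated as critical clinical notifications: a general STOP
# does not suppress them when the patient separately consented to them.
CRITICAL_TYPES = {"portal_notice"}

@dataclass
class Patient:
    phone: str
    consented: set      # message types listed on the signed consent record
    opted_out: set      # types the patient stopped; "all" records a general STOP

AUDIT_LOG = []          # one entry per attempted send, delivered or blocked

def _audit(patient, msg_type, outcome, detail):
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "to": patient.phone, "type": msg_type,
                      "outcome": outcome, "detail": detail})

def gate(patient, msg_type, **fields):
    """Return the text to hand to the carrier, or None when a rule blocks the send."""
    tpl = TEMPLATES.get(msg_type)
    if tpl is None:                         # free-form text is never allowed
        _audit(patient, msg_type, "blocked", "no approved template")
        return None
    if msg_type not in patient.consented:
        _audit(patient, msg_type, "blocked", "no documented consent")
        return None
    general_stop = "all" in patient.opted_out and msg_type not in CRITICAL_TYPES
    if msg_type in patient.opted_out or general_stop:
        _audit(patient, msg_type, "blocked", "patient opted out")
        return None
    expected = {name for _, name, _, _ in Formatter().parse(tpl) if name}
    if set(fields) != expected:             # reject extra (possibly clinical) fields
        _audit(patient, msg_type, "blocked", "template fields mismatch")
        return None
    text = tpl.format(**fields)
    _audit(patient, msg_type, "sent", text)
    return text
```

The blocked reasons land in the same audit log as successful sends, so a compliance reviewer can see attempted free-form or post-opt-out sends, not just what went out.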
Reducing No-Shows with Compliant Messaging
The primary ROI for healthcare SMS is no-show reduction. Patient no-shows cost the US healthcare system an estimated $150 billion annually. Individual practices report no-show rates ranging from 5 percent to over 30 percent, depending on the specialty and patient population.
Automated SMS reminders consistently reduce no-shows by 25 to 40 percent. The standard approach is a two-touch reminder sequence: one message 48 hours before the appointment and another the morning of, each with a simple confirm-or-reschedule reply option.
For a practice scheduling 30 patients per day with a 20 percent no-show rate, that is 6 empty slots daily. At an average revenue of $200 per visit, that is $1,200 per day or roughly $26,400 per month in lost revenue. A 30 percent reduction in no-shows through SMS reminders recovers approximately $7,900 per month.
The cost of running a compliant SMS program through a provider like Signalmash is a small fraction of the revenue it recovers.
Choosing a Messaging Provider for Healthcare
Healthcare practices need a messaging provider that understands both the technical requirements and the regulatory environment. When evaluating providers, ask:
- Do they offer a Business Associate Agreement? If you are sending any messages that touch PHI, this is required.
- Do they provide audit logging and access controls? Your compliance team needs the ability to review messaging activity and restrict platform access to authorized personnel.
- Do they handle TCPA compliance, including STOP processing and consent management? Healthcare messaging must comply with both HIPAA and TCPA, and the requirements overlap in some areas.
- Do they support 10DLC registration for healthcare use cases? Carrier approval for healthcare messaging campaigns requires specific campaign descriptions and sample messages.
Signalmash provides hands-on support for healthcare messaging programs, including guidance on compliant message templates, 10DLC campaign registration for healthcare-specific use cases, and the technical safeguards your compliance team requires. Their dedicated support model means your practice works with real people who understand the regulatory nuances, not a ticket queue.
Tags:
Communications
Business
Text Messaging