Is Texting HIPAA Compliant? Standard SMS and What to Use Instead
TLDR
Standard SMS text messaging is not HIPAA compliant. SMS messages travel unencrypted over carrier networks using the SS7 protocol. Mobile carriers cannot sign healthcare BAAs. For clinical messaging, practices use encrypted platforms like TigerConnect, Klara, or Spruce Health, which look like texting but operate over encrypted channels and include BAAs.
The short answer
Standard SMS text messaging is not HIPAA compliant. The technology was not built for healthcare, carriers do not sign BAAs, and messages travel without end-to-end encryption.
This applies to every standard messaging app that routes through SMS: the built-in Messages app on iPhones and Android phones, carrier-based texting, and MMS. The platform does not matter if it uses the SMS or MMS protocol underneath.
Why SMS fails HIPAA requirements
The technical problem is the SS7 protocol. SS7 was designed in 1975 to route voice calls and later extended for SMS. It does not support end-to-end encryption. Messages pass through carrier switching networks where carrier employees can read them, law enforcement can access them with a subpoena, and third parties can intercept them through known SS7 vulnerabilities.
Carriers store SMS message content on their servers. AT&T, Verizon, and T-Mobile retain message data for law enforcement compliance purposes. None of these carriers will sign a HIPAA BAA for standard SMS routing.
Even if encryption were layered on top, the BAA problem remains. HIPAA requires a signed BAA with every vendor that handles PHI. Your mobile carrier handles every text your staff sends. No major US carrier has built the BAA, breach notification, and audit infrastructure required to serve as a healthcare business associate.
The staff-to-staff texting problem
Most HIPAA training focuses on patient-facing communications. The staff-to-staff texting problem gets less attention and causes more violations.
A nurse texts a physician about a patient’s lab results. A front desk coordinator texts a provider about a patient’s no-show and rescheduling reason. An office manager sends a group text to the care team about a patient requiring follow-up. All of these are common, everyday clinic communications. All of them are HIPAA violations when sent over standard SMS.
Personal phones compound this. When staff use personal devices for work texting, PHI passes through personal carrier accounts with no organizational oversight, no audit trail, and no ability to remotely wipe the data if a phone is lost or stolen.
The patient consent exception
HIPAA does include a narrow patient-initiated exception. If a patient explicitly requests to receive communications by standard text, is informed in writing of the security risks, and provides documented consent, a practice may send appointment-only reminders via SMS.
This exception has limits. It covers appointment reminders, not clinical content. It requires documented consent on file before any message is sent. It does not cover test results, prescription instructions, billing disputes, or any other PHI. And it requires the practice to document that the patient’s request was informed and voluntary.
Most practices find the documentation burden and compliance risk outweigh the convenience. A secure messaging platform removes the exception question entirely.
What compliant clinics use
Several platforms are built specifically to replace clinical texting. They look similar to standard messaging apps but use encrypted protocols and sign healthcare BAAs.
TigerConnect is the most widely used in larger practices and health systems, covering secure messaging, voice, and video with a BAA. Klara focuses on patient-facing communication: appointment reminders, form collection, and secure messaging with patients, also with a BAA. Spruce Health covers both patient and internal staff messaging and is used more often by smaller practices. Doximity Messenger handles clinician-to-clinician messaging and is common for referral communications between physicians.
These platforms cost money. Standard texting is free, which is why the violation rate for clinical texting remains high. The business decision is whether the cost of a messaging platform is less than the risk of a HIPAA investigation. Office for Civil Rights fines for texting-related violations have reached seven figures in confirmed cases.
Where task coordination fits
Secure messaging platforms handle real-time communication. They do not handle structured task assignment, compliance tracking, or workflow management. That coordination layer runs separately from messaging.
PHIGuard covers that layer. When a fax comes in with a prior authorization request, someone needs to be assigned to follow up, there needs to be a due date, and there needs to be a record of who completed it and when. That workflow does not belong in a messaging app. PHIGuard includes a BAA at every tier starting at $20/month, and the task and compliance dashboard is designed specifically for small clinic staff who do not have time to configure a general-purpose tool.
Definitions
- SS7 (Signaling System No. 7): The protocol used by mobile carriers to route SMS messages. SS7 was designed in 1975 and does not include end-to-end encryption. Messages can be intercepted in transit, and carriers store message content on their servers.
- Business Associate Agreement (BAA): A contract required by HIPAA between a covered entity (your practice) and any vendor that handles protected health information. Mobile carriers (AT&T, Verizon, T-Mobile) do not sign healthcare BAAs for standard SMS.
- Secure Clinical Messaging: Encrypted messaging platforms built specifically for healthcare. Unlike standard SMS, these platforms use end-to-end encryption, maintain audit logs, and sign BAAs with healthcare organizations.
Q&A
Is text messaging HIPAA compliant?
Standard SMS text messaging is not HIPAA compliant. The SS7 protocol does not encrypt messages, carriers cannot sign BAAs, and SMS lacks the audit controls HIPAA requires.
Can a clinic text patients appointment reminders?
With documented patient consent and proper disclosures, appointment-only SMS reminders may be permissible. This exception is narrow, requires documented authorization, and does not extend to any clinical content. Most practices use a HIPAA-compliant messaging platform to avoid the risk.
What do compliant clinics use for messaging?
TigerConnect, Klara, Spruce Health, and Doximity Messenger are the most commonly used platforms. All sign BAAs and use encrypted messaging protocols. They are designed to replace standard texting for clinical communications.