Now more than ever, it’s critical that healthcare practices and organizations go the extra mile to keep their patients’ information private and secure.

That’s because in 2021, healthcare cybersecurity data breaches reached an all-time high, impacting more than 45 million patients. And that number has tripled in the last three years.

Why HIPAA Matters

Regulations like the Health Insurance Portability and Accountability Act (HIPAA) help you ensure that your patient communications—including text messages and emails—are compliant and protect patient information. HIPAA provides rules around uses and disclosures to keep protected health information (PHI) private.

The HIPAA Privacy Rule defines PHI as individually identifiable information transmitted or maintained in any form or medium by a covered entity or business associate.

HIPAA regulates:

  • How and when to disclose PHI
  • Ways you have to protect PHI
  • Patient rights to access their own information

Who Is Impacted by HIPAA?

Both healthcare practices and their business associates are required to follow HIPAA regulations. Business associates are any vendors or contractors that work with your practice. This would include a vendor who assists with patient communication like text and email.

When entering into a relationship with any business associate, practices must obtain written assurances that the business associate will adequately protect and safeguard PHI. This is mostly done using a business associate agreement. This agreement may also set limits on how much information will be exchanged between the practice and that business associate.

The amount of PHI provided should be the minimum necessary for that business associate to perform its functions. However, it is the responsibility of the practice to make sure a business associate agreement is completed.

Guide to HIPAA Compliance in Patient Communication

Two-way texting with patients is where you have to be most careful to stay HIPAA compliant.

Let’s say a patient texts you a question about a health issue they are facing. Now what? Patients are allowed to send you any PHI that they want. It is their information, and they have the right to do with it as they please.

Things are not quite so easy for the practice. If you would like to enter into a conversation about a patient’s health, you need to make sure you’re covered. You are not allowed to forward that information or continue an electronic conversation (text messages) about PHI over a non-secure channel unless you have the patient’s consent.

The best thing to do in a situation like this is to reply with a message requesting the patient’s consent to discuss their PHI.

For example:

“Hi John. It looks like you’d like to discuss your health in a little more detail. Text and email is not a secure way to do that. Do you still want to carry on the conversation?”

Once the patient gives you consent, you are then allowed to continue the conversation without concern of violating HIPAA. The law requires that you make patients aware of the risk of communicating their PHI via an unsecured channel and to obtain their consent prior to doing so.

If the patient is not comfortable discussing their PHI over text or email, you should invite them to move the conversation to a secure method, such as a phone call, secure patient portal, or in-office visit.

Remember, your obligation is to make patients aware of unsecured communication and to receive authorization before discussing PHI on an unsecured channel.
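The consent workflow above (hold staff replies about PHI until the patient has been warned and has agreed, offer a secure alternative if they decline, and keep a record of what was said and when) is straightforward to enforce in the messaging tool itself rather than relying on each staff member to remember it. The following is an added example, not code from the original article or from any vendor it mentions: a small consent gate for a two-way texting inbox. The message templates, the YES/NO keyword sets, and the `Conversation` and `ConsentRecord` types are all hypothetical; the prompt text is adapted from the sample message above with a "Reply YES or NO" instruction appended so the reply can be classified.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Hypothetical message templates (constructed for this example).
CONSENT_PROMPT = (
    "Hi {name}. It looks like you'd like to discuss your health in a little more "
    "detail. Text and email is not a secure way to do that. Do you still want to "
    "carry on the conversation? Reply YES or NO."
)
SECURE_ALTERNATIVE = (
    "Understood. Please call the office, use the secure patient portal, or we can "
    "go over this at your next visit."
)
YES_WORDS = {"yes", "y", "ok", "okay", "sure"}
NO_WORDS = {"no", "n", "stop"}


@dataclass
class ConsentRecord:
    granted: bool
    recorded_at: datetime
    patient_reply: str   # the patient's exact words, kept for the audit trail


@dataclass
class Conversation:
    patient_name: str
    consent: Optional[ConsentRecord] = None
    awaiting_consent: bool = False
    outbound: List[str] = field(default_factory=list)   # messages actually sent
    blocked: List[str] = field(default_factory=list)    # staff replies withheld for lack of consent
    audit: List[str] = field(default_factory=list)


def _now() -> datetime:
    return datetime.now(timezone.utc)


def handle_inbound(conv: Conversation, text: str) -> str:
    """Process a patient's text and return the action taken.

    The patient may send anything; the gate only decides whether staff may
    discuss PHI back over the same unsecured channel.
    """
    word = text.strip().lower()
    if conv.consent is not None and conv.consent.granted:
        if word in NO_WORDS:   # the patient may withdraw consent at any time
            conv.consent = ConsentRecord(False, _now(), text)
            conv.audit.append("consent revoked")
            conv.outbound.append(SECURE_ALTERNATIVE)
            return "consent_revoked"
        return "passthrough"
    if conv.awaiting_consent:
        if word in YES_WORDS:
            conv.consent = ConsentRecord(True, _now(), text)
            conv.awaiting_consent = False
            conv.audit.append("consent granted")
            return "consent_granted"
        if word in NO_WORDS:
            conv.consent = ConsentRecord(False, _now(), text)
            conv.awaiting_consent = False
            conv.audit.append("consent declined")
            conv.outbound.append(SECURE_ALTERNATIVE)
            return "consent_declined"
        # Anything else is not an answer; re-send the prompt rather than guess.
        conv.outbound.append(CONSENT_PROMPT.format(name=conv.patient_name))
        return "consent_requested"
    # No consent on file and no prompt outstanding: warn and ask before anything else.
    conv.awaiting_consent = True
    conv.audit.append("consent requested")
    conv.outbound.append(CONSENT_PROMPT.format(name=conv.patient_name))
    return "consent_requested"


def staff_reply(conv: Conversation, text: str) -> bool:
    """Send a staff reply only if documented consent is on file; otherwise hold it."""
    if conv.consent is not None and conv.consent.granted:
        conv.outbound.append(text)
        return True
    conv.blocked.append(text)
    conv.audit.append("staff reply blocked: no consent on file")
    return False
```

The point of putting the check in `staff_reply` rather than in a training document is that a reply typed before the patient has answered is held, not sent, and the audit list plus the stored `ConsentRecord` give you the timestamped evidence that the warning was delivered and the patient agreed. Anything other than a clear yes or no re-sends the prompt instead of being treated as consent.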

Tools for Managing HIPAA-Compliant Reminders

The good news is that the Department of Health and Human Services has said that automated appointment reminders are HIPAA compliant. That is because they are considered part of the treatment of an individual and, therefore, can be made without an authorization.

Using an automated reminder tool to send patient text messages helps you reach patients about their scheduled care more efficiently and effectively. It also helps you stay HIPAA compliant by including only the necessary information about the appointment, such as the date, time, and location of the visit.

In one study, practices that used automated reminder software to send patients multiple text reminders at a proven cadence found they increased confirmations by 156 percent.

Not only do patients love the ease and convenience of receiving text reminders, but practices benefit greatly from the automation. Staff time spent on phone calls and manual reminders is greatly reduced, freeing up short-staffed front offices to attend to more complex and higher-priority tasks. The operational efficiencies created by an automated reminder system help a practice lower costs and see greater revenue.

Similarly, a two-way texting tool enables you to connect with patients in real time so they can answer questions or reschedule, while keeping the communication HIPAA compliant. The tool makes it more convenient for your patients to reach you at any time without having to make a call, while reducing call volumes for your front office.

Key Takeaways

  • HIPAA helps ensure you keep your patients’ PHI protected and private.
  • Remember to stay HIPAA compliant when two-way texting patients and get consent to discuss PHI.
  • Automated appointment reminders and other text messages are allowed.
  • Software tools like automated appointment reminders and two-way texting can help keep you compliant while offering a significant benefit to patients and staff.
To learn more about HIPAA compliance and other patient communications laws like TCPA, CAN-SPAM, and CASL, download the guide, “Become a Text and Email Guru.”