HIPAA-Compliant Patient Messaging: What You Can (and Can't) Send
For most medical practices, the question isn’t whether to communicate with patients digitally — it’s how to do it without running into HIPAA trouble. And the rules here are genuinely confusing. Practices get it wrong in both directions: either locking down communication so tightly that patients feel neglected, or sending clinical details over channels that aren’t secure.
This guide cuts through the confusion. It explains exactly what HIPAA requires for patient messaging, what you can and can’t send over each channel, and how to build a compliant communication workflow that doesn’t sacrifice patient experience.
The Core HIPAA Question for Messaging: Is This PHI?
HIPAA’s Privacy Rule protects Protected Health Information (PHI) — any information that could identify a patient and relates to their health condition, treatment, or payment for healthcare.
PHI includes:
- Name combined with medical information
- Appointment details that imply a diagnosis or type of care
- Diagnoses, prescriptions, or test results
- Billing information tied to clinical services
When you send a message containing PHI over an unsecured channel, you’re potentially in violation — even if the patient agreed to receive texts in general. A blanket opt-in for reminders is not the same as a documented, informed request to receive clinical details over that channel.
The key word is potentially. HIPAA doesn’t ban texting patients. It requires that you manage the risks appropriately. Here’s how that plays out across the most common messaging channels.
SMS Text Messaging
What the rules actually say
HIPAA doesn’t prohibit SMS. It requires reasonable safeguards for any PHI transmission. For SMS, “reasonable safeguards” means:
- Limiting PHI in the message content to the minimum necessary
- Obtaining patient acknowledgment of the risks of unsecured messaging (or explicit consent)
- Using a Business Associate Agreement (BAA) with any third-party SMS platform
- Documenting your policies and the patient’s communication preferences
What you CAN send via SMS
- Appointment reminders: date, time, provider name, practice name, and location (if your practice or clinic name itself names a specialty, treat it like the appointment type below and keep it generic)
- “Your lab results are ready — please call us or log in to the patient portal”
- “We have an important message waiting for you in your patient portal”
- Payment reminders: “You have a balance due — visit [link] to pay”
- General health tips or seasonal wellness reminders (not tied to a specific patient condition)
- Prescription pickup reminders: “Your prescription is ready for pickup at [pharmacy name]”
What you CANNOT send via SMS (unsecured)
- Test results with specific values or interpretations
- Diagnosis names or ICD codes
- Medication names tied to a clinical reason
- Mental health, substance use disorder, or HIV/AIDS information (these carry additional protections beyond HIPAA: 42 CFR Part 2 for substance use disorder records from federally assisted programs, and many state laws for mental health and HIV status)
- Any message that would reveal what type of care the patient is receiving
The practical rule: If someone found a patient’s phone and read the message, could they determine anything about that patient’s medical condition? If yes, don’t send it via regular SMS.
Getting Consent Right
Best practice is to document explicit patient consent before sending texts. This can be collected:
- At check-in on a paper or tablet form
- In your patient portal onboarding
- Via a texted opt-in confirmation (“Reply YES to receive appointment reminders from [Practice Name]”)
Your consent form should acknowledge: (1) the patient understands texts may not be fully secure, (2) they consent to receive messages at the provided number, and (3) they can opt out at any time.
Email Communication
Unencrypted email = unsecured channel
Standard email — a consumer Gmail, Outlook.com, or Yahoo account — is not HIPAA-secure: no BAA, no enforced encryption, and no control over where the message is stored. (Paid Google Workspace and Microsoft 365 tenants can be covered by a BAA, but a BAA alone does not make a plain-text message secure once it leaves your tenant.) Sending PHI in an unencrypted email is a compliance risk.
However, HIPAA does allow unencrypted email if the patient has been informed of the risks and still requests communication by email. In practice, this means:
- You inform the patient that unencrypted email carries risk
- The patient acknowledges the risk and asks you to communicate by email anyway
- You document that acknowledgment
If the patient requests email communication, you can accommodate that — but you cannot proactively send detailed clinical information via unencrypted email without that documented request.
Encrypted email
Services like Paubox, Proton Mail for Healthcare, or Virtru integrate with Google Workspace and Microsoft 365 to provide encrypted email. With encrypted email + a BAA, you can send clinical details securely. One caveat a practitioner should check: some of these products encrypt the message in transit and hand it to the patient’s ordinary inbox, while others require the patient to open a secure portal or decrypt on their device. Read the vendor’s documentation for which model you are buying, because the protection ends where the vendor’s encryption does.
The practical guidance for most practices: Use email for:
- Appointment confirmations and reminders (with minimal PHI)
- Links to the patient portal where they can access results securely
- Post-visit “thank you” and care instructions that link to the portal
- Health newsletters and educational content not tied to individual patient conditions
Do not use standard email for: results, diagnoses, or anything clinical unless you have documented patient consent and ideally use encrypted delivery.
Patient Portal Messaging
Patient portals are the gold standard for clinical messaging. Messages sent within an EHR-integrated portal are:
- Encrypted in transit and at rest
- Access-controlled (only the patient sees their messages)
- Auditable (you have a log of what was sent and when)
- Covered under your EHR vendor’s BAA
Via the patient portal, you can safely send:
- Lab results with interpretations
- Post-visit summaries and care plans
- Prescription change notifications
- Referral instructions and specialist information
- Responses to patient questions about their care
The limitation: Patient portal messages only work if patients actually log in. Portal adoption is notoriously low — industry average is around 30–40% of patients actively using their portal. This is why many practices use SMS as a delivery mechanism to alert patients that a portal message is waiting for them.
Messaging Apps (WhatsApp, Facebook Messenger, iMessage)
Direct answer: Do not use consumer messaging apps for PHI. WhatsApp, Facebook Messenger, standard iMessage, and similar apps are not HIPAA-compliant by default. Even the ones that encrypt end to end (WhatsApp and iMessage do) fail the test for other reasons: the vendors do not sign BAAs with healthcare providers, messages land in device and cloud backups you don’t control, and there is no practice-side audit trail of what was sent and when.
Some secure messaging solutions designed specifically for healthcare (like Spruce, Klara, or PatientPulse Care’s secure messaging module) use a messaging-style interface while routing messages through encrypted, BAA-covered infrastructure. These are appropriate for clinical communication.
The consumer apps are not, regardless of how patients prefer them.
Building a Compliant Messaging Workflow
The tiered approach
The most practical compliance framework treats channels differently based on content sensitivity:
Tier 1 — Scheduling and Administrative (SMS + Email) Appointment reminders, confirmations, cancellations, billing reminders, general health content. Minimal or no PHI. These can go via SMS and email freely with basic consent.
Tier 2 — Notification (SMS + Email → Portal) “You have a new message / result / document waiting in your portal.” The alert is sent via SMS or email; the actual content lives in the portal. This protects clinical details while still reaching patients where they actually read messages.
Tier 3 — Clinical (Secure Portal or Encrypted Channel Only) Lab results, diagnoses, care plan details, prescription changes, referral coordination. These only go through the patient portal or an encrypted healthcare messaging platform with a BAA.
BAA requirements for every vendor
Any third-party service you use to send patient messages must sign a Business Associate Agreement with your practice. This includes:
- Your SMS/messaging platform
- Your email marketing tool if it handles patient lists
- Your patient portal provider (usually part of your EHR BAA)
- Any scheduling software that sends reminders
No BAA = non-compliant for any vendor that handles PHI. Even an appointment reminder that carries only a name and your practice name is PHI, so a vendor that touches your patient list is a business associate whether or not you ever send clinical details through it. If a vendor refuses to sign a BAA, find a different vendor.
The Top 5 Compliance Mistakes Practices Make
1. Sending appointment details that reveal the specialty. A reminder to “your dermatology appointment” is relatively low risk. A reminder to “your HIV clinic appointment” or “your addiction treatment visit” reveals sensitive information. Be generic about appointment type in SMS.
2. Using personal phone numbers for patient communication. Staff members texting patients from their personal phones creates an unauditable, unsecured communication channel. All patient communication must go through practice-owned, compliant tools.
3. Assuming patient consent covers all communication. Getting a patient’s cell number doesn’t mean you can send them anything via text. Consent for scheduling reminders doesn’t extend to clinical communications.
4. Not having a BAA with your texting vendor. Many practices sign up for generic SMS services (Twilio, standard Mailchimp, etc.) without getting a BAA. These vendors may offer BAAs if you request them — or they may not. Verify before you use them.
5. Leaving message content in auto-generated confirmations. EHR-generated confirmations sometimes automatically include the visit reason or appointment type from the record. Audit your reminder templates to make sure they’re not pulling clinical fields.
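The tiered workflow above and mistake 5 (templates that pull clinical fields) come down to one control: an allowlist of fields and words that may appear on an unsecured channel, enforced before anything is sent, with clinical content routed to the portal and only a notification going out by SMS. The Python below is an added example of that control; it is not PatientPulse Care code or any vendor’s. The field names, the `{field}` template syntax, the sensitive-term list, the sample record and the sample templates are all assumptions, constructed for illustration.

```python
"""Outbound patient-message policy check: template audit plus tiered routing.

Added example, not vendor code. Field names, template syntax, term list and
sample data are constructed assumptions.
"""
import re
from string import Formatter

# Tier 1 allowlist: the only record fields a template may reference when it goes
# out over SMS or email. Anything else is refused on those channels.
TIER1_FIELDS = frozenset({
    "first_name", "appt_date", "appt_time", "provider_name", "practice_name",
    "location", "portal_link", "pay_link", "pharmacy_name",
})

# Fields an EHR reminder engine may expose that reveal the type of care (assumed names).
CLINICAL_FIELDS = frozenset({
    "visit_reason", "appointment_type", "specialty", "department", "diagnosis",
    "icd10", "medication", "result_name", "result_value",
})

# Literal words that fail the "found phone" test on their own (assumed, extend for your practice).
SENSITIVE_TERMS = re.compile(
    r"\b(hiv|aids|addiction|substance|detox|methadone|psychiatr\w*|oncolog\w*|chemo\w*)\b",
    re.IGNORECASE,
)

# Channels secure enough for Tier 3 (clinical) content.
SECURE_CHANNELS = frozenset({"portal", "secure_messaging"})


def template_fields(template):
    """Field names referenced by a str.format-style template, e.g. {appt_date}."""
    return {name for _, name, _, _ in Formatter().parse(template) if name}


def audit_template(template, channel):
    """Return findings for using `template` on `channel`; an empty list means allowed."""
    if channel in SECURE_CHANNELS:
        return []
    findings = []
    for name in sorted(template_fields(template)):
        if name in CLINICAL_FIELDS:
            findings.append(f"clinical field {{{name}}} is not allowed on {channel}")
        elif name not in TIER1_FIELDS:
            # Also rejects attribute/index tricks such as {first_name.__class__} or {0}.
            findings.append(f"field {{{name}}} is not on the {channel} allowlist")
    for match in SENSITIVE_TERMS.finditer(template):
        findings.append(f"literal text '{match.group(0)}' reveals type of care")
    return findings


def render(template, channel, record):
    """Render a template for a channel, refusing anything the audit flags."""
    findings = audit_template(template, channel)
    if findings:
        raise ValueError("; ".join(findings))
    if channel not in SECURE_CHANNELS:
        # Expose only allowlisted columns to the formatter so a template cannot
        # read anything the audit did not see.
        record = {k: v for k, v in record.items() if k in TIER1_FIELDS}
    text = template.format(**record)
    if channel not in SECURE_CHANNELS and SENSITIVE_TERMS.search(text):
        # Catches values, not just template text, e.g. a practice named "Northside Oncology".
        raise ValueError("rendered text reveals type of care on " + channel)
    return text


# Tier 2 alert: the SMS carries no clinical detail, only a pointer to the portal.
NOTIFY_TEMPLATE = "{practice_name}: you have a new message in your patient portal. Log in at {portal_link}"


def deliver(template, record, clinical):
    """Tier routing: Tier 1 content goes straight to SMS; clinical content goes to
    the portal and the patient gets only the Tier 2 alert by SMS."""
    if not clinical:
        return [("sms", render(template, "sms", record))]
    return [
        ("portal", render(template, "portal", record)),
        ("sms", render(NOTIFY_TEMPLATE, "sms", record)),
    ]


# Constructed sample record and templates (the kind an EHR reminder engine exposes).
RECORD = {
    "first_name": "Maria", "practice_name": "Northside Family Practice",
    "provider_name": "Dr. Alvarez", "appt_date": "May 3", "appt_time": "2:30 PM",
    "location": "200 Main St", "portal_link": "https://portal.example/login",
    "appointment_type": "HIV follow-up", "result_name": "HbA1c", "result_value": "7.8%",
}
REMINDER_OK = ("{practice_name}: reminder for your visit with {provider_name} on "
               "{appt_date} at {appt_time}, {location}. Reply C to confirm.")
REMINDER_LEAKS_FIELD = "{practice_name}: reminder for your {appointment_type} visit on {appt_date}."
REMINDER_LEAKS_TEXT = "Reminder: your HIV clinic appointment is on {appt_date}."
RESULT_MESSAGE = ("Hi {first_name}, your {result_name} came back at {result_value}. "
                  "Please read the note from {provider_name}.")

if __name__ == "__main__":
    for label, tpl in [("ok", REMINDER_OK), ("field", REMINDER_LEAKS_FIELD),
                       ("text", REMINDER_LEAKS_TEXT), ("result", RESULT_MESSAGE)]:
        print(label, "on sms:", audit_template(tpl, "sms") or "allowed")
    for channel, text in deliver(RESULT_MESSAGE, RECORD, clinical=True):
        print(channel, "->", text)
```

Run it as-is to see the two leaking reminders rejected and the lab result split into a portal message plus a content-free SMS alert. The allowlist is the point: a denylist of clinical field names will always lag behind whatever new column the EHR exposes, whereas an allowlist means a template can only ever reach fields someone deliberately approved for unsecured delivery. Wire `audit_template` into whatever step saves or imports reminder templates so a bad template is rejected at edit time, not discovered after it has been sent to a thousand patients.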
HIPAA Doesn’t Have to Mean Clunky Communication
The practices that handle this well aren’t the ones with the most restrictive communication policies — they’re the ones with the most thoughtful ones. A tiered approach lets you send high-frequency, low-sensitivity messages (reminders, billing) freely and efficiently, while keeping clinical communications in appropriately secure channels.
The result is a patient experience that feels responsive and modern, not locked behind compliance friction.
Key Takeaways
- SMS is permissible under HIPAA when you limit PHI in message content and have a BAA with your texting vendor
- Use the “found phone test”: if someone found a patient’s unlocked phone, could they learn anything medical from your message? If yes, it shouldn’t go in SMS
- Email is acceptable for scheduling and general content; clinical details should route through the patient portal
- Consumer messaging apps (WhatsApp, Messenger) are not HIPAA-compliant for clinical use
- Every third-party messaging vendor must sign a BAA
- The tiered approach — SMS for alerts, portal for clinical content — gives you both compliance and patient reach
PatientPulse Care is built with HIPAA compliance at its core — BAA included, PHI controls built in, and a secure messaging module for clinical communications. Request a demo to see how it works.