All articles
Compliance 8 min read

HIPAA-Compliant Texting for Medical and Dental Practices: What Actually Matters

Patients overwhelmingly prefer texting their healthcare providers — and most front desks are terrified to do it. The fear is understandable but mostly misplaced: HIPAA does not ban texting. It bans being careless with protected health information (PHI). With the right platform configuration and a signed BAA, texting is not just legal — it's become standard of care for patient communication.

What HIPAA actually requires

  • A Business Associate Agreement (BAA) with any vendor that transmits or stores PHI on your behalf — including your communications platform
  • Access controls: only authorized staff can view patient conversations, with unique logins (no shared 'frontdesk' account)
  • Audit logging: a record of who accessed what, when
  • Encryption in transit for messages moving through the platform
  • Reasonable safeguards against misdirected messages (verified numbers, contact matching)

Reminders vs. PHI: the line that matters

Appointment reminders with limited information — name, date, time, provider — are broadly permissible under HIPAA's treatment-communication provisions, and patients can consent to more. The danger zone is clinical detail: diagnoses, test results, medications in an unencrypted SMS body. The practical pattern: use texts for logistics (confirmations, reschedules, balance notices, form links) and pull anything clinical behind a secure link or a phone call.

Patient consent, simply

Get texting consent at intake (a checkbox on your digital forms), honor opt-outs automatically, and document both. Standard SMS is technically unencrypted on the carrier leg — which is why consent plus minimum-necessary content is the compliant pattern the industry has settled on, and why regulators have focused enforcement on breaches and carelessness, not on reminder texts.

Your compliance checklist

  • Signed BAA with your communications vendor (Talk Is Cheap includes one on Real Talk and above)
  • Individual staff logins with role-based access to conversations and recordings
  • Texting consent captured at intake and stored
  • Templates reviewed so automated messages carry logistics, not clinical detail
  • Audit logs enabled; a named person reviews access quarterly
  • Staff trained: clinical content goes to secure channels, not SMS bodies

The bottom line

If your current vendor waves at 'HIPAA-friendly' but won't sign a BAA, that's your answer about them. Compliance is a configuration and a contract, not a premium SKU — and refusing to text patients in 2026 doesn't protect them, it just sends them to a practice that will.

Ready to stop overpaying for dial tone?

Get the whole platform — voice, text, video, AI — from $14.99 per user. Set up today, port your number free, cancel whenever. Talk is cheap; switching is even cheaper.