HIPAA-Compliant Texting for Medical and Dental Practices: What Actually Matters
Patients overwhelmingly prefer texting their healthcare providers — and most front desks are terrified to do it. The fear is understandable but mostly misplaced: HIPAA does not ban texting. It bans being careless with protected health information (PHI). With the right platform configuration and a signed BAA, texting is not just legal — it's become standard of care for patient communication.
What HIPAA actually requires
- ▸ A Business Associate Agreement (BAA) with any vendor that transmits or stores PHI on your behalf — including your communications platform
- ▸ Access controls: only authorized staff can view patient conversations, with unique logins (no shared 'frontdesk' account)
- ▸ Audit logging: a record of who accessed what, when
- ▸ Encryption in transit for messages moving through the platform
- ▸ Reasonable safeguards against misdirected messages (verified numbers, contact matching)
Reminders vs. PHI: the line that matters
Appointment reminders with limited information — name, date, time, provider — are broadly permissible under HIPAA's treatment-communication provisions, and patients can consent to more. The danger zone is clinical detail: diagnoses, test results, medications in an unencrypted SMS body. The practical pattern: use texts for logistics (confirmations, reschedules, balance notices, form links) and pull anything clinical behind a secure link or a phone call.
Patient consent, simply
Get texting consent at intake (a checkbox on your digital forms), honor opt-outs automatically, and document both. Standard SMS is technically unencrypted on the carrier leg — which is why consent plus minimum-necessary content is the compliant pattern the industry has settled on, and why regulators have focused enforcement on breaches and carelessness, not on reminder texts.
Your compliance checklist
- ▸ Signed BAA with your communications vendor (Talk Is Cheap includes one on Real Talk and above)
- ▸ Individual staff logins with role-based access to conversations and recordings
- ▸ Texting consent captured at intake and stored
- ▸ Templates reviewed so automated messages carry logistics, not clinical detail
- ▸ Audit logs enabled; a named person reviews access quarterly
- ▸ Staff trained: clinical content goes to secure channels, not SMS bodies
The bottom line
If your current vendor waves at 'HIPAA-friendly' but won't sign a BAA, that's your answer about them. Compliance is a configuration and a contract, not a premium SKU — and refusing to text patients in 2026 doesn't protect them, it just sends them to a practice that will.