What are HIPAA Regulations for SMS?

HIPAA regulations for SMS require HIPAA Covered Entities and Business Associates to treat any text message that contains protected health information as a regulated disclosure. That means applying the HIPAA Privacy Rule's permissions and safeguards, the HIPAA Security Rule's safeguards for electronic protected health information, and the HIPAA Breach Notification Rule's response and notification duties whenever unsecured protected health information is impermissibly used or disclosed.

SMS is a transport method rather than a HIPAA-specific standard, so compliance is determined by the content of the message, the parties to the communication, and the controls used to protect the message and the devices that access it. Standard SMS typically lacks enterprise controls for access restriction, auditing, and centralized retention, and it may store message content on mobile devices and carrier systems outside organizational control. When protected health information is included, these characteristics create compliance and security gaps that must either be addressed through policy and technical controls or avoided by using an alternative messaging method.

The HIPAA Privacy Rule governs whether a text message disclosure is permitted. Texting protected health information for treatment, payment, or healthcare operations can be permissible when the disclosure is within HIPAA Privacy Rule limits, the recipient is verified, and reasonable safeguards are used to reduce the risk of incidental disclosure. The HIPAA Minimum Necessary Rule applies to many non-treatment disclosures, requiring the amount of protected health information in the text message to be limited to the minimum needed for the purpose. Privacy controls for texting also include workforce rules that prohibit sending protected health information to the wrong number, prohibit using personal messaging applications for protected health information unless approved, and require confirmation of patient contact information before protected health information is sent.

The HIPAA Security Rule applies when protected health information is created, received, maintained, or transmitted in electronic form, including when it is sent by text. Security compliance for texting is implemented through administrative safeguards, physical safeguards, and technical safeguards. Administrative safeguards include a documented risk analysis that covers texting workflows, defined policies for approved messaging methods, role-based authorization rules, workforce training, and sanctions for violations. Physical safeguards include device security controls for phones that receive messages, such as screen lock, workstation and device use rules, and procedures for lost or stolen devices. Technical safeguards include unique user identification, authentication controls, access controls that limit who can view messages, audit controls that support monitoring and investigation, integrity protections that reduce unauthorized alteration, and transmission security measures selected through risk analysis and risk management.

A secure messaging platform is often used when organizations need the technical controls that standard SMS does not provide. A compliant platform can support authenticated access, encryption or equivalent documented safeguards for transmission security, centralized administrative control, and audit logging. It can also support message lifecycle management, such as limiting forwarding, controlling screenshots where supported, restricting local storage, and retaining messages in a controlled archive when required by organizational recordkeeping requirements.

Vendor status matters for SMS-related services. If a texting platform provider creates, receives, maintains, or transmits protected health information on behalf of a covered entity, the provider is typically a business associate, and a Business Associate Agreement is required before protected health information is shared. The agreement should align with HIPAA Privacy Rule and HIPAA Security Rule requirements and address incident reporting and breach coordination responsibilities. Organizations should confirm which product features are covered by the agreement and restrict protected health information to those in-scope services.

Patient-requested texting requires controlled handling. HIPAA permits communicating with patients by unencrypted methods when the patient has been advised of the risk and still prefers that method, and the organization documents and honors the preference. This does not remove the obligation to apply reasonable safeguards, such as verifying the number, limiting message content, avoiding sensitive details when they are not needed, and using alternative methods for higher-risk communications when feasible under policy. Texting a patient without validating the contact number, or sending detailed clinical information through standard SMS, creates an avoidable disclosure risk.

The HIPAA Breach Notification Rule becomes relevant when a texting-related event results in an impermissible use or disclosure of unsecured protected health information and the event meets the definition of a breach. Common events include texting the wrong recipient, loss of a device with accessible messages, compromised credentials that allow message access, and use of unapproved messaging applications that store messages insecurely. Incident response procedures should require rapid reporting, investigation, documentation, and notification steps when notification is required.

A compliant SMS approach relies on a risk-based decision. Organizations can prohibit protected health information in standard SMS and require secure messaging for protected health information, or they can permit limited patient directed texting under documented safeguards, while maintaining workforce rules, device controls, auditing where available, vendor agreements where required, and breach response procedures aligned with HIPAA obligations.
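The risk-based decision described above can be enforced at the point where an outbound message is sent, so that the choice between standard SMS and a secure platform is made by policy rather than by each sender. The following is an added example, not code from the article or from any HIPAA guidance or product; the data model, the sensitivity categories and the audit record format are assumptions.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Patient:
    patient_id: str
    verified_mobile: str            # number confirmed with the patient before use
    accepts_unencrypted_sms: bool   # documented preference after being advised of risk

@dataclass
class Message:
    to_number: str
    body: str
    contains_phi: bool              # classification supplied by the sending workflow
    sensitivity: str                # assumed categories: "none", "routine", "detailed_clinical"

# Audit trail of routing decisions. The message body is deliberately never
# recorded here, so the audit log itself does not become a store of PHI.
AUDIT: List[dict] = []

def normalize_number(number: str) -> str:
    """Keep only digits and a leading '+', so formatting differences do not
    cause a correctly entered number to be treated as unverified."""
    return "".join(ch for ch in number if ch.isdigit() or ch == "+")

def route_message(patient: Patient, msg: Message) -> str:
    """Return 'sms', 'secure_platform' or 'blocked' and record an audit entry."""
    if normalize_number(msg.to_number) != normalize_number(patient.verified_mobile):
        decision, reason = "blocked", "recipient number does not match verified contact"
    elif not msg.contains_phi:
        decision, reason = "sms", "no PHI in message"
    elif msg.sensitivity == "detailed_clinical":
        decision, reason = "secure_platform", "detailed clinical content not permitted over standard SMS"
    elif not patient.accepts_unencrypted_sms:
        decision, reason = "secure_platform", "no documented patient preference for unencrypted texting"
    else:
        decision, reason = "sms", "patient-directed texting under documented safeguards"
    AUDIT.append({
        "patient_id": patient.patient_id,
        "to": normalize_number(msg.to_number),
        "decision": decision,
        "reason": reason,
    })
    return decision
```

A wrong-number send is blocked before any content leaves the organization, and every decision is traceable afterwards without the audit log holding message text.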

John Blacksmith

John Blacksmith is a seasoned journalist with deep experience in both print and digital media. He has concentrated on information technology in the healthcare field, especially in the areas of data security and privacy. His work has provided him with in-depth knowledge of HIPAA regulations. John has a journalism degree.