The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Is Texting in Violation of HIPAA?

There are many factors that determine whether a message sent via a text service is texting in violation of HIPAA. The factors include who the text is being sent by, the content of the message, the service the text is sent via, and the measures in place to prevent unauthorized access to the content of the message. It may also be the case that the recipient of the text has requested or authorized an otherwise impermissible disclosure.

For many years, when a member of a healthcare provider’s workforce sent a text message to a patient containing Protected Health Information (PHI), it was assumed the workforce member was texting in violation of HIPAA because the most commonly used text service (at the time) was “Short Message Service” (SMS) texting which lacks the controls necessary to support compliance with the Administrative and Technical Safeguards of the HIPAA Security Rule.

Although the assumption was incorrect (because a patient may have requested or authorized an otherwise impermissible disclosure), many sources still claim that texting is in violation of HIPAA – despite SMS texting rarely being used any more. In fact, there are now many text services that support HIPAA compliant text messaging, plus alternatives such as HIPAA compliant email that are just as versatile and secure as HIPAA compliant text messaging.

When is Texting in Violation of HIPAA?

To best explain when texting is in violation of HIPAA, it is helpful to review the circumstances that determine whether a text message communication is permitted or prohibited by HIPAA.

Is the sender of the text message required to comply with HIPAA?

Not all healthcare providers are required to comply with HIPAA. Healthcare providers that bill patients directly, that do not conduct healthcare transactions for which the Department of Health and Human Services (HHS) has adopted standards, or who conduct healthcare transactions electronically do not qualify as HIPAA covered entities. If a text message originates from one of these sources, it is not possible for the text message to violate HIPAA.

Only text messages that originate from a healthcare provider (or pharmacy or health plan) that qualifies as a HIPAA covered entity – or from a business associate providing a service on behalf of a HIPAA covered entity – can violate HIPAA. However, before assuming that a HIPAA covered entity or business associate is texting in violation of HIPAA, it is necessary to consider the content of the message and whether it contains information that is protected by HIPAA.

Does the text message contain information that is protected by HIPAA?

Even when a text message is sent by a HIPAA regulated entity via SMS, it is not a HIPAA violation if the content of the message does not contain information that is protected by HIPAA. This means it is permissible to send (for example) appointment reminders to patients by text, provided the content of the message does not include health, treatment, or payment information. A text message containing just a name, venue, and time does not violate HIPAA.

Some sources misinterpret what is considered Protected Health Information under HIPAA and suggest all patient identifiers are protected by HIPAA. However, identifiers are only protected by HIPAA when they are maintained in the same designated record set as health, treatment, or payment information. If the identifiers are maintained or transmitted separately, they are not protected by HIPAA – although state privacy and security regulations may apply in the event of a breach.

Why it may matter what service is used to send text messages

It was mentioned previously that many text services support HIPAA compliant text messaging – but not all do. Therefore, unless a patient has requested or authorized an otherwise impermissible disclosure (discussed below), any communication of Protected Health Information transmitted by text by a HIPAA-regulated entity must be conducted via a HIPAA compliant text messaging service covered by a HIPAA Business Associate Agreement.

The requirement for the service to be covered by a HIPAA Business Associate Agreement is important because although some services tick the box for secure messaging (e.g., WhatsApp), they may not fulfill all the criteria to be HIPAA compliant. Only when a service vendor is willing to enter into a HIPAA Business Associate Agreement can a HIPAA regulated entity meet the requirement to obtain satisfactory assurances that the vendor will safeguard PHI (§164.308(b)).

What measures need to be in place to prevent unauthorized access?

When a HIPAA regulated entity uses a HIPAA compliant text messaging (or email) service, it is important the service is configured to support compliance with the Administrative and Technical Safeguards of the HIPAA Security Rule. Members of the workforce who will use the service must be trained on how to use the service in compliance with HIPAA and measures such as access controls and encryption must be in place to prevent unauthorized access to PHI.

An important consideration when training members of the workforce is that security awareness training must be provided according to the General Requirements of the HIPAA Security Rule (§164.306(a)). The General Requirements stipulate that HIPAA regulated entities must protect against any reasonably anticipated uses or disclosures of PHI that are not permitted by the HIPAA Privacy Rule. Therefore, it may also be necessary to provide HIPAA awareness training.

Patients’ rights to request or authorize otherwise impermissible disclosures

Under §164.522(b) of the HIPAA Privacy Rule, patients have the right to request confidential communications by “alternative means” – including SMS text. If the request is “reasonable”, HIPAA regulated entities must agree to the request even if the alternative means introduces risks to the confidentiality, integrity, and availability of PHI. In such cases, the patient should be warned of the risks and offered a compliant alternative and the warning should be documented.

Technically, a patient can also authorize a disclosure of PHI via SMS text. As this would be an unusual circumstance, as well as warning the patient of the risks and offering a HIPAA compliant alternative for the transmission of PHI, HIPAA regulated entities should verify the identity of the patient making the request (if they are not already known to the sender or the authorization is requested remotely) and the identity of the recipient of the SMS text.

Penalties for Texting in Violation of HIPAA

If none of the above exclusions or conditions apply, sending a text message that contains PHI via a non-compliant text messaging service is a violation of HIPAA. If the non-compliant activity is conducted by a member of the workforce, the penalty for texting in violation of HIPAA most often depends on the content of the HIPAA regulated entity’s sanction policy, the scale or repeated nature of the violation, and the motive behind texting in violation of HIPAA.

If the workforce member sent an SMS text message due to a lack of knowledge and it is their first violation of this nature, the likely sanction will be a verbal warning and refresher training. However, if the violation was widespread or repeated, the sanction could be more serious. If the motive behind texting in violation of HIPAA was the wrongful disclosure of PHI, the workforce member could also be criminally investigated for violating §1177 of the Social Security Act.

If a HIPAA regulated entity is responsible for a workforce member texting in violation of HIPAA and a complaint is made to HHS’ Office for Civil Rights, the consequences will also depend on the scale or repeated nature of the violation and the level of culpability. Most often, the HIPAA regulated entity will be required to comply with a Corrective Action Plan, but if an investigation uncovers a cultural norm of non-compliance, the entity could be fined for non-compliance.

| Penalty Tier | Level of Culpability | Min. Penalty per Violation | Max. Penalty per Violation | Annual Penalty Limit |
|---|---|---|---|---|
| Tier 1 | Lack of Knowledge | $141 | $35,581 | $35,581 |
| Tier 2 | Reasonable Cause | $1,424 | $71,162 | $142,355 |
| Tier 3 | Willful Neglect | $14,232 | $71,162 | $355,808 |
| Tier 4 | Willful Neglect not Corrected within 30 days | $71,162 | $2,134,831 | $2,134,831 |

Penalties correct as of December 6, 2025.

Other Considerations when Texting Patients

In addition to HHS’ Office for Civil Rights penalties for texting in violation of HIPAA, state Attorneys General can also impose fines on HIPAA regulated entities – especially if the state has adopted regulations requiring patients to affirmatively opt-in to email and text communications. Compliance with HIPAA may also be used as the expected standard of care in lawsuits brought by individuals or a class action following a breach of Protected Health Information.

With this in mind, it is important to document requests for confidential communications and authorizations for otherwise impermissible disclosures of Protected Health Information via text – and keep the documentation up to date. The failure to monitor the status of patient requests and authorizations could result in a workforce member inadvertently texting in violation of HIPAA after a request for confidential communications has been amended or an authorization revoked.

It is also worth noting that HHS’ recent Notice of Proposed Rulemaking to strengthen cybersecurity for electronic Protected Health Information proposes annual HIPAA audits to ensure compliance with all applicable HIPAA Security Rule requirements. This will likely have an impact on the ways in which electronic Protected Health Information is communicated between providers and patients and may require the implementation of additional safeguards to protect health data.

HIPAA covered entities and business associates unsure about the HIPAA texting rules and whether a message sent via a text service is texting in violation of HIPAA are advised to speak with a HIPAA compliance expert. HIPAA regulated entities looking for alternatives to text messaging platforms should seek advice from a HIPAA compliant email provider.

Texting in Violation of HIPAA – FAQs

What are the HIPAA texting rules?

The HIPAA texting rules are that if an organization qualifies as a HIPAA covered entity or business associate, it is permissible to send text messages containing PHI provided a HIPAA compliant texting service covered by a Business Associate Agreement is used, and the service is configured and used in compliance with HIPAA. However, exclusions and conditions may apply, and it may be necessary to obtain an affirmative opt-in before texting patients.

Is texting HIPAA compliant?

Texting can be HIPAA compliant depending on the content of the text message(s) and the service used for texting patient information. HIPAA regulated entities are advised to implement a HIPAA text messaging policy and provide training to all members of the workforce likely to engage in HIPAA compliant texting with patients. It is also advisable to train applicable members of the workforce on documenting patient requests and authorizations.

Is texting patient names a HIPAA violation?

Texting patient names is not a HIPAA violation if there is no health, treatment, or payment information contained within the text messages. If patient names are combined in text messages with health, treatment, or payment information, whether or not texting patient names is a HIPAA violation depends on the context of the text messages, the service used for sending text messages and any patient requests or authorizations that cover the text messages.

What are HIPAA compliant text messaging services?

HIPAA compliant text messaging services vary from dedicated healthcare texting services such as TigerConnect and Rocket.Chat, to enterprise productivity tools such as Google Chat and Microsoft Teams. In all circumstances it is necessary to enter into a Business Associate Agreement with the service vendors before using any HIPAA compliant text messaging service to send text messages containing Protected Health Information unless an exception applies.

What are the HIPAA rules for text messaging when a patient initiates contact by text?

There are no HIPAA rules for text messaging when a patient initiates contact by text. However, in 2008, HHS published guidance stating that if a patient initiates communications with a provider via email, the provider can assume that email communications are acceptable to the patient. This can be interpreted to apply to text messaging patients; however, it will still be necessary to advise the patient of the risks of communicating by text and to document the warning.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
