HIPAA & Compliance By PatientCopilot Team

HIPAA Texting Rules: What Healthcare Practices Can and Cannot Send

Yes, you can text patients. No, not however you want. Here is the practical line between routine appointment SMS and PHI exposure — with examples of each.


Texting patients is no longer optional. SMS open rates hover around 98%, and patients increasingly expect appointment communication on their phone, not their voicemail. The question is not whether to text — it is what you are allowed to text, and through what channel.

The short answer: appointment reminders, scheduling, and generic logistics over standard SMS are fine if the patient has consented. Treatment details, diagnoses, lab results, and clinical advice are not — those need a secure messaging channel.

Here is the longer answer.

What HIPAA actually says about texting

HIPAA does not specifically address SMS. It addresses PHI — Protected Health Information — which is any individually identifiable health information transmitted or maintained in any form. The question is not “is texting HIPAA-compliant?” but “does this specific text contain PHI, and does the channel meet the Security Rule requirements?”

Standard SMS is not encrypted end-to-end. The message passes through carrier systems in the clear, sits on the patient's device (and in whatever cloud backup that device syncs to), and a copy stays on the sending side too: the texting platform, or a staff phone. For appointment logistics, that exposure is minimal. For clinical content, it is a breach waiting to happen: unencrypted PHI on a carrier network, a lost phone, and a backup you do not control.

What you can send over standard SMS

Once the patient has opted in (we will get to that):

  • Appointment reminders. “Hi Sarah, this is a reminder of your appointment Tuesday at 2pm. Reply Y to confirm or C to cancel.”
  • Scheduling logistics. “Your provider is running 15 minutes behind.”
  • Confirmation of receipt. “We received your intake forms — see you Tuesday.”
  • General office information. “We will be closed Memorial Day. Regular hours resume Tuesday.”
  • Review requests. “Thanks for visiting today. Would you mind sharing your experience? [link]”
  • Recall outreach (carefully). “It has been a few months since your last visit — want to get something on the calendar?” — fine. “Your last cleaning showed early periodontal disease and we recommend follow-up” — not fine.

The line is: if the message would be embarrassing or harmful if read by the wrong person on a lost phone, it does not belong in standard SMS. That test applies to the sender name as well as the body: if the specialty itself reveals a condition (an oncology, fertility, or addiction clinic), an otherwise generic reminder is already a disclosure, so use a neutral practice name in the message.

What you cannot send over standard SMS

  • Diagnoses, conditions, or symptoms
  • Lab or imaging results
  • Treatment plans or clinical recommendations
  • Prescription details
  • Anything that ties a specific clinical fact to the patient’s identity

For any of the above, you need a secure messaging channel: the patient portal, an encrypted messaging app covered by a BAA, or in-person or phone communication.

Consent and opt-out

Two laws shape consent: HIPAA (for PHI) and the TCPA (for SMS in general). HIPAA treats appointment reminders as part of treatment, so they need no separate authorization, but the patient must be told that standard SMS is unencrypted and a request for a different channel must be honored. The TCPA requires prior express consent before automated texts go out, and it is the law that actually bites on reminders. In practice, treat both as requiring a documented opt-in before you text. Practical rules:

  1. Capture explicit consent. Intake forms should have a checkbox: “I consent to receive text messages from [Practice] regarding appointments and care logistics.” Pre-checked boxes do not count.
  2. Provide an easy opt-out. Every inbound reply of STOP, END, CANCEL, UNSUBSCRIBE, or QUIT (match case-insensitively, and ignore surrounding whitespace and punctuation so "Stop." still counts) must immediately end further messaging. The carrier convention is one final confirmation that the patient is unsubscribed, then nothing else.
  3. Honor the channel. If a patient replies STOP to a marketing text, the law does not necessarily require you to stop appointment reminders as well (healthcare messages are treated differently from marketing in places), but the safest stance is to treat any opt-out as global across every message type, record the date, and resume only after the patient explicitly re-confirms.
  4. A2P 10DLC registration. US carriers now require business SMS to be registered through A2P 10DLC. Unregistered traffic is increasingly blocked or surcharged. This is separate from HIPAA but practically required.
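The consent and opt-out rules above, as an added example that is not PatientCopilot's code: a small Python consent ledger that records dated intake consent and rejects a pre-checked box, normalizes inbound replies and treats any of the five opt-out keywords as a global stop regardless of message category, gates every outbound send on that state, handles the Y/C confirmation replies, and routes free-text replies to staff instead of answering over SMS. The class and function names, the resubscribe keywords, the reply wording, and the sample phone number are assumptions made for the example.

```python
"""Consent ledger and opt-out keyword handling for practice SMS.

Added example, not PatientCopilot's code. Assumes an in-memory ledger
keyed by phone number and a caller-supplied transport function; a real
deployment backs both with the intake system and the SMS provider.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Optional

# Opt-out keywords named in the article, matched after normalization so
# "Stop." and " stop " count. The resubscribe keywords are an assumption.
OPT_OUT_KEYWORDS = {"STOP", "END", "CANCEL", "UNSUBSCRIBE", "QUIT"}
OPT_IN_KEYWORDS = {"START", "UNSTOP"}
FINAL_OPT_OUT_REPLY = "[Practice]: You are unsubscribed. Reply START to resubscribe."


@dataclass
class ConsentRecord:
    consented_on: Optional[date] = None  # date the intake checkbox was signed
    opted_out_on: Optional[date] = None  # date of the last STOP; None while active
    history: list = field(default_factory=list)  # dated audit trail of changes


class ConsentLedger:
    def __init__(self) -> None:
        self._records = {}  # phone -> ConsentRecord

    def record(self, phone: str) -> ConsentRecord:
        return self._records.setdefault(phone, ConsentRecord())

    def capture_intake_consent(self, phone: str, signed_on: date, box_checked: bool) -> bool:
        """Only an affirmatively checked box counts; a pre-checked default does not."""
        rec = self.record(phone)
        rec.history.append((signed_on, "intake consent" if box_checked else "intake: no consent"))
        if box_checked:
            rec.consented_on, rec.opted_out_on = signed_on, None
        return box_checked

    def can_send(self, phone: str, category: str) -> bool:
        """Opt-out is global: `category` is deliberately ignored, so a STOP sent in
        reply to a marketing text also blocks reminders until the patient resubscribes."""
        rec = self._records.get(phone)
        return rec is not None and rec.consented_on is not None and rec.opted_out_on is None


def normalize(body: str) -> str:
    """Trim whitespace and trailing punctuation, then uppercase for keyword matching."""
    return body.strip().rstrip(".!").strip().upper()


def handle_inbound(ledger: ConsentLedger, phone: str, body: str, today: date):
    """Classify an inbound reply. Returns (action, auto_reply); auto_reply is None
    when the message must be handled by staff through the secure channel."""
    word = normalize(body)
    rec = ledger.record(phone)
    if word in OPT_OUT_KEYWORDS:
        rec.opted_out_on = today
        rec.history.append((today, f"opt-out via {word}"))
        return "opted_out", FINAL_OPT_OUT_REPLY  # one confirmation, then silence
    if word in OPT_IN_KEYWORDS:
        if rec.consented_on is None:
            return "no_consent_on_file", None  # a keyword alone is not intake consent
        rec.opted_out_on = None
        rec.history.append((today, f"resubscribed via {word}"))
        return "resubscribed", "[Practice]: You are resubscribed to appointment texts."
    if word == "Y":
        return "confirmed", "[Practice]: Thanks, your appointment is confirmed."
    if word == "C":
        return "cancelled", "[Practice]: Your appointment is cancelled. Call us to reschedule."
    # Free text may contain PHI ("what did my MRI show?"); never answer it over SMS.
    return "route_to_staff", None


def send_sms(ledger: ConsentLedger, phone: str, body: str, category: str,
             transport: Callable[[str, str], None]) -> bool:
    """Every outbound message passes the ledger gate before it reaches the transport."""
    if not ledger.can_send(phone, category):
        return False
    transport(phone, body)
    return True


def demo() -> dict:
    """Constructed walkthrough: pre-checked box, consent, reminder, STOP, START."""
    ledger, outbox = ConsentLedger(), []
    transport = lambda phone, body: outbox.append((phone, body))  # stands in for the SMS provider
    phone = "+15555550100"  # constructed sample number
    results = {}
    results["prechecked_box"] = ledger.capture_intake_consent(phone, date(2024, 3, 1), box_checked=False)
    results["start_without_consent"] = handle_inbound(ledger, phone, "START", date(2024, 3, 1))[0]
    results["send_without_consent"] = send_sms(ledger, phone, "Reminder: Tue 2pm", "reminder", transport)
    ledger.capture_intake_consent(phone, date(2024, 3, 1), box_checked=True)
    results["send_with_consent"] = send_sms(ledger, phone, "Reminder: Tue 2pm. Reply Y or C.", "reminder", transport)
    results["reply_y"] = handle_inbound(ledger, phone, "y", date(2024, 3, 2))[0]
    results["stop"] = handle_inbound(ledger, phone, " Stop. ", date(2024, 3, 3))
    results["send_after_stop"] = send_sms(ledger, phone, "We close Memorial Day", "office_info", transport)
    results["start"] = handle_inbound(ledger, phone, "START", date(2024, 3, 4))[0]
    results["send_after_start"] = send_sms(ledger, phone, "Reminder: Fri 9am", "reminder", transport)
    results["free_text"] = handle_inbound(ledger, phone, "What did my MRI show?", date(2024, 3, 5))
    results["outbox_size"] = len(outbox)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The one message that legitimately leaves after a STOP is the final unsubscribe confirmation that handle_inbound returns; send it straight to the transport rather than through send_sms, whose gate is meant to refuse everything else. Persist each record's history: it is the dated, stored consent record the setup checklist later asks for, and it is what you produce when a patient or regulator asks why a text was sent.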

Where most practices get tripped up

  • Forwarding a patient’s question by text to a colleague. “Hey Dr. M, this patient wants to know about their MRI results — what do I say?” That text contains PHI and just left a controlled environment. Use the EHR’s secure messaging.
  • Texting from personal phones. A staff member texting from their personal cell about a specific patient creates an audit and discovery nightmare. Use a business texting system tied to the practice number.
  • Group texts with patients. Adding two patients to the same thread is a PHI disclosure between them. Always 1:1.
  • Photos. A patient texts a photo of a rash. You now have PHI on a staff phone in standard SMS. Move it to the EHR, then delete it from the phone and from any photo or message backup the phone synced it to.

The practical setup most practices need

  1. A business SMS system (not personal phones) tied to the practice number.
  2. A2P 10DLC registration completed.
  3. Consent captured in intake — recorded, dated, and stored.
  4. A clear policy on what staff can and cannot text (and training for it).
  5. A secure messaging fallback (portal, or an encrypted app covered by a BAA) for anything clinical.

How PatientCopilot fits

PatientCopilot handles the business SMS layer with A2P 10DLC registration done for you, consent capture tied to intake, automatic opt-out handling, and a BAA in place. Clinical content stays in your EHR’s secure messaging — we do not try to replace that.


Tags:

#HIPAA #SMS #texting #compliance



Ready to Get Started?

Contact us today — we're here to help.
