Is Texting Your Patients HIPAA Compliant? A 2026 Guide for Medical Practices
Texting patients cuts no-shows and patients love it. But is it HIPAA compliant? It can be, if you set it up correctly. Here is what makes patient texting safe, where practices get it wrong, and how to do it right.

More and more medical practices text their patients: appointment reminders, results notifications, billing nudges, intake links. It is fast, patients love it, and it cuts no-shows. But every practice should be able to answer one question: is texting patients HIPAA compliant? It can be, but only if you set it up correctly. Plain texts from a personal phone are not.
The short answer
Texting patients is HIPAA compliant when the message, the platform, and your process all protect electronic protected health information (ePHI). A reminder with no health detail carries little risk. A text with a diagnosis, a result, or a treatment detail is ePHI, and sending that over standard SMS, with no encryption, no business associate agreement, and no audit trail, is a HIPAA problem.
When texting patients is (and is not) compliant
Two factors decide it: what is in the message, and how it is sent.
- Low risk: appointment reminders and logistics with no clinical information, sent with the patient's prior agreement to be texted.
- Higher risk: anything with health details, results, or content that identifies a condition. This is ePHI and needs a secure channel.
- Not compliant: ePHI sent over ordinary SMS or a staff member's personal phone, with no BAA, encryption, or access controls.
What makes patient texting compliant
If you want to text patients safely, these are the controls that matter:
- A signed BAA with your texting or messaging vendor. No BAA means no compliant texting.
- A secure, encrypted platform built for healthcare, not consumer SMS. Messages should be encrypted in transit and at rest.
- Patient consent to be contacted by text, documented in your records.
- Minimum necessary: keep clinical detail behind a secure portal login, not in the text itself.
- Access controls and audit logs so only authorized staff send messages and every message is traceable.
- No PHI on personal devices. Staff use the practice's approved platform, not their own phones.
Standard SMS vs secure messaging
Regular SMS travels unencrypted through carrier networks, cannot be recalled, and your carrier will not sign a BAA. That makes it fine for "your appointment is confirmed" but unsafe for anything clinical. HIPAA-compliant messaging platforms solve this with encryption, BAAs, access controls, and logging, and many integrate directly with your EHR and phone system so reminders and secure messages run from one place.
Practical rules for your front desk
- Use your approved platform for all patient texting, never personal phones.
- Keep reminders generic; never put results or diagnoses in a text.
- Get and record consent before texting a patient.
- Send clinical information through the secure portal, not SMS.
- Make sure a BAA is in place with every vendor that touches a message.
How ACS helps practices text patients safely
We set up patient communication that is both convenient and compliant: a secure, BAA-backed messaging platform, integrated with your EHR and phone system, with the access controls, encryption, and audit logging HIPAA expects. We document it as part of your HIPAA compliance program and train your team so the rules are easy to follow. It is one piece of the managed IT and cybersecurity we run for medical practices every day.
Frequently asked questions
Can we text appointment reminders to patients?
Yes. Reminders that contain no clinical detail are low risk, especially when the patient has agreed to be texted. Keep them generic and leave out any health information.
Is regular SMS ever okay for patient communication?
Only for non-clinical logistics, and ideally with consent. Anything involving health details should go through a secure, BAA-backed platform, not standard SMS.
Do we need a BAA with our texting provider?
Yes. Any vendor that transmits or stores messages containing ePHI is a business associate and must sign a BAA. If they will not, do not use them for anything clinical.
What is the safest way to send a patient their results?
Send a generic notification that results are ready and direct the patient to log in to the secure portal to view them. Keep the clinical detail out of the text itself.
Not sure if your patient texting is compliant?
Book a free 30-minute assessment and we will review how your practice communicates with patients and show you exactly where the gaps are. No obligation.