Can I send text messages to patients without violating HIPAA?

Today many patients may want to communicate with their clinical team with text messages. In 2018, Roger Severino, Director of the US Department of Health and Human Services Office for Civil Rights (OCR) announced that texting personal health information (PHI) with patients is permitted if a clinicians 1) informs the patient that texting is not secure; and 2) obtains authorization and written consent from the patient. This is the same policy the OCR uses towards sharing PHI in unprotected emails. There are also today a large number of vendor supported secure text messaging programs that a clinician/clinic can purchase.

Important things to consider:

  1. Consents: Do not text clients or members of the public without their written consent. Consent consists of signing a consent form.
  2. Security: Password protect the phone used for sending the text messages. Confirm that the cell phone number of the client is recorded correctly. Confirm all mobile devices used to send messages are secure at all times, including at home and work.
  3. Storing and deleting messages: Delete text messages after communication is completed and necessary information is documented appropriately.
  4. Message content: SMS text messages must not contain PHI. Do not store first and last names in the address book used for sending text messages. Store first name plus last initial only. Never use first and last name in a text message.
  5. Client generated messages that include PHI: Do not respond to the original text, instead, send a new message that asks the client to call you.


  • Was this Helpful ?
  • YesNo