HIPAA-compliant texting and encrypted messaging: what the rules actually require
Standard SMS is not encrypted and has no audit trail — two requirements HIPAA imposes on any system that transmits ePHI. Here is what the Security Rule, Privacy Rule, and 2026 NPRM mean for your messaging workflow.
By CoreFolio
19-minute read
Clinicians and staff text constantly. A nurse confirms a medication change with the attending physician. A hospice social worker sends the case manager an update from a patient's home. A dental office manager texts the treatment coordinator about a patient's insurance issue. These are normal, useful communications — and in most practices they happen over standard SMS, which is not encrypted and has no audit trail.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not mention text messaging. The law was enacted before the first smartphone existed. But the Security Rule's technical safeguard requirements apply to every electronic system that creates, receives, maintains, or transmits electronic protected health information (ePHI) — and courts, the Office for Civil Rights (OCR), and the Centers for Medicare & Medicaid Services (CMS) have consistently interpreted that to include text messages containing patient data.
This article explains what the rules require, what standard SMS lacks, what a defensible messaging setup looks like, and what the proposed 2026 updates would change.
Why HIPAA applies to text messages
The Health Insurance Portability and Accountability Act imposes requirements through three main rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. All three can apply when a practice uses text messaging.
The Security Rule (45 CFR Part 164, Subpart C) requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect ePHI. The technical safeguards standard at 45 CFR § 164.312 explicitly governs "transmission security" — the requirement to guard against unauthorized access to ePHI transmitted over an electronic communications network. A text message transmitted over a cellular or wireless network falls within this requirement.
The Privacy Rule (45 CFR Part 164, Subpart E) governs how protected health information (PHI) — the broader category that includes both electronic and non-electronic records — may be used and disclosed. Sending a patient's diagnosis, treatment, or appointment information to an unauthorized recipient via any channel, including SMS, is an impermissible disclosure under 45 CFR § 164.502.
The Breach Notification Rule (45 CFR Part 164, Subpart D) requires covered entities to notify affected individuals, OCR, and in some cases the media when unsecured PHI is breached. A misdirected text message containing PHI — sent to the wrong number, accessible on a lost phone, or intercepted in transit — may trigger breach notification obligations.
What makes standard SMS non-compliant for ePHI
Standard SMS — the built-in text messaging protocol that carriers use to deliver "green bubble" messages — was designed for convenience, not security. It fails the Security Rule's technical safeguard requirements in several distinct ways.
No encryption in transit. Standard SMS is carried as signaling traffic over the Signaling System No. 7 (SS7) network that connects carriers. SS7 was designed in the 1970s on the assumption that every connected operator could be trusted, so it has no end-to-end confidentiality and has documented weaknesses that allow messages to be intercepted or redirected. The Security Rule's transmission security standard at 45 CFR § 164.312(e)(1) requires technical security measures to guard against unauthorized access to ePHI transmitted over electronic networks. Encryption is currently listed as an "addressable" specification, meaning a covered entity may document why it chose an equivalent alternative, but for messaging ePHI over a public carrier network there is no documented alternative to encryption that a practice in 2026 can realistically defend.
No encryption at rest that the practice controls. Whether SMS content on a phone is encrypted at rest depends on the handset's own storage encryption and lock screen, not on anything in the messaging channel; with no passcode set, or once the phone is unlocked and handed over, every thread is readable by whoever holds the device, and the carrier keeps its own copy of the message outside the practice's control. The encryption and decryption specification at 45 CFR § 164.312(a)(2)(iv) (also currently addressable) calls for a mechanism to encrypt and decrypt ePHI. With native SMS the practice has no mechanism it can configure, verify, or document.
No access controls or unique user identification. Under 45 CFR § 164.312(a)(1), covered entities must implement technical policies and procedures that allow access to ePHI only to authorized persons. SMS does not require authentication to read a received message — anyone with access to the device can read every thread. There is no concept of role-based access or individual user identification.
No audit logs. The audit controls standard at 45 CFR § 164.312(b) requires implementing hardware, software, or procedural mechanisms that record and examine activity involving ePHI. Standard SMS carriers do not maintain logs of who read a message, when it was accessed, or whether it was forwarded.
No automatic logoff. The automatic logoff specification at 45 CFR § 164.312(a)(2)(iii) requires implementing electronic procedures that terminate a session after a predetermined period of inactivity. The native SMS app has no concept of session timeout.
No business associate agreement. Any vendor that creates, receives, maintains, or transmits ePHI on behalf of a covered entity must sign a business associate agreement (BAA) under 45 CFR § 164.308(b). Mobile carriers do not sign BAAs for standard SMS service; in OCR's guidance a carrier that merely moves the message is a conduit, like an internet service provider or the postal service, and the rule does not expect a BAA from a conduit. The consequence is that nobody in the path between sender and recipient is contractually bound to safeguard the message, report a breach, or restrict its use, so the practice has no contractual protection and no audit rights to point to.
What a compliant secure messaging platform must provide
A secure messaging platform built for healthcare addresses each gap above. When evaluating a platform, the Security Rule's technical safeguard standards provide the checklist.
Encryption in transit and at rest. The platform must encrypt messages while they travel across the network (Transport Layer Security (TLS) 1.2 or higher is the current minimum; TLS 1.3 is preferred) and while they are stored on servers and devices (AES with a 256-bit key is the usual choice). The Security Rule itself names no algorithm; OCR's guidance on rendering PHI unusable, unreadable, or indecipherable points to the NIST publications on storage encryption (SP 800-111) and on TLS (SP 800-52) as the benchmarks, so ask the vendor which NIST-referenced configuration it follows. Note that TLS protects the path between the app and the vendor's servers; what happens to the message on those servers is governed by the at-rest encryption and the BAA. Together this addresses the transmission security standard (§ 164.312(e)(1)) and the encryption-at-rest specification (§ 164.312(a)(2)(iv)).
Unique user identification and access controls. Every person who uses the platform must have a unique username and credential that ties every message to an identified individual. Role-based access controls should restrict which staff can see which patient conversations. This addresses the access control standard at § 164.312(a)(1) and the unique user identification specification at § 164.312(a)(2)(i).
Automatic session logoff. The platform must lock or terminate a session after a configurable period of inactivity on the device. This addresses § 164.312(a)(2)(iii).
Audit logging. The platform must log who sent each message, when it was sent, when it was delivered, and when it was read, and the logs must be retained and accessible for review. The Security Rule sets no retention period for audit logs themselves; the six-year requirement at § 164.316(b)(2)(i) (and at § 164.530(j) for Privacy Rule documentation) applies to policies, procedures, and the records of actions and assessments the rules require. Set the log retention period in the risk analysis, confirm the vendor can meet it, and document the decision. This addresses the audit controls standard at § 164.312(b).
A signed business associate agreement. Before using any platform to transmit ePHI, the covered entity must execute a BAA with the vendor. The BAA must specify the vendor's obligations to safeguard PHI, report breaches, and restrict use of the data. Without a BAA, using a platform to transmit ePHI is itself a violation under § 164.308(b)(1).
Device security. Many compliant platforms include mobile device management (MDM) features or require device-level encryption as a condition of use. This addresses the physical safeguards requirements for device and media controls at 45 CFR § 164.310.
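As an added illustration of the checklist above (not code from the original article or from any vendor's product), the following Python model enforces the server-side controls a platform has to get right: unique user identification, role-based access to patient threads, an inactivity logoff, and an append-only audit record of send, read, denied and logoff events. The class and method names, the user identifiers and roles, the ten-minute timeout, the thread identifier and the message text are all constructed assumptions; an actual platform would add credential and MFA checks at login and would encrypt the stored messages, which this model keeps in memory.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

SESSION_TIMEOUT = timedelta(minutes=10)   # assumed policy value; set it in the risk analysis


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor: str      # unique user identification (§ 164.312(a)(2)(i))
    action: str     # login, send, read, denied, logoff
    thread: str
    detail: str = ""


class PermissionDenied(Exception):
    pass


class SecureMessaging:
    """Toy model of the access-control, logoff and audit logic of a messaging
    server. Message bodies are held in memory here; a real platform encrypts
    them at rest and in transit."""

    def __init__(self, clock=None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._roles: Dict[str, str] = {}             # user_id -> role
        self._thread_acl: Dict[str, Set[str]] = {}   # thread_id -> roles allowed
        self._last_seen: Dict[str, datetime] = {}    # user_id -> last activity
        self._messages: Dict[str, List[tuple]] = {}  # thread_id -> [(msg_id, sender, text)]
        self._audit: List[AuditEvent] = []           # append-only

    def _log(self, actor: str, action: str, thread: str = "", detail: str = "") -> None:
        self._audit.append(AuditEvent(self._clock(), actor, action, thread, detail))

    def add_user(self, user_id: str, role: str) -> None:
        self._roles[user_id] = role

    def create_thread(self, thread_id: str, allowed_roles: Set[str]) -> None:
        self._thread_acl[thread_id] = set(allowed_roles)
        self._messages[thread_id] = []

    def login(self, user_id: str) -> None:
        # Credential and MFA verification would happen here (omitted).
        if user_id not in self._roles:
            raise PermissionDenied(f"unknown user {user_id}")
        self._last_seen[user_id] = self._clock()
        self._log(user_id, "login")

    def _require_session(self, user_id: str) -> None:
        """Automatic logoff (§ 164.312(a)(2)(iii)): expire idle sessions."""
        last = self._last_seen.get(user_id)
        now = self._clock()
        if last is None:
            raise PermissionDenied("no active session")
        if now - last > SESSION_TIMEOUT:
            del self._last_seen[user_id]
            self._log(user_id, "logoff", detail="inactivity timeout")
            raise PermissionDenied("session expired")
        self._last_seen[user_id] = now

    def _authorize(self, user_id: str, thread_id: str, action: str) -> None:
        """Role-based access (§ 164.312(a)(1)); denials are audited too."""
        self._require_session(user_id)
        role = self._roles[user_id]
        if role not in self._thread_acl.get(thread_id, set()):
            self._log(user_id, "denied", thread_id, f"{action} as {role}")
            raise PermissionDenied(f"{user_id} ({role}) may not {action} {thread_id}")

    def send(self, user_id: str, thread_id: str, text: str) -> str:
        self._authorize(user_id, thread_id, "send")
        msg_id = f"{thread_id}-{len(self._messages[thread_id]) + 1}"
        self._messages[thread_id].append((msg_id, user_id, text))
        self._log(user_id, "send", thread_id, msg_id)
        return msg_id

    def read(self, user_id: str, thread_id: str) -> List[str]:
        self._authorize(user_id, thread_id, "read")
        msgs = self._messages[thread_id]
        self._log(user_id, "read", thread_id, ",".join(m[0] for m in msgs))
        return [m[2] for m in msgs]

    def is_logged_in(self, user_id: str) -> bool:
        return user_id in self._last_seen

    def audit_trail(self, thread_id: str = None) -> List[AuditEvent]:
        return [e for e in self._audit if thread_id is None or e.thread == thread_id]


class FakeClock:
    """Injectable clock so the inactivity timeout can be exercised offline."""
    def __init__(self, start: datetime):
        self.t = start

    def __call__(self) -> datetime:
        return self.t

    def advance(self, delta: timedelta) -> None:
        self.t += delta


def demo() -> dict:
    """Constructed scenario: a nurse messages the on-call physician, a billing
    user is refused access, and the nurse's idle session is logged off."""
    clock = FakeClock(datetime(2026, 1, 5, 2, 0, tzinfo=timezone.utc))
    p = SecureMessaging(clock)
    for uid, role in [("rn.alvarez", "nurse"), ("md.chen", "physician"), ("billing.patel", "billing")]:
        p.add_user(uid, role)
        p.login(uid)
    p.create_thread("pt-0042", {"nurse", "physician"})
    p.send("rn.alvarez", "pt-0042", "Pt in room 4: pain 8/10, requesting MD review of PRN order")
    seen = p.read("md.chen", "pt-0042")
    denied = expired = False
    try:
        p.read("billing.patel", "pt-0042")
    except PermissionDenied:
        denied = True
    clock.advance(timedelta(minutes=11))          # past SESSION_TIMEOUT
    try:
        p.send("rn.alvarez", "pt-0042", "follow-up")
    except PermissionDenied:
        expired = True
    return {
        "seen": seen,
        "denied": denied,
        "expired": expired,
        "actions": [(e.actor, e.action) for e in p.audit_trail("pt-0042")],
        "logoffs": [e.actor for e in p.audit_trail() if e.action == "logoff"],
        "logged_in": p.is_logged_in("rn.alvarez"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the injectable clock is that the logoff rule is testable without waiting; the point of logging the denial is that the audit trail answers "who tried to read this thread" as well as "who did".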
Administrative requirements that accompany any messaging workflow
Technical controls are only part of the picture. The administrative safeguard requirements at 45 CFR § 164.308 apply whenever a practice adopts a new messaging workflow.
Conduct a risk analysis. Under § 164.308(a)(1)(ii)(A), covered entities must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI in their environment. Adopting a secure messaging platform is a new technology that processes ePHI, which means it must be evaluated in the risk analysis before deployment — not after. CMS reinforced this requirement in its February 2024 guidance memorandum on secure texting platforms (CMS QSO-24-05), stating explicitly that risk assessment should precede adoption.
Train your workforce. The workforce training requirement at § 164.308(a)(5) requires covered entities to implement procedures for authorizing access to ePHI and train every member of the workforce who handles it. Training must cover what may and may not be sent, what platform must be used, and what to do if a message is sent to the wrong recipient.
Apply the minimum-necessary standard. The Privacy Rule's minimum-necessary standard at 45 CFR § 164.502(b) requires that uses, disclosures, and requests of PHI be limited to the minimum necessary to accomplish the purpose. It has stated exceptions, including disclosures to, and requests by, a health care provider for treatment (§ 164.502(b)(2)(i)), but it still governs uses inside the practice and every non-treatment purpose such as scheduling and billing. Applied to messaging: an appointment reminder should not include a diagnosis. A "patient in room 4 needs you" alert should not include the patient's full name or condition if those details are not needed for the recipient to act. This standard applies both to how the platform is configured and to the habits of the person composing the message.
Document your policies and procedures. Under § 164.316(b)(1), covered entities must maintain written policies and procedures for their HIPAA safeguards and retain documentation for six years. A messaging policy — specifying which platform is approved, what types of information may be sent, and what happens when staff violate the policy — must exist in writing.
The patient communication exception: when unencrypted SMS may be permissible
The rules described above govern staff-to-staff messaging and provider-to-patient messaging initiated by the practice. A separate, narrower set of rules governs patient-to-provider communication and patient requests for a particular communication channel.
Under 45 CFR § 164.522(b), every covered health care provider must accommodate reasonable requests by patients to receive communications by alternative means or at alternative locations. That includes a patient's request to receive health information by standard SMS, even though SMS is not encrypted.
The framework for accommodating such a request:
- Inform the patient of the risks. Before complying with a request for unencrypted communication, the covered entity should advise the patient that standard SMS is not secure and that the message could be intercepted or accessed by unauthorized parties. The HHS Office for Civil Rights has confirmed this in agency guidance on email and text communications (HHS FAQ, "Does HIPAA permit covered entities to use email?").
- Document the patient's informed choice. The patient's acknowledgment that they understand the risks and still prefer SMS should be documented in the medical record. The Omnibus Rule commentary (78 Fed. Reg. 5634) confirms that a covered entity may communicate with patients via unencrypted channels when the patient has been warned and elected to proceed.
- Offer a compliant alternative. The patient should always be offered a secure alternative. If they decline and accept the risk, proceeding with their preferred channel is permissible. If they later object, the practice must switch.
Patient-initiated messages are treated differently. When a patient initiates a text message to the practice, OCR guidance indicates the provider may assume the patient accepts the risks of that channel — unless the patient has explicitly stated otherwise. The ePHI received from the patient's message becomes the practice's responsibility to protect from that point forward (45 CFR Part 164, Subpart C applies once the practice is in possession of it), but the channel itself was the patient's choice.
Important limitation: the patient communication exception applies only to provider-to-patient messages and patient-initiated messages. It does not authorize staff-to-staff messaging over unencrypted channels, even when the subject matter involves a specific patient. Clinician-to-clinician coordination requires a compliant platform.
Encrypted SMS vs. a secure messaging platform: the difference matters
Search results for "encrypted SMS" often describe two different things, and the distinction matters for HIPAA.
Encrypted SMS in the consumer sense most often refers to messaging applications that provide end-to-end encryption over an internet connection rather than the cellular SS7 protocol — consumer encrypted-messaging apps are examples of this category. These apps encrypt content in transit, but consumer versions typically do not sign BAAs, do not maintain compliant audit logs, do not enforce access controls or automatic logoff, and do not meet the full set of Security Rule requirements. Encrypted-by-default does not equal HIPAA-ready.
A HIPAA-compliant secure messaging platform is a purpose-built tool that addresses all five technical safeguard standards at § 164.312 (access control, audit controls, integrity, person or entity authentication, and transmission security), not just encryption in transit, and that is backed by a signed BAA. The full stack, meaning encryption, unique user identification and access controls, audit logging, session timeout, and the BAA, must be present and documented.
When evaluating a vendor, confirm in writing that the vendor will sign a BAA, and ask for documentation that the platform addresses each of the five § 164.312 standards. General marketing claims about "encryption" or "security" are not a substitute for a signed agreement and a reviewed architecture. The BAA is the contractual evidence that matters.
What the proposed 2026 rule would change
The 2026 Notice of Proposed Rulemaking (NPRM), published January 6, 2025 (90 Fed. Reg. 898), would make two changes directly relevant to messaging.
Encryption would become mandatory. Under the current Security Rule, encryption is an "addressable" specification — a covered entity can document why it chose an alternative safeguard instead. The NPRM proposes removing the addressable/required distinction entirely. Encryption of ePHI at rest and in transit would become a mandatory standard with only a narrow exception: an individual patient may request to receive their own ePHI in unencrypted form. That exception does not create permission for a covered entity to operate messaging infrastructure without encryption by default.
Multi-factor authentication would become mandatory. The proposed rule would also reclassify multi-factor authentication (MFA) from addressable to required for every system that touches ePHI. For messaging platforms, this means the login step for the platform — not just the message itself — must require a second factor.
The rule is not yet final. The comment period closed March 7, 2025, with approximately 4,700 submissions. A final rule has not been published as of the date this article was last verified, and the current Security Rule remains in effect. Practices making technology investments in messaging infrastructure should build toward the proposed standard given the direction of enforcement, and should consult compliance counsel about implementation timelines once the final rule is published.
Mobile and field-based care: where messaging gaps concentrate
The HIPAA requirements for encrypted messaging apply uniformly to every covered entity. But the risk of an informal texting gap is highest where clinical staff routinely work away from a fixed workstation — in patient homes, across multiple sites, or in the community. The following settings share a common structural pressure: the work demands real-time coordination, staff typically have a phone in their pocket, and a purpose-built secure platform can feel like friction compared to the native SMS app.
Home health agencies
Home health nurses, physical therapists, occupational therapists, and speech therapists spend their days moving between patient homes. They coordinate with supervising physicians, intake coordinators, and each other throughout the day — often from a personal phone. Under the CMS Conditions of Participation for home health agencies (42 CFR Part 484), agencies must maintain clinical records that are accurately written, promptly completed, properly filed, and accessible (42 CFR § 484.110). Any clinical communication that constitutes a record must be captured — not left to disappear when a staff member's phone is replaced.
Home health agencies face the same bring your own device (BYOD) pressures as hospice agencies: field clinicians often use personal smartphones, and agencies with lean budgets cannot always provide dedicated devices. The Security Rule obligations are unchanged by who owns the hardware. The approved messaging platform must be the channel for ePHI regardless of whether the device is agency-issued or personal, and mobile device management (MDM) policies must address the personal-device scenario explicitly.
Hospice
A hospice interdisciplinary group (IDG) — nurses, physicians, social workers, chaplains, home health aides, and often volunteer coordinators — coordinates care across private homes, assisted living facilities, and inpatient units. The pace is genuine: a nurse at a patient's home at 2 a.m. needs to reach the on-call physician immediately, and the default is whatever communication tool is already on the phone.
Under 42 CFR Part 418 (the hospice Conditions of Participation), patients have an explicit right to a confidential clinical record. 42 CFR § 418.52(c)(5) states that "access to or release of patient information and clinical records is permitted in accordance with 45 CFR parts 160 and 164" — meaning the full HIPAA Privacy and Security Rules apply. Hospice agencies are covered entities under HIPAA.
Hospice care also involves a layer of communication that home health does not always share: family caregivers as the primary day-to-day contact. A family member managing a patient's last weeks may expect to receive nursing updates by text. Two questions arise. First, who is the authorized recipient? A family caregiver involved in the patient's care may receive PHI under the Privacy Rule's personal representative and treatment provisions, but the hospice must confirm the patient has authorized that disclosure and verify the caregiver's identity before sharing clinical details. Second, what channel is permissible? The patient communication exception under 45 CFR § 164.522(b) described earlier applies: if the patient or their authorized representative has requested updates by text and been informed of the risks, the agency may accommodate that preference — and the documentation of that informed choice belongs in the clinical record.
Behavioral health mobile teams
Assertive Community Treatment (ACT) teams, mobile crisis response units, and community mental health outreach workers operate almost entirely in the field. An ACT team member may contact a psychiatric nurse practitioner, a peer support specialist, and a case manager in sequence during a single home visit. Because behavioral health information carries heightened sensitivity and because many behavioral health patients have complicated relationships with formal institutions, the informal SMS habit can seem harmless — it is not.
Behavioral health providers who handle substance use disorder records face an additional layer: 42 CFR Part 2 governs those records with stricter consent requirements than standard HIPAA, and a 2024 Final Rule (aligning Part 2 more closely with HIPAA) changed but did not eliminate those additional protections. Any mobile communication workflow involving substance use disorder records must be reviewed against both HIPAA and the applicable Part 2 requirements.
PACE programs
Programs of All-inclusive Care for the Elderly (PACE) coordinate care across three settings simultaneously: the participant's home, the PACE adult day health center, and inpatient or specialist facilities. The PACE interdisciplinary team (IDT) is required under 42 CFR Part 460 to meet regularly and communicate continuously about each participant's plan of care (42 CFR § 460.98). That level of coordination among staff who rotate across all three settings creates persistent pressure to communicate quickly by phone. The same HIPAA requirements apply.
The shared pattern across all these settings
Each of these care models shares the same risk profile: the clinical need for immediate communication is real and urgent, the workforce is mobile, personal phones are at hand, and the administrative infrastructure to enforce a secure channel is harder to maintain than in a fixed-location clinic. The answer is the same in every case: a purpose-built secure messaging platform covered by a BAA, included in the risk analysis, and enforced by written policy and training. The urgency of the clinical setting does not create a HIPAA exception; it creates a greater obligation to make the compliant tool easy enough to use that staff actually reach for it first.
Personal device policies (applies across all mobile settings)
Where BYOD is in use, the practice must ensure:
- The approved messaging platform is installed on the personal device and is the only channel used for ePHI.
- MDM policies can remotely wipe the approved app (or the device) in the event of loss or termination of employment.
- Device encryption and screen-lock are required as a condition of participation.
- BYOD expectations are documented in the workforce policy and covered in training.
CMS guidance on texting patient orders
On February 8, 2024, CMS issued memorandum QSO-24-05, reversing a 2018 prohibition and clarifying that hospitals and critical access hospitals may transmit patient information and orders by text — provided the platform meets HIPAA Security Rule requirements and the Conditions of Participation at 42 CFR § 482.24 (hospitals) and 42 CFR § 485.638 (critical access hospitals). Those conditions require that orders be dated, timed, authenticated, and promptly placed in the medical record. This guidance applies specifically to hospitals and critical access hospitals. Home health, hospice, PACE, and behavioral health agencies should assess whether their own Conditions of Participation impose comparable documentation requirements on clinical communications.
Where to start if your practice has no messaging policy
The gap between "we text patients on our personal phones" and "we have a documented, BAA-covered secure messaging workflow" is a gap your risk analysis must capture before it appears in an OCR investigation.
First: include messaging in your risk analysis. The Security Rule requires a risk analysis that covers all ePHI in your environment (§ 164.308(a)(1)(ii)(A)). If you have not specifically evaluated how clinical information is communicated by text — what channels are in use, who sends what, on which devices, to which recipients — that is a gap in your risk analysis regardless of what platform you eventually choose.
Second: identify what is actually happening. Before writing a policy, document current practice. Interview staff. Ask whether they text clinical information, which apps they use, and whether they use personal or practice-issued devices. Enforcement investigations often reveal that official policy said "use secure messaging" while actual practice was "everyone texts from their personal phone." The risk analysis must reflect actual behavior, not aspirational policy.
Third: evaluate platforms against the Security Rule requirements. When reviewing vendors, use the five § 164.312 standards as your checklist: access controls, audit controls, integrity controls, authentication, and transmission security. Require the vendor to sign a BAA before deployment, not after.
Fourth: document and train. Write a written messaging policy that specifies which channel is approved, which types of information may be transmitted, and what staff should do if they send a message to the wrong recipient. Train every member of the workforce who communicates clinical information. Retain training records.
Fifth: include the platform in ongoing risk management. The Security Rule requires not just a one-time risk analysis but ongoing risk management (§ 164.308(a)(1)(ii)(B)). Periodically review whether the platform's security posture has changed, whether the BAA is current, and whether actual use matches policy.
The steps are clear. The execution — documenting current state, identifying gaps, selecting and configuring a compliant platform, writing policy, and completing workforce training — takes focused work and carries consequences if done incompletely.
Sources and citations
- 45 CFR Part 164 — HIPAA Security, Privacy, and Breach Notification Rules: ecfr.gov
- 45 CFR § 164.312 — Security Rule technical safeguards: ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312
- 45 CFR § 164.522(b) — Patient right to confidential communications by alternative means: ecfr.gov
- HHS Office for Civil Rights FAQ, "Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?": hhs.gov/hipaa/for-professionals/faq/570
- Omnibus Rule (2013), commentary on unencrypted communication with patient consent: 78 Fed. Reg. 5634 (Jan. 25, 2013)
- CMS Memorandum QSO-24-05-Hospital/CAH, "Texting of Patient Information and Orders for Hospitals and CAHs" (Feb. 8, 2024): cms.gov/files/document/qso-24-05-hospital-cah.pdf
- 2026 HIPAA Security Rule NPRM: 90 Fed. Reg. 898 (Jan. 6, 2025): federalregister.gov/d/2024-30983
- 42 CFR § 418.52(c)(5) — Hospice patient right to confidential clinical record: law.cornell.edu/cfr/text/42/418.52
- 42 CFR Part 484 — Home Health Agencies Conditions of Participation, including clinical record requirements at § 484.110: ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-484
- 42 CFR Part 460 — PACE Programs Conditions of Participation, including IDT coordination requirements at § 460.98: ecfr.gov/current/title-42/chapter-IV/subchapter-B/part-460
- 42 CFR Part 2 — Confidentiality of Substance Use Disorder Patient Records: ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2
- HIPAA civil monetary penalty tiers, 2025 inflation-adjusted schedule: 45 CFR § 102.3
This article is educational and does not constitute legal advice. Nothing here establishes or indicates that any practice "is HIPAA compliant." The regulatory standards described are a starting point for a practice's own documented risk analysis. Consult qualified legal or compliance counsel for advice specific to your organization.