
Standard SMS messaging falls short of federal privacy requirements in nearly every way — here's what you need to know, and what to do about it.
If your practice or organization sends appointment reminders, follow-up notes, or any health-related information via standard text message, you may be unknowingly violating HIPAA. Standard SMS is convenient — but it was never designed with patient privacy in mind.
The good news: there are practical, affordable solutions. The key is knowing the difference between what's allowed, what's not, and why.
Why Standard SMS Fails HIPAA Requirements
Standard text messaging has multiple fundamental gaps that make it incompatible with HIPAA's technical safeguards for Protected Health Information (PHI):
- No encryption in transit — SMS travels over carrier networks in plaintext, visible to carriers, infrastructure operators, and anyone who intercepts the signal
- No encryption at rest — messages stored on carrier servers and devices are not encrypted
- No access controls — there's no authentication required to read messages on an unlocked device
- No audit trails — HIPAA requires logging who accessed PHI and when; SMS provides none
- No Business Associate Agreement (BAA) possible — carriers like AT&T and Verizon do not sign BAAs
- Uncontrolled retention — there's no way to enforce message expiration or remote wipe
- No breach notification — no way to know if messages were intercepted
What Information Is Off-Limits in a Text?
HIPAA defines 18 PHI identifiers that cannot be included in a standard text message. If any of the following appear alongside health-related context, you're in violation:
- Patient names
- Geographic data smaller than a state (addresses, cities, ZIP codes)
- Dates related to an individual (birth date, admission/discharge dates, age over 89)
- Phone or fax numbers, email addresses
- Social Security numbers, medical record numbers, health plan beneficiary numbers
- Account, certificate, or license numbers
- Vehicle or device identifiers, license plates, serial numbers
- URLs, IP addresses
- Biometric identifiers (fingerprints, voice prints)
- Full-face photographs or comparable images
- Any other unique identifying number, characteristic, or code
✓ What IS allowed via standard text:
Non-PHI information — such as general office hours, directions, or non-personalized reminders — can be sent over standard SMS without issue.
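As an added example (not code from the article), a pre-send screen for an outbound SMS pipeline that flags the identifier classes listed above with simple patterns and applies the article's conservative rule: any identifier blocks the message. The patient-name roster, the `.invalid` addresses and all sample messages are constructed; the pattern set is a screen, not a full DLP engine.

```python
"""Pre-send PHI screen for an SMS reminder pipeline (hypothetical example)."""
import re

# Identifier classes from the article that have a recognisable shape in free text.
# The date pattern is deliberately broad: a non-personalized event date also trips
# it, which is the safe failure direction for an outbound SMS gate.
PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url":   re.compile(r"\bhttps?://\S+|\bwww\.\S+", re.IGNORECASE),
    "ip":    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mrn":   re.compile(r"\bMRN\s*[:#]?\s*\d{5,}\b", re.IGNORECASE),
    "zip":   re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "date":  re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def find_identifiers(text, patient_names=()):
    """Return the sorted identifier classes present in `text`.

    `patient_names` is the practice's own roster (constructed here); each entry is
    matched as a whole, case-insensitively, to avoid flagging common first names.
    """
    found = {label for label, rx in PATTERNS.items() if rx.search(text)}
    for name in patient_names:
        if re.search(r"\b" + re.escape(name) + r"\b", text, re.IGNORECASE):
            found.add("name")
            break
    return sorted(found)


def sms_allowed(text, patient_names=()):
    """Gate for the plain-SMS channel: true only when no identifier was found."""
    return not find_identifiers(text, patient_names)


# Constructed sample outbound messages and roster; not real patient data.
ROSTER = ["Maria Lopez"]
SAMPLES = [
    "Reminder: our office is open Mon-Fri 8am-5pm. Reply STOP to opt out.",
    "Hi Maria Lopez, your lab results from 03/14/2024 are ready. Call 555-010-2345.",
    "Your MRN 00123456 portal login: https://example.invalid/p?u=1",
    "Flu shots available this week, walk-ins welcome.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        verdict = "SEND" if sms_allowed(msg, ROSTER) else "BLOCK"
        print(f"{verdict:5} {find_identifiers(msg, ROSTER)!s:25} {msg}")
```

Messages that are blocked belong on an encrypted channel such as Signal or a compliant portal, as the sections below describe.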
Compliant Solutions: What Actually Works
Encrypted Messaging Apps
Encrypted messaging requires both the sender and recipient to use the same app — it's not possible to send a HIPAA-compliant encrypted message to a standard SMS inbox. That said, several free and user-friendly options exist:
- Signal — The gold standard. Free, nonprofit, available on every platform. Download at Signal.org or via the Apple or Google app stores. Signal is also the only encrypted platform that consistently provides breach notification.
- Spruce and similar HIPAA-compliant platforms — These invite patients to a secure online portal for messaging. Note: this is not true text messaging — it functions more like encrypted email.
Message Retention
Most encrypted messaging platforms offer limited retention. Signal, for example, keeps messages for only 30 days. For long-term record-keeping, encrypted email remains the most reliable solution.
What About Microsoft 365?
Microsoft 365 can support HIPAA compliance — but it is not compliant by default. Here's what's required:
- Eligible plan — You must use Microsoft 365 Business Premium, E3, or E5. Consumer plans (Outlook.com, Microsoft 365 Personal) are not HIPAA compliant.
- Business Associate Agreement — You must sign a BAA with Microsoft, which is available for qualifying business and enterprise plans.
- Proper configuration — You must set up email encryption via Microsoft Purview, multi-factor authentication (MFA), data loss prevention (DLP) policies, and audit logging.
Compliance is not automatic — the responsibility lies with your organization to use the correct plan and configure all required safeguards.
The Bottom Line
When true text messaging is desired, only non-PHI information should be sent. For anything involving patient data:
- Use an encrypted messaging app like Signal (both parties must use the same app)
- Use HIPAA-compliant encrypted email for long-term retention needs
- If using Microsoft 365, sign the BAA and configure all required security features
- When in doubt, leave PHI out of the text entirely
HIPAA compliance doesn't have to be complicated — but it does require intentional choices about the tools your practice uses to communicate. When in doubt, consult with your compliance officer or a healthcare IT specialist before sending sensitive information via any digital channel.