Healthcare organizations can send HIPAA compliant text message campaigns for health and wellness reminders when the messages are related to patient care, such as appointment reminders or general health tips, and do not include sensitive health information without patient authorization. Organizations must obtain proper patient consent, use secure messaging platforms with encryption, limit the use of PHI, and provide an easy opt-out mechanism to ensure compliance. When the message involves marketing or promotes third-party services, written patient authorization is required before sending.
HIPAA sets rules for how healthcare organizations handle protected health information (PHI), including in electronic communications such as text messages. According to the HHS, "Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number)." When sending text messages that contain PHI, organizations must safeguard that data by using secure communication platforms, obtaining patient consent, and limiting the amount of personal information included in the message.
Healthcare organizations can send text messages that support patient treatment and care coordination without needing additional patient authorization. For example, reminders about upcoming appointments, medication refills, and annual checkups are part of routine patient care. They can be sent as long as security measures are in place.
Health promotion messages, such as reminders about vaccinations, health screenings, or tips for managing chronic conditions, are also generally allowed. These messages are considered part of treatment as long as they are directly related to patient care and do not involve third-party services.
The Privacy Rule defines “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” If a wellness reminder promotes a specific product, service, or third-party company, such as recommending a particular fitness program or dietary supplement, it qualifies as marketing. In these cases, organizations must obtain written patient authorization before sending the message.
In cases where the text message could be considered marketing, patient authorization is required. This written consent must clearly state what type of messages the patient agrees to receive and how their information will be used. For example, if a wellness reminder includes a promotion for a new healthcare service or partnership with an external provider, patient authorization is required.
Organizations should have a simple, clear process for obtaining consent, either through patient intake forms or through a double opt-in process for the text messaging service itself (the patient supplies a number, then confirms by reply before any campaign message is sent).
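The rules above reduce to a gating decision before each message leaves the platform: is there a confirmed SMS opt-in, has the recipient opted out since, does a marketing message carry written authorization, does the body carry opt-out instructions, and does it contain identifiers it does not need. The following Python is an added illustration of that gate, not code from the page or from any messaging vendor. The `Purpose` categories, the `ConsentRecord` fields, the reply keywords (`YES`/`STOP`) and the identifier patterns are assumptions for the example; a real deployment would map these to its own consent records and PHI rules.

```python
"""Consent-gated outbound SMS check (added example; not the page's code).

Models the rules stated in the article: treatment and health-promotion
reminders need a confirmed SMS opt-in and a recipient who has not opted out;
a message that promotes a product, service or third party is marketing and
additionally needs written authorization; bodies should carry opt-out
instructions and avoid direct identifiers. All records, keywords and
messages here are constructed samples.
"""
from dataclasses import dataclass
from enum import Enum
import re


class Purpose(Enum):
    TREATMENT = "treatment"                # appointments, refills, checkups
    HEALTH_PROMOTION = "health_promotion"  # vaccination / screening reminders
    MARKETING = "marketing"                # promotes a product, service or third party


@dataclass
class ConsentRecord:
    sms_opt_in: bool = False               # confirmed through double opt-in
    marketing_authorization: bool = False  # written HIPAA authorization on file
    opted_out: bool = False                # recipient replied STOP (or similar)


# Constructed, deliberately narrow identifier patterns for the example only.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "condition": re.compile(r"\b(diagnos\w*|HIV|cancer|depression)\b", re.I),
}

OPT_OUT_KEYWORDS = {"STOP", "UNSUBSCRIBE", "CANCEL"}
OPT_IN_KEYWORDS = {"YES", "START"}
OPT_OUT_HINT = re.compile(r"\bSTOP\b")


def handle_inbound(consent: ConsentRecord, reply: str) -> ConsentRecord:
    """Apply a patient's reply: STOP revokes SMS consent, YES confirms it."""
    word = reply.strip().upper()
    if word in OPT_OUT_KEYWORDS:
        consent.opted_out = True
        consent.sms_opt_in = False
    elif word in OPT_IN_KEYWORDS:
        consent.opted_out = False
        consent.sms_opt_in = True        # second step of the double opt-in
    return consent


def find_identifiers(body: str) -> list:
    """Names of identifier patterns that match the message body."""
    return sorted(name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(body))


def may_send(consent: ConsentRecord, purpose: Purpose, body: str):
    """Return (allowed, blockers) for one outbound message.

    blockers is an empty list when the message passes every check.
    """
    blockers = []
    if consent.opted_out:
        blockers.append("recipient opted out")
    elif not consent.sms_opt_in:
        blockers.append("no confirmed SMS opt-in")
    if purpose is Purpose.MARKETING and not consent.marketing_authorization:
        blockers.append("marketing message requires written authorization")
    if not OPT_OUT_HINT.search(body):
        blockers.append("body lacks opt-out instructions")
    found = find_identifiers(body)
    if found:
        blockers.append("body contains identifiers: " + ", ".join(found))
    return (not blockers, blockers)


if __name__ == "__main__":
    # Constructed walk-through: opt in, send a reminder, then opt out.
    record = handle_inbound(ConsentRecord(), "YES")
    reminder = "Reminder: you have an appointment tomorrow at 9am. Reply STOP to opt out."
    print(may_send(record, Purpose.TREATMENT, reminder))
    promo = "Try our partner's new fitness program today! Reply STOP to opt out."
    print(may_send(record, Purpose.MARKETING, promo))
    handle_inbound(record, "STOP")
    print(may_send(record, Purpose.TREATMENT, reminder))
```

The check deliberately collects every blocker rather than stopping at the first, so a campaign review can see at once that a draft both lacks authorization and leaks an identifier. Minimizing PHI is handled as a content check on the body, separate from the consent state, because the two fail for different reasons and are fixed by different people.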
Regular SMS services are not suitable for these campaigns: healthcare organizations should use HIPAA compliant text messaging platforms, because ordinary SMS does not provide the necessary encryption and security features.
If PHI is exposed through insecure messaging or another failure, HIPAA's breach notification rule requires the organization to inform affected patients and report the breach.
Links included in messages should not lead to third-party services that promote products unless the patient has provided written authorization for marketing purposes, and every link must point to a secure, trusted source.