Patient Protect

HIPAA compliant messaging

Texting patients is one of the most common HIPAA violations.

If your staff texts patients from personal phones, your practice has an open HIPAA violation right now. SMS, iMessage, and WhatsApp are not compliant — and the penalties compound with every message sent.

The problem

Every non-compliant message is a separate potential violation.

SMS / Text Messages

Unencrypted, stored on carrier servers, no access controls, no audit trail. Interceptable and subpoena-eligible.

Used by 73% of healthcare staff for patient communication (Spok, 2023).

iMessage / WhatsApp

End-to-end encryption exists, but no BAA available, no audit logging, no access management, and messages persist on personal devices.

The most commonly reported shadow communication channel in independent practices.

Personal Email

Standard email is unencrypted in transit. Attachments with ePHI sit in Gmail, Yahoo, or Outlook inboxes indefinitely. No retention controls.

Staff routinely forward patient information to personal accounts for 'convenience.'

Social Media DMs

Facebook Messenger, Instagram DMs, and similar platforms have zero HIPAA controls. No encryption guarantees, no audit trail, no BAA.

More common than practices admit — especially for appointment scheduling and follow-up.

What compliance requires

HIPAA compliant messaging is a regulatory requirement. Here is what it takes.

  • End-to-end encryption for all messages containing ePHI
  • Access controls — only authorized users can send and receive
  • Audit logging — who sent what, when, and to whom
  • Message retention and disposal policies
  • Business Associate Agreement with the messaging platform
  • Unique user identification — no shared accounts
  • Automatic session timeout and device management
  • Breach notification capability if a message is compromised

The Patient Protect solution

Replace personal phone communication with compliant, auditable workflows.

Encrypted secure messaging

All patient communication flows through Patient Protect's encrypted messaging system. No SMS. No personal email. No shadow channels.

Audit-ready by default

Every message is logged with sender, recipient, timestamp, and content hash. Evidence is available when auditors or attorneys arrive.
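An added example, not Patient Protect's own code, of the audit record this passage describes: each entry carries sender, recipient, timestamp and a content hash, and, going beyond the page, the entries are hash-chained so that an edited or deleted record is detectable later. The field names, the chaining scheme and the sample traffic are assumptions made for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

def content_hash(message: str) -> str:
    # Hash of the body: the log proves what was sent without storing the ePHI.
    return hashlib.sha256(message.encode("utf-8")).hexdigest()

def make_entry(sender, recipient, message, sent_at):
    # The four fields the page names; the key names are assumptions.
    return {"sender": sender, "recipient": recipient,
            "timestamp": sent_at.astimezone(timezone.utc).isoformat(),
            "content_hash": content_hash(message)}

def _digest(prev_hash, entry):
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_entry(log, entry):
    # Each record commits to the previous record's hash, so editing or
    # deleting an earlier record invalidates every record after it.
    prev_hash = log[-1]["entry_hash"] if log else "0" * 64
    record = dict(entry, prev_hash=prev_hash, entry_hash=_digest(prev_hash, entry))
    log.append(record)
    return record

def verify_log(log):
    prev_hash = "0" * 64
    for rec in log:
        entry = {k: v for k, v in rec.items() if k not in ("prev_hash", "entry_hash")}
        if rec["prev_hash"] != prev_hash or not hmac.compare_digest(
                rec["entry_hash"], _digest(prev_hash, entry)):
            return False
        prev_hash = rec["entry_hash"]
    return True

def verify_message(record, message):
    # Does a retained message body still match what was logged at send time?
    return hmac.compare_digest(record["content_hash"], content_hash(message))

def build_sample_log():
    # Constructed sample traffic with placeholder identities, not real patients.
    log = []
    t = datetime(2024, 5, 1, 14, 0, tzinfo=timezone.utc)
    append_entry(log, make_entry("nurse.jane", "patient.0001", "Your appointment is Tuesday at 9am.", t))
    append_entry(log, make_entry("dr.smith", "patient.0002", "Lab results are ready; log in to view.", t))
    return log
```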

Role-based access

Nine defined roles control who can send messages, view patient information, and access communication history.

No personal devices required

The platform works through the browser — staff do not need to install apps on personal phones or use personal accounts.

FAQ

Common questions about HIPAA compliant messaging.

Is texting patients a HIPAA violation?

Yes, if the text contains protected health information (PHI) and is sent via standard SMS, iMessage, WhatsApp, or other non-compliant channels. HIPAA requires encryption, access controls, and audit logging for all electronic communication containing ePHI.

Can I use WhatsApp to communicate with patients?

No. WhatsApp does not offer a Business Associate Agreement (BAA), does not provide audit logging, and does not meet HIPAA access control requirements. Even though it offers end-to-end encryption, it is not HIPAA compliant.

What makes messaging HIPAA compliant?

HIPAA compliant messaging requires: end-to-end encryption, unique user authentication, role-based access controls, audit logging, message retention controls, automatic session timeout, and a signed BAA with the messaging platform.

Next step

How is your staff communicating with patients today?

If the answer involves personal phones, standard email, or messaging apps — you have an open violation. The risk assessment shows you exactly where.