HIPAA Compliant Texting Apps: Secure Messaging for Healthcare (2026)

Healthcare providers send thousands of text messages daily to coordinate patient care, share test results, and communicate with colleagues. The convenience of texting has made it a preferred communication channel in clinical settings. But standard text messaging platforms were never designed to protect sensitive medical information, and using them to transmit protected health information (PHI) creates significant legal and regulatory exposure under the Health Insurance Portability and Accountability Act (HIPAA).
This guide examines why standard texting fails HIPAA requirements, what the law actually demands for electronic messaging, and which platforms meet those standards. For related compliance topics, see our guides on HIPAA compliant email and Business Associate Agreements.
Why Standard Texting Is Not HIPAA Compliant
Standard SMS, iMessage, and consumer messaging apps like WhatsApp and Facebook Messenger were built for personal communication. They lack several critical features that HIPAA requires for any system handling electronic protected health information (ePHI).
No Access Controls
Standard texting apps do not provide role-based access, unique user identification, or automatic logoff after periods of inactivity. Anyone with physical access to an unlocked phone can read every message. HIPAA requires covered entities to implement technical policies that restrict ePHI access to authorized individuals only, per 45 CFR 164.312(a).
No Audit Trails
The HIPAA Security Rule requires organizations to deploy mechanisms that "record and examine activity in information systems that contain or use electronic protected health information" (45 CFR 164.312(b)). Standard texting platforms provide no audit logging. Organizations cannot track who sent what, when messages were read, or whether content was forwarded or saved.
Insufficient Encryption
iMessage and WhatsApp do encrypt messages end to end, but that covers only the path between the two devices; neither provides the administrative controls the Security Rule requires alongside encryption (user provisioning, audit logs, retention policy, a BAA). Backups are a second gap: WhatsApp backups to Google Drive are unencrypted unless end-to-end encrypted backup is switched on, and iCloud backups can be decrypted by Apple unless the user has enabled Advanced Data Protection. SMS has no encryption at all: it travels as plaintext through carrier networks, is visible to the carriers and to anyone with access to the SS7 signaling network, and iMessage falls back to SMS (the green bubble) when Apple's service is unavailable, so a message the sender expected to be encrypted can leave the phone in the clear.
No Business Associate Agreement
Under HIPAA, any third-party vendor that handles ePHI on behalf of a covered entity must sign a Business Associate Agreement (BAA). Apple, Google, and Meta do not sign BAAs for their consumer messaging products. Without a BAA, using these platforms for PHI transmission violates HIPAA regardless of the platform's technical security features.
No Message Lifecycle Controls
Standard texting provides no mechanism for message expiration, remote wipe of content from lost devices, or restrictions on copying, forwarding, or screenshotting messages. Once a text containing PHI is sent, the sender loses all control over that information.
HIPAA Security Rule Requirements for Texting
The HIPAA Security Rule (45 CFR Part 164, Subpart C) establishes the baseline requirements that any texting platform must meet before it can be used for ePHI. The HHS Office for Civil Rights (OCR) enforces these requirements and has levied over $144 million in settlements and penalties through 2025.
Technical Safeguards (45 CFR 164.312)
The Security Rule defines five categories of technical safeguards that apply directly to text messaging systems.
Access Control (164.312(a)): The platform must assign a unique identifier to every user and support emergency access procedures (both are "required" specifications). Automatic logoff after inactivity and encryption/decryption of ePHI are "addressable" under the current rule, meaning the organization must either implement them or document why an alternative is reasonable and appropriate. In practice, a texting platform that lacks either should be treated as failing this standard.
Audit Controls (164.312(b)): The system must record and examine all activity involving ePHI. For texting, this means logging who sent each message, when it was delivered, when it was read, and any actions taken on message content.
Integrity (164.312(c)): Electronic mechanisms must verify that transmitted ePHI has not been improperly altered or destroyed. Message integrity controls prevent tampering during transmission.
Person or Entity Authentication (164.312(d)): The platform must verify the identity of any person or entity seeking access to ePHI. Multi-factor authentication, biometric unlock, or a PIN are the usual mechanisms; the rule does not prescribe one, so the choice must be justified in the risk analysis. A device PIN alone is a weak control for an app that handles ePHI, because it authenticates whoever holds the phone rather than the user of the application.
Transmission Security (164.312(e)): Technical security measures must guard against unauthorized access to ePHI transmitted over electronic networks. Encryption in transit is the primary mechanism. HHS does not name a cipher; its guidance on rendering PHI unusable points to the NIST publications (SP 800-52 for TLS, SP 800-111 for storage encryption), which in practice means TLS 1.2 or higher with certificate validation for data in transit and a NIST-approved algorithm such as AES-256 for data at rest.
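The five standards above are abstract until you see what a messaging backend has to do to satisfy them. The following Python sketch is an added example, not code from this page or from any vendor named on it: it models unique user IDs and automatic logoff (access control), an append-only hash-chained event log (audit controls), an HMAC on every message so alteration is detected at read time (integrity), and expiry of stale messages. Real systems would also encrypt the body and run this behind TLS; the users, key, timestamps and message text are all constructed for the demo, and the class and method names are the example's own.

```python
"""Toy texting backend showing the 45 CFR 164.312 technical safeguards.
Everything here (users, key, timestamps, message text) is constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # chain anchor for the first audit entry


def _digest(record: dict) -> str:
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


@dataclass
class Message:
    msg_id: str
    sender: str
    recipient: str
    body: bytes      # ciphertext in a real system; plaintext keeps the demo short
    sent_at: int
    expires_at: int
    tag: str         # HMAC-SHA256 over all fields above (integrity, 164.312(c))


class AuditLog:
    """Append-only log; each entry commits to the hash of the previous one (164.312(b))."""

    def __init__(self):
        self.entries = []

    def append(self, event, actor, msg_id, ts, **extra):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"event": event, "actor": actor, "msg_id": msg_id,
                  "ts": ts, "prev": prev, **extra}
        record["hash"] = _digest(record)
        self.entries.append(record)

    def verify(self) -> bool:
        """Recompute the chain; an edited, deleted or reordered entry breaks it."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class MessagingService:
    def __init__(self, integrity_key: bytes, session_timeout: int = 900):
        self.key = integrity_key        # server-side MAC key: integrity, not confidentiality
        self.session_timeout = session_timeout
        self.messages = {}
        self.last_seen = {}             # user -> time of last authenticated action
        self.log = AuditLog()

    def login(self, user: str, now: int):
        self.last_seen[user] = now
        self.log.append("login", user, None, now)

    def _touch(self, user: str, now: int):
        """Automatic logoff (164.312(a)): a gap longer than the timeout ends the session."""
        last = self.last_seen.get(user)
        if last is None:
            raise PermissionError("not logged in")
        if now - last > self.session_timeout:
            del self.last_seen[user]
            self.log.append("auto_logoff", user, None, now)
            raise PermissionError("session expired")
        self.last_seen[user] = now

    def _tag(self, msg_id, sender, recipient, body, sent_at, expires_at) -> str:
        data = json.dumps([msg_id, sender, recipient, body.hex(), sent_at, expires_at]).encode()
        return hmac.new(self.key, data, hashlib.sha256).hexdigest()

    def send(self, sender, recipient, body: bytes, now: int, ttl: int) -> str:
        self._touch(sender, now)
        msg_id = f"m{len(self.messages) + 1}"
        expires_at = now + ttl
        tag = self._tag(msg_id, sender, recipient, body, now, expires_at)
        self.messages[msg_id] = Message(msg_id, sender, recipient, body, now, expires_at, tag)
        self.log.append("sent", sender, msg_id, now, recipient=recipient)
        return msg_id

    def read(self, user: str, msg_id: str, now: int):
        """Return the body; None if expired; raise on wrong user or altered content."""
        self._touch(user, now)
        m = self.messages[msg_id]
        if user != m.recipient:                     # only the addressed user may read
            self.log.append("denied", user, msg_id, now)
            raise PermissionError("not the recipient")
        if now > m.expires_at:                      # lifecycle control: expired messages are refused
            self.log.append("expired", user, msg_id, now)
            return None
        expected = self._tag(m.msg_id, m.sender, m.recipient, m.body, m.sent_at, m.expires_at)
        if not hmac.compare_digest(expected, m.tag):
            self.log.append("integrity_failure", user, msg_id, now)
            raise ValueError("message altered after sending")
        self.log.append("read", user, msg_id, now)
        return m.body


if __name__ == "__main__":
    svc = MessagingService(b"constructed-demo-key")
    svc.login("dr_lee", 1000); svc.login("rn_patel", 1000)
    mid = svc.send("dr_lee", "rn_patel", b"K+ 6.1, recheck and notify", 1000, ttl=600)
    print(svc.read("rn_patel", mid, 1060), [e["event"] for e in svc.log.entries], svc.log.verify())
```

Two design points carry over to evaluating real products. First, the audit log records denials, expiries and integrity failures, not just successful reads; a log that only shows the happy path cannot support an OCR investigation. Second, the HMAC key lives on the server, so the vendor can verify integrity and produce audit evidence; that is the trade-off discussed later in the evaluation checklist, where true end-to-end encryption would put the keys out of the vendor's reach.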
Administrative Safeguards
Beyond technology, HIPAA requires written policies governing how texting platforms are used, workforce training on proper messaging procedures, and risk assessments that specifically evaluate messaging-related vulnerabilities. Organizations must also designate a security official responsible for developing and implementing security policies.
The BAA Requirement
Any texting platform vendor that transmits, maintains, or has access to ePHI qualifies as a business associate. The covered entity must execute a BAA with the vendor before using the platform. The BAA must specify how the vendor will safeguard PHI, report breaches, and return or destroy PHI upon contract termination. For details on when a BAA is required, see our dedicated guide.
Proposed Security Rule Changes (2025-2026)
HHS announced a proposed modification to the HIPAA Security Rule on December 27, 2024 (published in the Federal Register on January 6, 2025), representing the most significant update since 2013. The proposal eliminates the distinction between "required" and "addressable" implementation specifications, making all safeguards mandatory with limited exceptions.
Under the proposed rule, encryption of all ePHI at rest and in transit would become a strict requirement rather than an addressable specification. Organizations would need to comply within 240 days of the final rule, expected in mid-2026. Healthcare organizations currently using texting platforms with optional encryption features would need to ensure encryption is enabled and cannot be disabled by end users.
HIPAA Compliant Texting Platforms Compared
Several platforms have been purpose-built for HIPAA compliant healthcare messaging. Each offers a different combination of features, integrations, and pricing models. The following comparison covers the most widely adopted platforms as of early 2026.
TigerConnect
TigerConnect is the most widely used clinical communication platform in the United States, deployed across major hospital systems and health networks. The platform holds HITRUST CSF certification, a rigorous third-party security standard that exceeds baseline HIPAA requirements.
TigerConnect provides AES-256 encryption, role-based messaging that routes alerts to on-call clinicians by role rather than by name, message recall and expiration, and delivery and read receipts. The platform integrates with major EHR systems, nurse call systems, and scheduling tools. Voice and video calling are included alongside text messaging.
Pricing is enterprise-level and customized based on organization size and feature requirements. TigerConnect is best suited for hospitals and large health systems where clinical workflow integration is a priority. A BAA is included as part of the contract.
OhMD
OhMD focuses on patient communication and practice management, making it a strong fit for physician practices and outpatient clinics. The platform text-enables existing office landline numbers, allowing patients to initiate conversations through familiar phone numbers.
Key features include HIPAA compliant two-way texting, broadcast messaging, website live chat, voicemail transcription, and video visits. OhMD integrates with over 85 EHR and practice management systems, including Epic, Cerner, and athenahealth. The platform also includes automated appointment reminders and a developer API for custom integrations.
Pricing starts at approximately $125 to $300 per month depending on the plan tier; OhMD's three plans are Communicate, Automate, and Develop. A two-week free trial is available. A BAA is provided.
Spruce Health
Spruce Health positions itself as an all-in-one communication platform for healthcare practices. The platform combines HIPAA compliant messaging, VoIP calling, video visits, e-faxing, and voicemail transcription in a single application with a unified team inbox.
The Communicator plan includes customizable phone trees, time-of-day routing, and VoIP desk phone support. Spruce provides secure file sharing, after-hours phone solutions, bulk messaging, and workflow automation. EHR integrations are available on higher-tier plans.
Pricing ranges from $24 to $49 per user per month, with a free trial available. Spruce signs a BAA and uses encryption for all data in transit and at rest.
Trillian
Trillian offers an affordable HIPAA compliant messaging solution with HITRUST CSF certification. The platform provides encrypted messaging across desktop (Windows, macOS, Linux) and mobile (iOS, Android) applications using TLS 1.2+ for data in transit and BitLocker/LUKS encryption at rest.
Healthcare-specific features include sanitized push notifications that omit message content, configurable media policies that restrict file sharing to camera-only images (preventing accidental PHI leaks from photo libraries), and customizable retention policies that can be set to store no data on server or client. An optional on-premises server deployment gives organizations complete data control.
Pricing starts at $3.33 per user per month for basic plans, with healthcare-focused plans at $10 to $20 per user per month. Trillian signs a BAA for covered entities.
Halo Health (symplr Clinical Communications)
Halo Health, now part of symplr, provides a clinical collaboration platform that combines HIPAA compliant messaging with on-call scheduling, VoIP calling, critical results delivery, and care team coordination tools.
The platform supports role-based communication, unlimited secure messaging with automatic status updates (sent, delivered, read), and high-resolution media attachments. A key security feature is that all messaging content, photos, videos, and schedule data remain encrypted within the application and cannot be exported to a user's personal device. Off-duty auto-forwarding and gatekeeping settings redirect messages when clinicians are unavailable.
Halo Health integrates with hospital clinical systems for access to on-call schedules, critical lab results, and care team directories. Pricing is enterprise-based and provided upon consultation.
QliqSOFT (Quincy Platform)
QliqSOFT's Quincy Digital Engagement Platform combines HIPAA compliant secure texting with AI-powered chatbots, digital forms, automated reminders, and virtual visits. The platform is used by over 1,000 healthcare organizations in the United States.
A notable feature is app-less patient communication: the patient receives an ordinary SMS or email that carries only a secure link, and the message content is viewed through that link in the browser, so the PHI itself never travels over SMS and no app download is required. The platform uses end-to-end encryption, multi-factor authentication, role-based access controls, and audit trails with message expiration.
Pricing starts at approximately $10 per user per month. QliqSOFT provides a BAA and integrates with major EHR systems.
Buzz (Skyscape)
Buzz from Skyscape offers a comprehensive HIPAA compliant communication platform that combines secure messaging with telehealth, e-signatures, bi-directional faxing, and AI-powered clinical tools. The platform integrates Skyscape's medical reference library directly into conversations, giving clinicians instant access to clinical decision support during messaging.
The platform supports text, voice, video, dictation, image sharing, and calendar management. Bi-directional EHR integration is available with systems including Epic, PointClickCare, and Homecare Homebase. Built-in electronic visit verification with caregiver geolocation tracking serves home health agencies.
Buzz offers a free tier for basic secure messaging, with paid plans for organizations needing advanced features. The platform is particularly strong for home health and behavioral health agencies.
Platform Comparison Table
| Platform | Encryption / certifications | BAA | EHR Integration | Message Expiration | Remote Wipe | Starting Price |
|---|---|---|---|---|---|---|
| TigerConnect | AES-256, HITRUST CSF | Yes | Major EHRs, nurse call | Yes | Yes | Enterprise (custom) |
| OhMD | End-to-end | Yes | 85+ EHR/PM systems | Yes | Yes | ~$125/month |
| Spruce Health | TLS in transit, encrypted at rest | Yes | Select EHRs | Yes | Yes | $24/user/month |
| Trillian | TLS 1.2+, BitLocker/LUKS, HITRUST CSF | Yes | Limited | Configurable | Yes | $3.33/user/month |
| Halo Health (symplr) | End-to-end, non-exportable | Yes | Hospital clinical systems | Yes | Yes | Enterprise (custom) |
| QliqSOFT | End-to-end, MFA | Yes | Major EHRs | Yes | Yes | ~$10/user/month |
| Buzz (Skyscape) | End-to-end | Yes | Epic, PointClickCare, others | Yes | Yes | Free tier available |
Patient Texting vs. Provider-to-Provider Texting
HIPAA treats patient-facing communication differently from internal clinical messaging, and organizations need separate policies for each scenario.
Patient Texting Requirements
Before sending any PHI to a patient via text, the healthcare provider must obtain documented consent. The consent process must inform the patient about the risks of text messaging, including the possibility of interception or unauthorized access. The patient must have a clear method to opt out at any time.
Even with patient consent, the covered entity remains responsible for using reasonable safeguards. Patient consent does not waive HIPAA requirements for the provider. Using a HIPAA compliant platform with a signed BAA is still necessary.
Appointment reminders are a permitted treatment communication and are low-risk when limited to a name, date, time, and location, but a reminder from a covered entity still identifies the patient as receiving care from that provider and is therefore PHI; keep it to those fields and send it under the same consent and platform rules. Any message that includes a diagnosis, treatment, medication, or billing information must be transmitted through a secure channel.
Provider-to-Provider Texting
Communication between healthcare providers about patient care always involves ePHI and must use a HIPAA compliant platform. Patient consent is not a factor in provider-to-provider messaging because the obligation to secure ePHI rests entirely on the covered entities and their business associates.
Provider-to-provider platforms typically emphasize workflow features: role-based routing, on-call scheduling integration, critical result alerts, and read receipt confirmation. These features address the clinical need for fast, reliable communication while maintaining a complete audit trail.
Penalties for Non-Compliant Texting
The HHS Office for Civil Rights enforces HIPAA through investigations of complaints and data breaches. Texting-related violations typically fall under failures to implement adequate access controls, encryption, or audit mechanisms, or the failure to obtain a BAA from a messaging vendor.
Civil penalties follow a tiered structure based on culpability:
- Tier 1 (lack of knowledge): $141 to $36,748 per violation
- Tier 2 (reasonable cause): $1,464 to $73,495 per violation
- Tier 3 (willful neglect, corrected): $14,643 to $73,495 per violation
- Tier 4 (willful neglect, not corrected): $73,495 per violation, up to $2,204,850 annually per violation category
These amounts are adjusted for inflation each year, and under its 2019 notice of enforcement discretion OCR applies lower annual caps for Tiers 1 through 3; check the current HHS penalty table before relying on a specific figure.
Criminal penalties apply when violations involve knowingly obtaining or disclosing PHI, with fines up to $250,000 and imprisonment up to 10 years for offenses committed with intent to sell, transfer, or use PHI for commercial advantage or malicious harm.
OCR settled or imposed penalties in 22 cases during 2024 alone, continuing an aggressive enforcement trend. For information on the breach reporting process, see our guide on reporting HIPAA breaches.
How to Evaluate a HIPAA Compliant Texting Platform
When selecting a platform, healthcare organizations can use this checklist to verify HIPAA readiness:
Security verification: Ask exactly what the vendor means by "encryption." True end-to-end encryption means only the two endpoints hold the keys, which is incompatible with server-side audit logs, archival, EHR integration, and message recall; most clinical platforms instead encrypt client-to-server (TLS 1.2 or higher) and at rest under vendor-managed keys, which HIPAA permits because the vendor is a business associate under a BAA. Confirm the algorithm and key management used at rest (AES-256 or another NIST-approved cipher, with keys held in a managed key store rather than in application config), and look for third-party attestations such as HITRUST CSF or SOC 2 Type II.
BAA availability: Verify that the vendor will sign a BAA before any ePHI is transmitted. Review the BAA terms carefully, particularly breach notification timelines and data destruction provisions. For more on what a BAA covers, see our BAA guide.
Access controls: Ensure the platform supports unique user identification, multi-factor authentication, role-based access, and automatic session timeout.
Audit capabilities: Confirm the system generates comprehensive audit logs that record message creation, delivery, read status, and any modifications or deletions.
Device management: Verify remote wipe capability for lost or stolen devices, PIN or biometric lock requirements, and the ability to prevent ePHI from being saved to personal device storage.
EHR integration: Assess compatibility with existing electronic health record systems. Direct integration reduces the risk of manual data entry errors and improves workflow efficiency.
Message lifecycle: Look for configurable message expiration, recall capabilities, and restrictions on copying, forwarding, or saving message content. Treat screenshot blocking as a deterrent rather than a control: it can be enforced on Android but not reliably on iOS, and a second phone's camera defeats it in any case.
This article provides general legal information about HIPAA compliant texting requirements. It does not constitute legal advice. Consult an attorney and a qualified HIPAA compliance professional for advice specific to your organization.
Sources and References
- 45 CFR 164.312 - Technical Safeguards (HIPAA Security Rule)(law.cornell.edu)
- Summary of the HIPAA Security Rule - HHS.gov (hhs.gov)
- 45 CFR Part 164 Subpart C - Security Standards for ePHI (eCFR) (ecfr.gov)
- HIPAA Enforcement Highlights - HHS Office for Civil Rights (hhs.gov)
- HHS Guidance on Electronic Communications with Patients (hhs.gov)
- Guidance to Render Unsecured PHI Unusable - HHS Breach Notification (hhs.gov)
- HIPAA Compliant Messaging Software - TigerConnect(tigerconnect.com)
- HIPAA Compliant Texting - Trillian(trillian.im)