Consent Requirements for Messaging Referred Patients
Last updated 7 days ago
Patient consent is a foundational requirement for healthcare communication. In Subflow, messaging referred patients is a common occurrence, and knowing the rules upfront helps your team communicate confidently and compliantly.
Federal consent ruling
Under the Telephone Consumer Protection Act (TCPA) and the Health Insurance Portability and Accountability Act (HIPAA), written consent is not required when messaging a referred patient about healthcare-related matters, provided the messages meet the conditions outlined on this page.
Prior express consent
When a patient shares their phone number with a healthcare organization, such as a hospital or clinic, during the normal course of their care, that act of sharing is treated as permission to contact them about their care. The Telephone Consumer Protection Act (TCPA) refers to this as "prior express consent."
In practice, this means that if a referred patient's phone number was collected by a HIPAA-covered entity as part of their intake or treatment, your organization can send them healthcare-related SMS messages without obtaining separate written permission first.
Conditions for consent-free messaging
Before sending an SMS to a referred patient without written consent, confirm that each message meets all three of the following conditions. A message that does not meet these conditions requires separate written consent before sending.
Non-commercial: the message does not sell or advertise any product, service, or offering. It exists solely to support the patient's care.
Non-promotional: the message does not encourage the patient to purchase anything or market your organization's services. Appointment reminders and care instructions are appropriate; promotional offers are not.
Directly related to the patient's care: the message must connect to the patient's active treatment, follow-up, or care plan. General outreach or unrelated communications do not qualify.
The following message types are permitted without additional written consent:
Appointment reminders
Lab or test results
Medication instructions
Pre- or post-operative care instructions
Messaging criteria
Meeting the conditions above allows you to message a referred patient without written consent. The following obligations apply to every message you send, regardless of consent status:
Ensure the security and privacy of message content
Avoid including unnecessary personally identifiable or sensitive protected health information (PHI)
Provide an opt-out mechanism in all outgoing messages
Recommended first message for referred patients
Subflow recommends the following opening message when contacting a referred patient for the first time:
Hi [First Name], this is [Your Clinic Name]. You were referred to us by [Referring Partner]. Msg/data rates may apply. Reply STOP to opt-out.
This message introduces your clinic, names the referring partner for context, and satisfies CTIA/TCPA opt-out requirements. This is a starting template; adjust it to match your organization's voice and any additional requirements from your compliance team.
⚠️ TCPA and CTIA regulations are subject to change. This page does not constitute legal advice. Consult your legal and compliance team for your organization's official policies.
For additional help, contact Subflow support at support@subflow.com.
Related articles
SMS HIPAA compliance best practices: Learn how to handle protected health information (PHI) in SMS messages and when Secure Chat is required instead of standard SMS.
SMS deliverability best practices: Learn how to write messages that reliably reach patients and avoid carrier filtering.
Guidelines for compliant use of Subflow: Review the full set of organizational obligations clients must fulfill when using the platform.