SMS HIPAA Compliance Best Practices


Patient privacy does not end when a message leaves the app; it depends on how that message is written and sent. The Health Insurance Portability and Accountability Act (HIPAA) sets clear expectations for SMS communications in healthcare, and clinical staff play a direct role in meeting them.

This page is a reference for core HIPAA compliance practices and approved message categories.

Core compliance practices

The following practices apply to all SMS communications sent through Subflow.

  • Avoid protected health information (PHI): Do not include PHI such as diagnoses, treatment details, addresses, or medical record numbers in standard text messages.

    • Do: "Hi [Name], your doctor has reviewed your recent lab results and would like to discuss next steps with you. Reply YES to schedule a follow-up."

    • Avoid: "Hi [Name], your lab results show an A1C of 8.2. Your doctor recommends starting insulin."

  • Use Subflow for all patient messaging: Send all patient communications through Subflow. Avoid personal phones or non-approved messaging applications.

    • Avoid: Texting patients from a personal phone or using applications like WhatsApp or iMessage.

  • Obtain and document patient consent: Ensure patients have explicitly consented to receiving SMS messages before sending. Keep documentation of that consent on file.

  • Follow the minimum necessary standard: Share only the information needed to accomplish the purpose of the message. Avoid including additional details that are not required for the patient to take action.

    • Do: "Hi [Name], please complete your pre-op requirements before your upcoming procedure."

    • Avoid: "Hi [Name], Dr. Smith needs your pre-op bloodwork results before Thursday's procedure at [Facility Name]."

  • Limit identifiable information: Avoid using facility names, specific departments, or clinician identifiers in messages where possible. Use first names or masked identifiers when appropriate.

    • Do: "Hi [Name], this is a reminder about your upcoming appointment. Reply YES to confirm or call us to reschedule."

    • Avoid: "Hi [Name], this is the Oncology Department at [Facility Name] reminding you about your session with Dr. [Last Name]."

  • Keep messages clear and actionable: Focus each message on the single next step the patient needs to take, without revealing sensitive details.

  • Respect message timing: Send messages only between 8:00 AM and 9:00 PM in the patient's local time zone, in line with federal communication guidelines.
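As an added example (not Subflow's code and not part of the original page), a small pre-send screen in Python that applies the practices above to one outbound message: documented consent, the 8:00 AM to 9:00 PM window in the patient's local time zone, and keyword heuristics for lab values, treatment details and record numbers. The `Patient` record, the keyword patterns and the sample messages are constructed for illustration; the patterns catch the page's own "Avoid" wording but are not an exhaustive PHI filter.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time, timezone, tzinfo
from zoneinfo import ZoneInfo

# Send window from this page: 8:00 AM to 9:00 PM in the patient's local time zone.
WINDOW_START, WINDOW_END = time(8, 0), time(21, 0)

# Constructed, illustrative heuristics for content the page keeps out of standard SMS
# (lab values, diagnosis/treatment details, record numbers). Not an exhaustive PHI filter;
# a real deployment would tune these to its own templates and review every hit by hand.
PHI_PATTERNS = {
    "lab value": re.compile(r"\b(A1C|HbA1c|glucose|cholesterol|viral load)\b[^.]*\d", re.I),
    "diagnosis or treatment detail": re.compile(
        r"\b(insulin|chemotherapy|oncology|diagnos\w*|prescri\w*)\b", re.I),
    "record number": re.compile(r"\bMRN\b|\b\d{7,}\b"),
}

@dataclass
class Patient:            # hypothetical record shape, not Subflow's data model
    phone: str
    tz: tzinfo            # patient's local zone, e.g. ZoneInfo("America/Chicago")
    sms_consent: bool     # True only when consent is documented on file

def screen_outbound_sms(body: str, patient: Patient, send_at_utc: datetime) -> list[str]:
    """Return policy findings for one outbound SMS; an empty list means it may be sent."""
    findings: list[str] = []
    if not patient.sms_consent:
        findings.append("no documented SMS consent on file")
    local = send_at_utc.astimezone(patient.tz)          # evaluate the window in patient time
    if not (WINDOW_START <= local.time() < WINDOW_END):
        findings.append(f"outside send window (local time {local.strftime('%H:%M')})")
    for label, pattern in PHI_PATTERNS.items():         # one finding per matched category
        if pattern.search(body):
            findings.append(f"possible PHI: {label}")
    return findings

if __name__ == "__main__":
    # Constructed sample: the page's "Do" and "Avoid" lab-result messages.
    alex = Patient("+15555550100", ZoneInfo("America/Chicago"), sms_consent=True)
    now = datetime(2024, 6, 3, 15, 0, tzinfo=timezone.utc)   # 10:00 local in Chicago
    ok = ("Hi Alex, your doctor has reviewed your recent lab results and would like "
          "to discuss next steps with you. Reply YES to schedule a follow-up.")
    bad = "Hi Alex, your lab results show an A1C of 8.2. Your doctor recommends starting insulin."
    print(screen_outbound_sms(ok, alex, now))    # []
    print(screen_outbound_sms(bad, alex, now))   # ['possible PHI: lab value', 'possible PHI: diagnosis or treatment detail']
```

Messages that return findings should be held for human review rather than silently dropped, so that staff learn which template wording trips the screen.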

Approved message categories

The following categories reflect HIPAA-compliant messaging practices and can be used as the basis for Message Templates in Subflow.

Appointment reminders

  • "Hi [Name], your appointment with Dr. [Last Name] is tomorrow at [Time]. Reply to reschedule."

  • "Reminder: Your appointment is on [Date] at [Time]. Parking information is in the attached document."

At-home care instructions

  • "Hi [Name], today's care instructions are in the attached secure document."

  • "Good morning, [Name]. Please open the secure link we've sent you for today's care instructions."

Pre-visit and post-visit instructions

  • Pre-visit: "[Name], please complete the required form before your visit: [Secure Link]."

  • Post-visit: "[Name], your post-visit instructions are securely attached. Let us know if you have questions."

Payment and insurance notifications

  • Payment: "Your payment of [Amount] is ready. Access the secure link here: [Link]."

  • Insurance: "Your insurance claim has been processed. No further action is needed."

Medication and health reminders

  • Medication: "Hi [Name], this is your reminder to take your medication."

  • Health alerts: "View seasonal health updates here: [Secure PDF Link]."
