HIPAA COMPLIANCE GUIDE

HIPAA-Compliant Phone Service for Therapists

SIPNEX ·

A HIPAA-compliant phone service for therapists comes down to four disciplines: minimal voicemails, the warn-and-document rule for texting clients, a BAA covering whatever the system stores (voicemail, recordings, texts), and a line between scheduling logistics and clinical content that your phone workflows never cross. The dial tone was never the problem — the stored messages are.

Therapy practices carry a stricter privacy texture than most of healthcare: clients who haven’t told anyone they’re in therapy, ex-partners answering shared phones, psychotherapy notes with their own special protection. SIPNEX is an FCC-licensed carrier that serves solo and group practices — this guide, sourced to HHS/OCR positions, is the phone-specific slice.

Voicemail: the two-line discipline

HHS permits leaving messages with reasonable safeguards, and its guidance is concrete: limit the content — your name, a callback number, appointment confirmation at most. For a therapy practice the discipline is tighter still, because the fact of the relationship is itself sensitive: a voicemail that says “this is Dr. Reyes’s counseling office” on a speakerphone has already disclosed plenty.

The workable pattern: ask at intake how clients want to be contacted and what may be said (“May we leave a voicemail? What should it say?”), record the answer, and configure the outbound caller-ID name and greeting accordingly — a practice name that doesn’t announce the specialty is a legitimate choice. Your phone system’s job is making the compliant pattern the default: templates for reminder scripts, per-client notes at the front desk, consistent CNAM.

Texting clients: warn, document, keep it logistical

Clients want to text — and HIPAA permits it through the warn-and-document pathway: the client may request text communication; you warn that ordinary SMS is unencrypted and interceptable; if they still choose it, you may text, and you document the warning and their choice. Two practice-specific rails on top of that:

  • Keep texts logistical. “Confirming Tuesday 3pm” travels fine; session content never should. The moment texting drifts clinical, you’re in secure-platform territory.
  • The stored thread is the compliance object. Where texts live — your texting platform, stored on a vendor’s systems — is exactly where the business-associate analysis applies. That’s a BAA conversation — and a short one here: SIPNEX signs BAAs scoped to the texting functions you use.

Business texting also carries a non-HIPAA requirement most therapists hit blind: A2P 10DLC registration, which carriers require before application-sent texts deliver reliably — the registration guide covers it; we handle it at setup.

Recordings, transcription, and psychotherapy notes

Think twice before enabling call recording in a therapy practice. Recordings that capture clinical conversation are stored ePHI requiring Security Rule safeguards and a BAA — and anything approaching session content brushes against psychotherapy notes, which HIPAA gives heightened protection (they generally require specific client authorization to disclose). The pragmatic default for most practices: recording off, voicemail-to-email on with minimal-content greetings, transcription only with a BAA in place. If supervision or documentation workflows genuinely need recording, scope it deliberately.

The solo-practice setup that works

A one-clinician practice needs less than vendors sell: one practice number (ported or new), an attendant separating “schedule or reschedule” from “everything else,” voicemail with a disciplined greeting, warn-and-documented texting for logistics, and a softphone so the practice number — not your personal cell — appears on caller ID from anywhere. On SIPNEX that’s a cloud PBX of one or two extensions with every feature included — extensions start at $6.99 per extension monthly — and the compliance conversation happens before provisioning: which functions store PHI, how they’re safeguarded, and the BAA SIPNEX signs to cover them. The broader framework — conduit exception, when BAAs attach, the certification myth — is in our HIPAA phone service guide.

Frequently asked questions

Can therapists text their clients?

Yes, through HIPAA’s warn-and-document pathway: the client requests or agrees to texting, you warn that standard SMS is unencrypted, they choose it anyway, and you document that exchange. Keep the content logistical — scheduling and confirmations — and put anything clinical on a secure channel instead.

What should a therapist’s voicemail greeting say?

As little as identifies you to your clients without announcing the nature of the practice to whoever else hears it: a name and callback number is enough. On outbound messages, follow the client’s documented contact preferences from intake — HHS guidance permits messages but expects minimal content as a reasonable safeguard.

Do I need a BAA for my practice phone system?

For the parts that store PHI, yes: hosted voicemail, recordings, text threads, transcription. Pure call carriage sits under HIPAA’s conduit exception and doesn’t require one. Inventory which stored functions you’ll actually use, and get the BAA scoped to those.

Are phone sessions themselves HIPAA-compliant?

Audio-only telehealth is permitted — OCR issued dedicated guidance on it in 2022. The call itself over traditional lines isn’t “electronic media” under the Security Rule; your obligations concentrate on anything recorded or stored afterward and on verifying you’re speaking with the right person. Session documentation rules are unchanged by the medium.


SIPNEX is an FCC-licensed carrier for therapy practices: a cloud PBX sized for one clinician or a group, texting with registration handled, and the compliance conversation before provisioning — not after. Talk to an operator or see rates.

SIPNEX

The carrier built by operators, for operators.

FCC-licensed carrier with its own STIR/SHAKEN SP certificate. Operator-owned. SIP trunks built for operators who dial at volume.