Solutions · HIPAA-Compliant Texting

Every healthcare text is one of two kinds.

HIPAA-compliant texting stops being confusing the moment you sort the messages: logistics texts that should never contain PHI, and clinical texts that need safeguards because they do. SIPNEX carries both on your practice's existing numbers — A2P-registered routes from an FCC-licensed carrier, with the BAA signed for the stored-PHI texting function. No app to install, no number to abandon.

The sorting rule

Sort the message before you send it.

"Is texting HIPAA-compliant?" is the wrong question — it treats a reminder that says Thursday, 2:40 pm, reply C to confirm and a message carrying lab context as the same act. They are not. The first is a logistics text: its compliance posture comes from keeping PHI out of the body and running registered, consent-clean routes. The second is a clinical text: PHI is the payload, so safeguards and agreements do the work. Every texting decision your practice makes gets easier once each message is sorted into its column first — so here are the columns.

Kind one · Logistics texting

Reminders and logistics: keep PHI out, keep the route clean.

Appointment reminders, confirmations, running-late notices, reschedule prompts — the traffic that fills schedules. The compliance work here is mostly carrier hygiene, and it is the same hygiene every texting business owes: registered traffic, real consent, honored opt-outs. Our A2P 10DLC registration guide walks the registry process; SIPNEX handles it as part of setup.

Your number, text-enabled

Patients reply to the number they already call. Texting runs on the practice's existing main line over registered A2P 10DLC routes — not a random shortcode or a rented five-digit stranger.

Registered A2P 10DLC traffic

Brand and campaign registration with The Campaign Registry, filed by us. Unregistered business texting gets filtered or blocked by mobile carriers; registered traffic delivers.

Consent in, STOP out

Documented opt-in on the way in; STOP replies honored automatically on the way out. Opt-out handling is carrier-enforced, not a policy memo taped to the front desk.

PHI-free by design

Date, time, location, confirm-or-reschedule. Diagnosis, procedure, and medication stay out of the body — which keeps the logistics column exactly as low-risk as it should be.

Kind two · Clinical texting

PHI in the message: what makes it permissible.

When the text itself carries patient information, three mechanisms carry the compliance load — each documented in HHS and CMS source material, each mapped in detail in our HIPAA phone service guide.

The BAA, scoped to storage

Message carriage is conduit territory; retained threads are stored PHI. SIPNEX signs the BAA covering the texting function your deployment actually uses — scoped to what is stored, not waved as a badge.

The documented warning

Patients may choose unencrypted text: OCR's pathway is to warn them of the interception risk, let them choose, and document both. The patient's channel preference is honored — on the record.

Staff texting & QSO-24-05

Provider-to-provider PHI has no patient-consent pathway — secure platforms only. For hospitals, CMS memo QSO-24-05 permits texting orders through a HIPAA-compliant secure texting platform, filed into the record, with CPOE still preferred.

The boundary, stated plainly

SIPNEX is the texting carrier, not a chat app.

Vendors in this space blur a line we prefer to draw: SIPNEX does not sell an encrypted clinical messaging app, and nothing on this page pretends otherwise. What we run is the carrier layer — real SMS and MMS on your practice's own numbers, over registered A2P routes, with registration, delivery, and opt-out handling as the messaging service and a BAA covering the stored-thread function. If your clinicians need staff-to-staff secure chat, that is a platform purchase; the patient-facing texting underneath it is ours. The same numbers carry your voice traffic — which is why practices pair this with the phone system for their segment on our healthcare phone systems hub, from the dental front-desk system to the hospital carrier layer — on extensions from $6.99/mo with every feature included.

Frequently asked

Healthcare texting questions, answered.

Does an appointment reminder text expose PHI?
A message linking a named person to a visit at your practice is health information in the technical sense, which is why the discipline matters: keep the body to logistics — date, time, reply C to confirm — and leave diagnosis, procedure, and medication out of it. A lean reminder on a registered practice number is the lowest-risk text a practice sends; the risk enters with the clinical detail, not the channel.
What consent covers texting patients from a practice number?
Two layers, two rulebooks. The carrier layer: A2P 10DLC registration requires a documented opt-in for the traffic and automatic honoring of STOP replies — that applies to every business, healthcare or not. The HIPAA layer: if unencrypted texts will carry anything clinical, OCR's pathway is a documented warning — the patient is told plain SMS can be intercepted, chooses it anyway, and the choice is recorded. Run both layers and the workflow holds up.
When does texting turn the carrier into a business associate?
When the texting function stores PHI on the practice's behalf — message threads retained on your numbers are stored data, not transient carriage. Pure call and message transport falls on the conduit side of HIPAA; retention is where the business-associate analysis attaches. SIPNEX signs the BAA covering the texting function when your deployment stores those threads.
Can hospital staff text patient orders?
CMS revised its position in 2024 (memo QSO-24-05): texting patient orders among the care team is permissible through a HIPAA-compliant secure texting platform, with orders promptly filed into the medical record — and CPOE remains the preferred entry method. The memo speaks to hospitals and critical access hospitals specifically, and ordinary SMS does not qualify as the secure platform it describes.
Is SIPNEX a secure clinical messaging app?
No, and we say so before you ask. SIPNEX is the carrier texting layer: real SMS and MMS on your practice's own numbers, riding registered A2P routes, with registration handled and a BAA covering the stored-thread function. Staff-to-staff clinical chat belongs on a secure messaging platform built for it — and that platform's patient-facing texts still need a registered carrier route underneath, which is the part we run.
What should the front desk do when a patient texts PHI unprompted?
Reply on the channel the patient opened — refusing to answer a text with a text mostly generates phone calls — but keep clinical detail minimal, deliver the interception-risk warning if it has not been documented for that patient, and record the choice. The thread itself is a stored-PHI texting function — the kind the SIPNEX BAA is scoped to cover — so make sure that BAA is in place and the storage side is handled.

Bring the two columns. We wire both.

Tell us which messages are logistics and which carry PHI. We come back with your practice number text-enabled on registered routes, the consent workflow mapped, and the BAA scoped to exactly the stored functions you deploy.

Or call direct: (833) 665-2220