Every healthcare text is one of two kinds.
HIPAA-compliant texting stops being confusing the moment you sort the messages: logistics texts that should never contain PHI, and clinical texts that need safeguards because they do. SIPNEX carries both on your practice's existing numbers — A2P-registered routes from an FCC-licensed carrier, with the BAA signed for the stored-PHI texting function. No app to install, no number to abandon.
Sort the message before you send it.
"Is texting HIPAA-compliant?" is the wrong question — it treats a reminder that says Thursday, 2:40 pm, reply C to confirm and a message carrying lab context as the same act. They are not. The first is a logistics text: its compliance posture comes from keeping PHI out of the body and running registered, consent-clean routes. The second is a clinical text: PHI is the payload, so safeguards and agreements do the work. Every texting decision your practice makes gets easier once each message is sorted into its column first — so here are the columns.
Reminders and logistics: keep PHI out, keep the route clean.
Appointment reminders, confirmations, running-late notices, reschedule prompts — the traffic that fills schedules. The compliance work here is mostly carrier hygiene, and it is the same hygiene every texting business owes: registered traffic, real consent, honored opt-outs. Our A2P 10DLC registration guide walks the registry process; SIPNEX handles it as part of setup.
Your number, text-enabled
Patients reply to the number they already call. Texting runs on the practice's existing main line over registered A2P 10DLC routes — not a random shortcode or a rented five-digit stranger.
Registered A2P 10DLC traffic
Brand and campaign registration with The Campaign Registry, filed by us. Unregistered business texting gets filtered or blocked by mobile carriers; registered traffic delivers.
Consent in, STOP out
Documented opt-in on the way in; STOP replies honored automatically on the way out. Opt-out handling is carrier-enforced, not a policy memo taped to the front desk.
PHI-free by design
Date, time, location, confirm-or-reschedule. Diagnosis, procedure, and medication stay out of the body — which keeps the logistics column exactly as low-risk as it should be.
PHI in the message: what makes it permissible.
When the text itself carries patient information, three mechanisms carry the compliance load — each documented in HHS and CMS source material, each mapped in detail in our HIPAA phone service guide.
The BAA, scoped to storage
Message carriage is conduit territory; retained threads are stored PHI. SIPNEX signs the BAA covering the texting function your deployment actually uses — scoped to what is stored, not waved as a badge.
The documented warning
Patients may choose unencrypted text: OCR's pathway is to warn them of the interception risk, let them choose, and document both. The patient's channel preference is honored — on the record.
Staff texting & QSO-24-05
Provider-to-provider PHI has no patient-consent pathway — secure platforms only. For hospitals, CMS memo QSO-24-05 permits texting orders through a HIPAA-compliant secure texting platform, filed into the record, with CPOE still preferred.
SIPNEX is the texting carrier, not a chat app.
Vendors in this space blur a line we prefer to draw: SIPNEX does not sell an encrypted clinical messaging app, and nothing on this page pretends otherwise. What we run is the carrier layer — real SMS and MMS on your practice's own numbers, over registered A2P routes, with registration, delivery, and opt-out handling as the messaging service and a BAA covering the stored-thread function. If your clinicians need staff-to-staff secure chat, that is a platform purchase; the patient-facing texting underneath it is ours. The same numbers carry your voice traffic — which is why practices pair this with the phone system for their segment on our healthcare phone systems hub, from the dental front-desk system to the hospital carrier layer — on extensions from $6.99/mo with every feature included.
Healthcare texting questions, answered.
Does an appointment reminder text expose PHI?
What consent covers texting patients from a practice number?
When does texting turn the carrier into a business associate?
Can hospital staff text patient orders?
Is SIPNEX a secure clinical messaging app?
What should the front desk do when a patient texts PHI unprompted?
Bring the two columns. We wire both.
Tell us which messages are logistics and which carry PHI. We come back with your practice number text-enabled on registered routes, the consent workflow mapped, and the BAA scoped to exactly the stored functions you deploy.