Over 80% of healthcare providers already send text messages that include protected health information. They text colleagues about patient cases. They text patients about appointments and results. Most of them know they should be worried about compliance. Many aren’t sure what compliance actually requires.

Here’s the reality: there is no such thing as “HIPAA certified” software. No government agency stamps a product as compliant. HIPAA is a set of rules—the Security Rule, the Privacy Rule, and the Breach Notification Rule—and compliance is a shared responsibility between the vendor providing the platform and the healthcare organization using it. The vendor provides the technical safeguards. The practice provides the policies, training, and proper use.

OhMD was built from the ground up for healthcare communication. Every feature—texting, voice AI, video visits, digital forms, file sharing, and care coordination—is designed to support HIPAA compliance by default. This page explains exactly how.

How OhMD Supports HIPAA Compliance

HIPAA has three core rules that apply to any platform handling protected health information. Here’s how OhMD addresses each one.

The Security Rule: Protecting PHI Technically

The HIPAA Security Rule requires administrative, physical, and technical safeguards to protect electronic PHI. OhMD meets these requirements through multiple layers:

  • Encryption in transit: All messages and data are encrypted using TLS RSA with ARIA-256-CBC/SHA-384 during delivery. This prevents interception between sender and recipient.
  • Encryption at rest: All stored data is encrypted using AES-256. OhMD’s infrastructure is hosted on Amazon Web Services (AWS) EC2 HIPAA-compliant servers on the East Coast of the United States. OhMD and Amazon have an executed BAA in place.
  • Access controls: Every user requires a unique username and password. Administrators can add, remove, or deactivate users centrally. Role-based permissions control who sees what. No patient data is stored on personal devices.
  • Security assessment: OhMD has completed a HITRUST assessment, ensuring its information and network security approach complies with all HIPAA and NIST standards. The OhMD team has completed HIPAA training and treats all customer data with care.

The Privacy Rule: Controlling Who Sees What

The Privacy Rule governs how PHI is used and disclosed. OhMD supports compliance through:

  • Patient consent workflows: Organizations are required to gain documented, date-and-time-stamped patient consent before communicating PHI via SMS. Most practices accomplish this through patient consent forms during intake.
  • Segregated communication: Using OhMD separates communication containing PHI from personal communication platforms (standard SMS, personal email, WhatsApp). This reduces the risk of PHI ending up in unsecured channels.
  • Dual messaging approach: OhMD combines standard SMS for non-sensitive messages (scheduling confirmations, office directions) with encrypted messaging links for content containing PHI. Patients tap a secure link to view protected content in their mobile browser—no app download or portal login required.
  • Conversation auditing: Administrators can audit any conversation within their organization. Full message history is available for compliance review and can be pushed to the patient’s EHR chart with one click.

The Breach Notification Rule: Preventing and Responding

The Breach Notification Rule requires covered entities to notify affected individuals, HHS, and sometimes the media after a breach of unsecured PHI. OhMD reduces breach risk through:

  • Centralized platform: Because all communication runs through OhMD rather than scattered across personal devices and email accounts, there is a single, auditable point of control.
  • Instant deactivation: If a staff member leaves the practice or a device is lost, administrators can deactivate the account immediately. No PHI is stored locally on devices, so a lost phone does not create a breach.
  • Encrypted data at rest: Even in the unlikely event of unauthorized server access, AES-256 encryption renders the data unreadable without the proper keys.

The Business Associate Agreement

Before any vendor can handle PHI on behalf of a healthcare organization, HIPAA requires a signed Business Associate Agreement (BAA). This is a legal contract that defines the vendor’s responsibilities for protecting patient data, what happens in the event of a breach, and the permitted uses and disclosures of PHI.

OhMD provides an automatic BAA for every user. It’s executed the moment you start using the platform—no separate negotiation, no paperwork, no legal review required. The BAA covers all communication channels: texting, voice, video, forms, file sharing, and care coordination. You can access the current BAA at any time from within the OhMD platform or on the legal agreements page.

This is worth emphasizing because many platforms either don’t offer a BAA, require you to be on a paid enterprise plan to get one, or make you ask for it. With OhMD, it’s included from day one, even on the free plan.

HIPAA Compliant Communication Across Every Channel

OhMD isn’t a single-purpose texting tool. It’s an omni-channel communication platform where every feature is built with HIPAA compliance as the foundation. Here’s how compliance applies to each channel:

| Channel | What It Does | Learn More |
| --- | --- | --- |
| Secure Texting | Two-way SMS from your practice phone number. Standard SMS for non-PHI messages, encrypted links for PHI. Staff manage conversations from desktop or mobile. Patients never download an app. | HIPAA Compliant Texting → |
| Voice AI | AI answers routine patient calls (scheduling, refills, common questions) and deflects to text when appropriate. Staff monitor and step in from the same inbox. All conversations encrypted and logged. | Virtual Medical Receptionist → |
| Digital Forms | Patient intake, consent forms, and clinical questionnaires sent via secure text link. Patients fill out forms on their phone before appointments. Data is encrypted and can be pushed to the EHR. | HIPAA Compliant Forms → |
| File Sharing | Send and receive X-rays, lab results, insurance cards, referral documents, and clinical notes securely. All files encrypted in transit and at rest. No faxing required. | HIPAA Compliant File Sharing → |
| Video Visits | HIPAA compliant telehealth via secure video links sent by text. Patients tap the link to connect—no portal, no download. Providers report fewer dropped calls and better connectivity vs. portal-based video. | HIPAA Compliant Telehealth → |
| Broadcast Messages | Send appointment reminders, practice announcements, or public health updates to groups of patients. Individual or bulk messaging with delivery tracking. | Patient Communication → |

Every channel listed above is covered by OhMD’s automatic BAA. All conversations across all channels appear in a single unified inbox, so staff never lose track of a patient interaction regardless of how it started—phone call, text, web chat, or AI.

Is Email HIPAA Compliant?

This is one of the most common questions practices ask, and the short answer is: standard email is not HIPAA compliant. While email is convenient, it lacks the encryption, access controls, and audit capabilities required by the HIPAA Security Rule out of the box.

The longer answer depends on which email provider you use:

| Provider | Signs a BAA? | HIPAA Capable? | Notes |
| --- | --- | --- | --- |
| Google Workspace | Yes (paid plans) | Yes, with configuration | Requires admin to enforce TLS routing and configure compliance settings |
| Microsoft 365 | Yes (paid plans) | Yes, with configuration | Must enable message encryption and configure DLP policies |
| Zoho Mail | Yes (enterprise only) | Yes, with configuration | Only certain enterprise plans qualify |
| Yahoo Mail | No | No | No encryption controls or admin features |
| Apple Mail / iCloud | No | No | Apple explicitly states its services are not HIPAA compliant |
| ProtonMail | No | Partial | End-to-end encrypted, but no BAA means it doesn’t meet HIPAA requirements |
| GoDaddy Email | No | No | No HIPAA-grade encryption or healthcare support |

Even when you get HIPAA compliant email working (Google Workspace, Microsoft 365), the patient experience is poor. Every encrypted email forces patients through a multi-step process: click the link, create an account, set a password, verify identity, then read the message. If they need to reply, they repeat the process. Compare that to a text message that arrives on their phone and takes three seconds to read.

This is why most practices that evaluate HIPAA compliant email end up choosing HIPAA compliant texting instead. Text messages have a 98% read rate. Patients respond in minutes, not days. Staff can manage dozens of text conversations simultaneously, while each phone call or email exchange is one-to-one. For practices trying to close the loop on lab results, referral coordination, or pre-visit intake, texting is faster, cheaper, and significantly more effective.

Technical Security Specifications

For IT teams, compliance officers, and anyone evaluating OhMD’s security posture, here are the technical details:

| Component | Specification |
| --- | --- |
| Message encryption (transit) | TLS RSA with ARIA-256-CBC/SHA-384 |
| Web service encryption (transit) | AES-256 for web service callouts |
| Data encryption (at rest) | AES-256 |
| Hosting | Amazon Web Services (AWS) EC2 HIPAA-compliant service, East Coast US |
| AWS BAA | Executed between OhMD and Amazon |
| Security assessment | HITRUST assessed — HIPAA + NIST standards |
| Authentication | Unique username/password per user, role-based access controls |
| User management | Centralized admin panel, client-side or OhMD-managed, instant deactivation |
| Local device storage | None — no PHI stored on personal devices |
| Audit capabilities | Full conversation logging, admin audit access, one-click EHR documentation |
| BAA | Automatic for all users (including free plan), accessible in-app and at /agreements/ |
| Staff training | All OhMD staff have completed HIPAA training |

HIPAA Is a Shared Responsibility

This is worth saying plainly, because it’s the most misunderstood part of HIPAA compliance: no software vendor can make your practice HIPAA compliant on its own. The vendor provides the technical safeguards—encryption, access controls, BAA, audit trail. Your practice is responsible for the rest.

Here’s what falls on your side:

  • Patient consent. You must document that patients have consented to receive communication via text. This should be date-and-time-stamped. Most practices add consent language to their intake forms.
  • Staff training. Your team needs to understand what PHI is, when to use encrypted messaging vs. standard SMS, and how to handle patient communication properly. OhMD’s platform makes the right choice easy—encrypted links are generated automatically when sharing clinical content—but your staff should understand why.
  • Organizational policies. You should have a written communication policy that covers acceptable use, after-hours expectations, documentation requirements, and incident response procedures.
  • User management. When staff members leave your practice, deactivate their accounts promptly. OhMD’s admin panel makes this a one-click action, but it’s your responsibility to do it.

OhMD gives you the tools. Your practice puts them to work correctly. Together, that’s what HIPAA compliance looks like in practice.

See OhMD in Action

OhMD gives your practice HIPAA compliant communication across text, voice, video, forms, and file sharing—all from one inbox, all covered by a single BAA.

See plans and pricing or book a demo to see how it works with your EHR and your workflow.

Questions? Email us at team@ohmd.com.

Frequently Asked Questions

Is OhMD HIPAA compliant?

Yes. OhMD is a HIPAA compliant communication platform built specifically for healthcare. Every user receives an automatic Business Associate Agreement (BAA). OhMD has completed a HITRUST assessment ensuring compliance with all HIPAA and NIST security standards. Data is encrypted using AES-256 at rest and TLS RSA in transit, hosted on AWS HIPAA-compliant infrastructure.

Is email HIPAA compliant?

Standard email is not HIPAA compliant. Most popular email providers—including Yahoo, Apple Mail, ProtonMail, and GoDaddy—do not sign Business Associate Agreements. Google Workspace and Zoho offer HIPAA-compatible configurations, but only on paid enterprise plans with additional setup required. Even when configured correctly, HIPAA compliant email forces patients through clunky encrypted portals with separate logins per organization. HIPAA compliant texting platforms offer a faster, simpler alternative with higher engagement rates.

What is a Business Associate Agreement (BAA)?

A BAA is a legal contract between a healthcare organization (the covered entity) and any vendor that handles protected health information on their behalf (the business associate). It’s required by HIPAA before sharing any PHI with a third party. OhMD provides an automatic BAA for all users, covering texting, voice, video, forms, and file sharing. The BAA is accessible directly within the OhMD platform.

What HIPAA compliant communication channels does OhMD support?

OhMD supports HIPAA compliant communication across multiple channels: two-way SMS texting, encrypted messaging, voice AI for inbound calls, live website chat, video visits, digital patient forms, broadcast messages, and secure file sharing. All channels are managed from a single inbox, so staff never have to switch between platforms to reach patients.

How does OhMD protect patient data?

OhMD encrypts all data in transit using TLS RSA with ARIA-256-CBC/SHA-384 and at rest using AES-256. Infrastructure is hosted on Amazon Web Services (AWS) EC2 HIPAA-compliant servers with an executed BAA between OhMD and AWS. No patient data is stored directly on user devices. All accounts require unique credentials, and administrators can add, remove, or deactivate users centrally. Full conversation audit trails are available for compliance review.

Can I use my personal phone for HIPAA compliant texting?

Yes, but only through a HIPAA compliant platform. Texting patients from your personal messaging app (iMessage, WhatsApp, standard Android messaging) is not HIPAA compliant and can result in fines up to $50,000 per violation. OhMD’s mobile app lets you text patients from your phone while keeping all data encrypted and off your personal device. Messages are sent from your practice phone number, not your personal number.