HIPAA Compliant Texting: How It Works and Why It’s Replacing Phone Calls in Healthcare
98% of text messages are read. 20 percent of phone calls from an unfamiliar number are answered. If you work in a medical practice, you’ve watched that gap play out every single day—your staff calling patients about lab results, referrals, appointment changes, and outstanding balances, only to reach voicemail after voicemail.
The irony is that everyone involved already prefers texting. Your patients text constantly. Your staff would rather text than make their 200th call of the day. But for years, the assumption has been that texting in healthcare is a compliance minefield—too risky, too complicated, not allowed.
That assumption is wrong. HIPAA compliant texting has been used by physician practices for over a decade, and the regulatory framework is clear. The Centers for Medicare & Medicaid Services (CMS) has explicitly affirmed that texting patient information is allowed between care team members using a secure texting platform. What matters is how you text, not whether you text.
This page covers what HIPAA compliant texting actually requires, how it works in practice, why it’s a better fit for patient communication than phone calls or email, and what results practices see after making the switch.
What Is HIPAA Compliant Texting?
HIPAA compliant texting is a way to send and receive text messages that may contain protected health information (PHI) using a platform that meets the technical safeguards required by the HIPAA Security Rule.
The key word is “platform.” Standard SMS—the kind built into every phone—is not HIPAA compliant. Messages sent through iMessage, Android Messages, or WhatsApp are stored on servers and personal devices with no centralized access control, no admin oversight, and no audit trail. A single lost phone can create a reportable breach.
A HIPAA compliant texting platform solves this by adding four layers that standard messaging lacks:
- Encryption in transit and at rest. Messages are encrypted while traveling between sender and recipient and while stored on the platform’s servers. OhMD uses TLS RSA with ARIA-256-CBC/SHA-384 for message delivery and AES-256 for data at rest, hosted on Amazon Web Services (AWS) HIPAA-compliant infrastructure.
- Access controls and user management. Every user has a unique login. Administrators can add, remove, or deactivate users centrally. No patient data is stored directly on personal devices. If someone leaves the practice, their access is revoked in seconds.
- Audit trail. Every message is logged with timestamps, sender, and recipient. Conversations can be pushed to the patient’s EHR chart with one click. If you’re ever audited, the documentation is already there.
- Business Associate Agreement (BAA). HIPAA requires a signed BAA between any covered entity (your practice) and any vendor handling PHI on your behalf. OhMD provides an automatic BAA for every user, covering texting, voice, video, forms, and file sharing. There’s no separate contract to negotiate.
One thing to understand: HIPAA compliant texting doesn’t mean every message is encrypted behind a portal. It means the platform gives you both options. Non-PHI messages—appointment reminders, scheduling confirmations, directions to the office—go out as standard SMS, which means they land directly in the patient’s text thread. When a message contains PHI, the patient receives a secure link they tap to view the encrypted content in their mobile browser. No app download. No portal login. No account creation.
This dual approach is what makes HIPAA compliant texting practical. Patients get the convenience of normal texting for everyday interactions, with encryption applied only when clinical information is involved.
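To make the dual approach concrete, here is an added illustration (not OhMD's code) of the routing logic described above: non-PHI text goes straight to the carrier, PHI is held server-side behind an unguessable link, sends without documented consent are refused, and every attempt lands in an audit trail. The consent register, phone numbers, and the secure-view domain are constructed placeholders.

```python
import secrets
from datetime import datetime, timezone

# Constructed sample consent register (hypothetical data, not OhMD's):
# phone number -> timestamp of the documented consent to receive PHI by text.
CONSENT_LOG = {"+15550000001": "2024-01-15T10:32:00Z"}

# Placeholder domain for the secure-view page; a real deployment uses its own.
SECURE_VIEW_BASE = "https://secure.example.invalid/m/"


class Outbox:
    """Collects what would be handed to the SMS gateway, plus the audit trail."""

    def __init__(self):
        self.sms = []            # (recipient, text) pairs passed to the carrier
        self.secure_store = {}   # token -> PHI body, kept server-side only
        self.audit = []          # one record per send attempt


def route_message(outbox, sender, patient_number, body, contains_phi):
    """Dual-path delivery: non-PHI goes out as plain SMS; PHI stays on the
    server and the patient receives an unguessable link instead. Every attempt
    is audited, and PHI without documented consent is refused, not sent."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "from": sender,
              "to": patient_number, "phi": contains_phi}
    if not contains_phi:
        outbox.sms.append((patient_number, body))
        outbox.audit.append({**record, "kind": "sms"})
        return "sms"
    if patient_number not in CONSENT_LOG:
        # No consent on file: log the refusal so the gap is visible to admins.
        outbox.audit.append({**record, "kind": "refused", "reason": "no consent"})
        return "refused"
    # 32 random bytes (256 bits) makes the link unguessable; the carrier only
    # ever sees the token, never the PHI itself.
    token = secrets.token_urlsafe(32)
    outbox.secure_store[token] = body
    outbox.sms.append((patient_number,
                       "Your care team sent you a secure message: " + SECURE_VIEW_BASE + token))
    outbox.audit.append({**record, "kind": "secure_link", "token": token,
                         "consent_ts": CONSENT_LOG[patient_number]})
    return "secure_link"


def carrier_saw_phi(outbox, phi_body):
    """Audit helper: True if any text handed to the carrier contains the PHI."""
    return any(phi_body in text for _, text in outbox.sms)
```

In a real platform the token lookup would also be rate-limited and expire, and the view page would sit behind the same TLS and at-rest encryption the checklist calls for.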
Why Texting Is Replacing Phone Calls and Email in Healthcare
For most physician practices, the front desk phone is the single biggest bottleneck. A study available through the National Institutes of Health found that 42% of incoming calls to medical practices go unanswered. Each missed call represents a missed appointment, a missed refill, a frustrated patient who may not call back.
The math is blunt: if the average appointment generates $200 in revenue and your practice misses even 10 calls per day, that’s $2,000 in lost daily revenue before you factor in the downstream effects—the patients who switch providers, the referrals that never complete, the care gaps that widen.
Texting solves this because it changes the physics of the interaction between patients and receptionists. A phone call is one-to-one and synchronous: one staff member, one patient, one conversation at a time. If a second patient calls while the first is on hold, someone has to wait. Texting is asynchronous and concurrent. A single staff member can manage five, ten, even twenty text conversations simultaneously, because patients respond on their own time and most messages take seconds to read and reply to.
But What About Email?
Email is technically an option for HIPAA compliant communication, but in practice it creates more problems than it solves. Most major email providers don’t sign Business Associate Agreements at all. Yahoo, Apple Mail, ProtonMail, and GoDaddy are all non-starters. Google Workspace and certain Zoho enterprise plans will sign a BAA, but only after you configure encryption settings, enforce TLS routing rules, and train your staff on the compliance nuances.
Even when you get HIPAA compliant email working, the patient experience is terrible. Each incoming encrypted email forces the recipient through a multi-step portal login: click the link, create an account, set a password, verify their identity, then finally read the message. If they need to reply, they do it all again. Compare that to a text that shows up on their phone and takes three seconds to read.
Patients respond to texts in minutes. They respond to emails in days—if they respond at all. For practices trying to close the loop on lab results, referral status, or pre-visit intake, texting is the obvious path.
What Makes Texting HIPAA Compliant: A Practical Checklist
There’s no official “HIPAA certification” that a software vendor can earn. No government agency stamps a product as compliant. HIPAA is a framework of rules—primarily the Security Rule, the Privacy Rule, and the Breach Notification Rule—and compliance is a shared responsibility between the vendor providing the platform and the covered entity using it.
That said, there are specific things you should look for when evaluating any HIPAA compliant texting solution. Here’s the checklist:
| Requirement | Why It Matters | OhMD |
|---|---|---|
| Signed BAA | Legally required before any vendor handles PHI on your behalf | Automatic for all users. Accessible in-app. |
| Encryption in transit | Prevents interception during delivery | TLS RSA with ARIA-256-CBC/SHA-384 |
| Encryption at rest | Protects stored data from unauthorized access | AES-256 on AWS EC2 HIPAA infrastructure |
| Unique user credentials | Prevents shared logins and ensures accountability | Individual username/password per user |
| Centralized admin controls | Ability to add/remove users and control access levels | Full admin panel with role-based permissions |
| No data on personal devices | Prevents PHI exposure if a phone is lost or stolen | No local storage. All data on encrypted servers. |
| Audit trail | Documentation for compliance reviews and investigations | Full conversation logs with one-click EHR push |
| Patient consent workflow | Required before sending PHI via text | Documented, date-and-time-stamped consent |
| Security assessment | Third-party validation of security posture | HiTrust assessed, HIPAA + NIST compliant |
If a vendor can’t check every box on this list, keep looking. And be wary of any platform that claims to be “HIPAA certified”—that designation does not exist. The correct language is “supports HIPAA compliance” or “HIPAA ready,” because the vendor provides the technical safeguards while your practice is responsible for proper use, patient consent, and organizational policies.
How OhMD HIPAA Compliant Texting Works
The best way to explain it is to walk through what a typical day looks like for a practice using HIPAA compliant texting.
A patient calls to reschedule an appointment. Instead of putting them on hold, OhMD’s voice AI answers, confirms the request, and sends a text with available time slots. The patient picks a slot by replying to the text. The new appointment syncs to the EHR. No staff member was involved.
Lab results come back for a patient. A nurse opens the OhMD dashboard on their desktop, selects the patient, and sends a secure text. Because the message contains PHI, the patient receives a standard-looking text with a secure link. They tap the link, see their results in an encrypted browser view, and text back a question. The nurse responds between other tasks. The entire conversation is pushed to the patient’s chart in one click.
A referral needs to be coordinated. The referring practice texts the specialist through OhMD’s care coordination feature. The message is encrypted end-to-end between providers. Clinical notes, imaging, and referral forms are shared as secure file attachments—no faxing required.
End of day. The practice sets OhMD’s business hours, and incoming texts receive an automatic out-of-office reply. Staff can still view messages from home if they choose, but there’s no obligation to respond until the next morning.
A few things to notice about this workflow:
- Texts go out from the practice phone number, not a random shortcode or unfamiliar number. Patients see the number they already have saved in their contacts, which dramatically improves open and response rates.
- Patients never download an app. This is critical. Patient portals fail because adoption rates are abysmal—getting patients to create accounts, download apps, and remember passwords is a losing battle. OhMD sidesteps this entirely. The patient receives a text. They reply to the text. That’s it.
- Staff work from one inbox. Phone calls, texts, web chats, and AI-handled conversations all appear in the same unified dashboard. There’s no switching between platforms. If voice AI started a conversation and the patient needs a human, staff step in from the same screen with full context visible.
- Everything integrates with the EHR. OhMD connects to 85+ electronic health record systems, including athenahealth, eClinicalWorks, Nextech, DrChrono, ModMed, and more. Conversations are documented in the patient chart without manual data entry.
What Happens When Practices Switch to HIPAA Compliant Texting
The results tend to follow a pattern. Within the first few weeks, staff notice the phones aren’t ringing as much. Within the first few months, the reduction is measurable and significant. Here’s what three practices experienced:
Family Practice Associates of Lexington
FPA is a 24-provider family medicine practice in Kentucky. Their biggest pain point before OhMD was what their Director of Clinical Education, Virginia Burberry, called “round robin phone tag.” Support staff were constantly calling patients about lab results, referrals, bills, and returned mail. With 500+ patients per day, voicemails piled up and tasks sat open for weeks waiting for a callback that rarely came.
After implementing HIPAA compliant texting, FPA’s weekly call volume dropped 22%—from 554 calls per week to 348—in just four months. Staff cleared their inboxes faster because they could text multiple patients simultaneously instead of making one call at a time. The 98% text read rate meant patients actually saw the message, unlike the 80% of calls from unfamiliar numbers that go unanswered.
“Reaching those patients in a timely manner has been ultimately life-changing for our support staff,” Burberry said. “OhMD has taken a huge burden off of our support staff. They’re no longer overwhelmed with phone calls.”
FPA also uses OhMD’s video feature for two mental health providers who conduct all appointments remotely. Because video links are sent via HIPAA compliant text, patients don’t need to log into a portal—they tap the link and connect in seconds.
Coastline Orthopedics
Coastline Ortho saw a 68% reduction in call volume after switching to OhMD. Staff reclaimed more than four hours per person per day—time previously spent on hold, leaving voicemails, and returning calls. That’s time now spent on patients who are physically in the office.
The key metric wasn’t just fewer calls. It was fewer missed calls. When communication moved to text, the loop closed faster. A text about a surgical follow-up gets read and answered. A voicemail about the same follow-up sits in a queue.
Heart & Vascular Care
This cardiology group added OhMD’s AI and texting to handle routine patient calls. The result: over 60% of routine calls are now resolved without staff involvement.
“By automating over 60% of routine calls, our staff can finally focus on patients who need real attention,” said Larami Oliver at Heart & Vascular Care.
For a cardiology practice where clinical staff time is especially expensive, offloading routine scheduling, refill requests, and insurance questions to HIPAA compliant texting freed up meaningful capacity without adding headcount.
What This Costs vs. the Alternatives
The comparison that matters isn’t HIPAA compliant texting vs. no texting. It’s HIPAA compliant texting vs. the status quo: hiring another person to answer phones.
| Factor | Hire Another FTE | OhMD HIPAA Compliant Texting |
|---|---|---|
| Monthly cost | $3,500–$4,500 (salary + benefits) | $250–$1,200 |
| Time to productivity | 4–6 weeks (hiring + training) | 1–2 weeks |
| After-hours coverage | None (or overtime costs) | 24/7 AI + text auto-replies |
| Concurrent patients | One call at a time | Unlimited simultaneous texts |
| Turnover risk | ~20% annual in healthcare admin | Software doesn’t quit |
| EHR documentation | Manual entry after each call | One-click push to patient chart |
| Scalability | Linear (more volume = more staff) | Handles volume spikes without adding cost |
Start Texting Patients Today
OhMD gives your practice HIPAA compliant texting, voice AI, and a unified inbox—all from your existing phone number. Patients text you the way they text everyone else. No apps. No portals. No phone tag.
See plans and pricing or book a demo to see how it works with your EHR.
Frequently Asked Questions About HIPAA Compliant Texting
HIPAA compliant texting is a secure way to send and receive text messages containing protected health information (PHI) between healthcare providers, staff, and patients. It requires end-to-end encryption, access controls, audit logging, and a signed Business Associate Agreement (BAA) between the texting platform and the healthcare organization. OhMD provides all of these safeguards automatically, so practices can text patients from their existing phone number without worrying about compliance.
Texting patients can be HIPAA compliant when done through a platform designed for healthcare. Standard SMS apps like iMessage or Android Messages are not HIPAA compliant because they lack encryption, access controls, and audit capabilities. With a HIPAA compliant texting platform like OhMD, practices can send standard SMS for non-PHI messages (appointment reminders, scheduling confirmations) and encrypted message links when PHI needs to be shared. Patient consent must be documented before communicating PHI by text.
No. With OhMD, patients receive texts as standard SMS messages on their phone. When a message contains PHI, patients receive a secure link they can tap to view the encrypted content in their mobile browser. There is no app to download, no portal to log into, and no account to create. This is one of the biggest advantages over patient portals, which have notoriously low adoption rates.
Most patient phone calls are routine: scheduling, prescription refills, referral status, directions, and basic clinical questions. HIPAA compliant texting lets practices handle these conversations via text instead of phone, allowing staff to manage multiple patient conversations simultaneously. Practices using OhMD report 50–68% fewer phone calls. Family Practice Associates of Lexington saw weekly call volume drop from 554 to 348 calls within four months of implementing HIPAA compliant texting.
Yes. OhMD integrates with 85+ EHR systems including eClinicalWorks, athenahealth, Nextech, DrChrono, and more. After a text conversation, staff can push the full conversation into the patient’s chart with one click. This eliminates the need for manual documentation and ensures every patient interaction is part of the medical record.
For patient communication, yes. HIPAA compliant email requires encrypted portals that force patients through multiple login steps, separate accounts per organization, and clunky interfaces. Most major email providers (Yahoo, Apple, GoDaddy) do not sign BAAs at all. Text messages have a 98% read rate compared to roughly 20% for email. Patients respond to texts in minutes rather than days. For practices prioritizing response rates and patient satisfaction, HIPAA compliant texting is the clear winner.
