HIPAA's actual rules for patient SMS
HIPAA does not prohibit patient SMS. It requires the practice to: (1) only send PHI via SMS through a system with appropriate safeguards (encryption in transit, BAA with the SMS vendor), (2) obtain reasonable consent from the patient, (3) honor the patient's preference for not receiving SMS, (4) log every PHI-containing message in the audit trail.
What TCPA adds for healthcare practices
TCPA (Telephone Consumer Protection Act) governs commercial telephone outreach. For healthcare practices, key requirements: prior express written consent before automated marketing SMS, immediate honoring of STOP replies, quiet hours (typically 9 PM to 8 AM local time), and accurate DNC lists. TCPA violations carry $500-$1,500 per incident and class-action exposure.
Marketing SMS vs. operational SMS
TCPA distinguishes marketing messages (requiring prior express written consent) from operational messages (appointment reminders, lab results, prescription refill notifications — typically permitted under implied consent if the patient initiated the relationship). The line gets blurry: a 'we noticed it's been a year, time for your annual exam' message is operational; a 'come in this week for $50 off' message is marketing.
Carrier compliance: A2P 10DLC registration
All commercial SMS in the US now requires A2P 10DLC registration with the carrier ecosystem. This involves registering a Brand (the practice), a Campaign (the use case — e.g., 'appointment reminders'), and submitting sample message content for carrier approval. Unregistered traffic gets throttled or blocked by carrier filters.
WhatsApp Business: a parallel set of rules
WhatsApp Business has its own rule set: pre-approved message templates for outreach, 24-hour customer service window for free-form replies, and Meta's own content policies. WhatsApp is increasingly preferred by patients for healthcare communication — but practices must navigate Meta's policy quirks (no marketing in the customer service window, no PHI in template names, etc.).
What a compliant healthcare messaging practice looks like
Operating compliant high-volume healthcare messaging requires:
- BAA in place with the SMS / WhatsApp vendor
- A2P 10DLC registration completed for every campaign
- Patient consent capture during intake (express written for marketing, implied for operational)
- STOP / opt-out honored within seconds with audit logging
- Quiet hours enforced automatically by send-window rules
- Per-patient timezone awareness to avoid 9 PM local-time sends
- Audit log of every message containing PHI
- Carrier-compliant message content (no prohibited terms, no shorteners that look spammy)
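The opt-out, consent, quiet-hours and audit items in the checklist above, as an added example of how a send gate can enforce them before a message reaches the vendor (this is illustrative code, not Velant's or any vendor's own implementation; the `Patient`/`SendGate` names, the internal patient id, and the opt-out keywords beyond STOP are assumptions):

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timezone
from zoneinfo import ZoneInfo

# Quiet hours from the checklist: no sends from 9 PM to 8 AM in the patient's local time.
QUIET_START, QUIET_END = time(21, 0), time(8, 0)
# STOP is the keyword the page names; the rest are assumed additional opt-out words.
STOP_KEYWORDS = {"STOP", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}

@dataclass
class Patient:
    patient_id: str                   # hypothetical internal id used in the audit log
    tz: str                           # IANA zone captured at intake, e.g. "America/Los_Angeles"
    opted_out: bool = False
    marketing_consent: bool = False   # express written consent, captured at intake
    operational_consent: bool = True  # implied consent from the patient-initiated relationship

@dataclass
class SendGate:
    audit: list = field(default_factory=list)  # append-only audit trail (in memory here)

    def _log(self, when, patient, event, detail):
        self.audit.append({"at": when.isoformat(), "patient": patient.patient_id,
                           "event": event, "detail": detail})

    def in_quiet_hours(self, now_utc, tz):
        # Convert the send time into the patient's zone, not the practice's.
        local = now_utc.astimezone(ZoneInfo(tz)).time()
        return local >= QUIET_START or local < QUIET_END

    def evaluate(self, patient, kind, contains_phi, now_utc):
        """Return 'allowed', 'deferred: ...' or 'blocked: ...' for an outbound message."""
        if patient.opted_out:
            decision = "blocked: opted out"
        elif kind == "marketing" and not patient.marketing_consent:
            decision = "blocked: no express written consent"
        elif kind == "operational" and not patient.operational_consent:
            decision = "blocked: no consent"
        elif self.in_quiet_hours(now_utc, patient.tz):
            decision = "deferred: quiet hours"
        else:
            decision = "allowed"
        # Every PHI-containing message and every refusal lands in the audit trail.
        if contains_phi or decision != "allowed":
            self._log(now_utc, patient, f"outbound:{kind}", decision)
        return decision

    def handle_inbound(self, patient, text, now_utc):
        """Honor STOP immediately: flip the flag before any further send is evaluated."""
        if text.strip().upper() in STOP_KEYWORDS:
            patient.opted_out = True
            self._log(now_utc, patient, "opt-out", text.strip())
            return True
        return False
```

A deferred message should be requeued for the next 8 AM in the patient's zone rather than dropped; the gate above only makes the decision.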
Inside Velant
Velant ships this entire workflow out of the box — HIPAA-compliant CRM, AI Voice Agent, AI Lead Follow-up, Surescripts-certified ePrescribe, 270/271 eligibility, 837P claims, and closed-loop attribution. Book a 20-minute walkthrough and we'll show you how it runs end to end.
Frequently asked questions
Is patient SMS HIPAA-compliant?
It can be. HIPAA doesn't prohibit patient SMS — it requires that the system have appropriate safeguards (encryption in transit, BAA with the SMS vendor), obtain reasonable patient consent, honor opt-outs, and log every PHI-containing message in an audit trail.
What is TCPA and how does it apply to healthcare SMS?
TCPA (Telephone Consumer Protection Act) governs commercial telephone outreach including automated SMS. Healthcare practices must obtain prior express written consent before sending marketing SMS, honor STOP replies immediately, respect quiet hours (typically 9 PM to 8 AM local), and maintain accurate DNC lists. Violations carry $500-$1,500 per incident with class-action exposure.
Do I need A2P 10DLC registration for healthcare SMS?
Yes. All commercial SMS in the US requires A2P 10DLC registration with the carrier ecosystem. The registration involves filing a Brand (the practice), Campaigns (use cases like appointment reminders), and sample message content. Unregistered traffic gets throttled or blocked by carrier filters.
Can I send appointment reminders without a BAA in place?
Technically yes if the reminders contain no PHI (just 'You have an appointment tomorrow at 3 PM' with no provider, no specialty, no condition). Practically, almost all appointment reminders contain enough information to be considered PHI — so a BAA with the SMS vendor is required.
Is Velant's SMS messaging HIPAA and TCPA compliant?
Yes. Velant offers BAA on request, automatic quiet hours and DNC enforcement, immediate opt-out handling, per-patient timezone awareness, A2P 10DLC registration support, and full audit logging of every PHI-containing message.
Related reading
- Patient Acquisition: How to Respond to Healthcare Leads in Under 30 Seconds. Healthcare leads cool 80% within 30 minutes. This guide shows how to build a response system that hits sub-30-second SMS, sub-5-second inbound calls, and full 24/7 coverage without adding intake staff.
- Compliance: The Complete Guide to EPCS for Behavioral Health Practices. EPCS (Electronic Prescribing of Controlled Substances) is now required for most psychiatric and addiction treatment prescriptions. This guide covers DEA 1311 compliance, identity proofing, PDMP integration, and choosing the right ePrescribe vendor.