HIPAA-Compliant Messaging & Chat: Why Medical Practices are Texting Patients


Medical practices have made major strides towards patient-centered strategies, swapping manual and paper-based processes for digital options, like automated appointment reminders and digital patient check-in. But it’s time to take it further with HIPAA-compliant messaging and chat because patients do the majority of their communicating via text message and they don’t always choose pre-programmed responses to automated solutions. What happens when in place of responding, “1 to confirm, 2 to reschedule, or 3 to cancel”, a patient responds to a text reminder with a thumbs-up emoji or a question like, “yes, but where should I park?” 

Patients don’t always behave within the confines we define for them, so medical offices need strategies that empower them to respond to patients accordingly. This is why HIPAA-compliant messaging and chat software is so important to medical practices that want to engage their patients effectively. There are many applications for these strategies, and medical practices that don’t adopt some form of patient messaging will struggle to keep up with changing market dynamics and patient expectations.

The COVID-19 pandemic only heightened the need for HIPAA-compliant and two-way patient messaging options as both providers and patients became more aware of the need to limit face-to-face contact with others and medical office staff began fielding rapid-fire questions from patients who had new questions about how to navigate healthcare in a pandemic. 

Is Text Messaging HIPAA-compliant? 

While HHS considers text appointment reminders to be HIPAA-compliant, a 1-to-1 ongoing patient conversation over traditional SMS or text messaging is not HIPAA-compliant. This is fine so long as your conversation with a patient doesn’t contain PHI, but if a patient text conversation turns clinical or contains PHI, you’ll want a secure channel to switch over to. These secure channels mimic text messaging but require a patient to authenticate their identity before continuing and take place in a protected digital environment.

Some patient engagement vendors use an “opt-in” workaround without utilizing a truly secure channel. Using this strategy, the organization informs the patient that they are communicating over a non-secure channel and requires their authorization to continue. While this might offer the vendor some protection from HIPAA, it isn’t in the best interest of patients and isn’t recommended.

What is HIPAA-Compliant Text Messaging? 

HIPAA-compliant text messaging is a software service that enables medical providers and medical office staff to communicate with patients in a text-like environment. These strategies allow patients to send and receive messages as they do other text messages, while giving medical office staff and providers a platform where they can see patient messages at a glance and track which ones have been replied to and which are still awaiting a response.

HIPAA-compliant messaging differs from standard two-way chat solutions because the messaging is protected by a unique patient-specific link and authorization, ensuring PHI doesn’t fall into the wrong hands. While two-way patient chat via SMS is a great solution for non-PHI questions like where to park, changes in hours, new telehealth options, or to notify the other party that the patient or provider is running behind, it can’t protect PHI. HIPAA-compliant solutions protect this information, and the best solutions on the market know how to protect patient information without requiring patients to log in with a username or password—more on that below.

Why is HIPAA-Compliant Chat or Messaging Important? 

HIPAA-compliant chat software is an important component of a medical practice’s patient engagement strategy because it offers flexibility, expands patient access, and reaches patients using technology they’ve already adopted. It’s common for healthcare organizations to adopt technology that serves organizations and providers well only to struggle with patient adoption. Patient-centered strategies like two-way patient messaging leverage technology (like SMS) that patients already use to communicate with and engage patients.

How Is HIPAA-Compliant Medical Text Messaging Used? 

There are many applications for the use of medical text messaging with patients, some of which were widely recognized prior to COVID-19 and others that surfaced in the midst of the pandemic. Take a look at how medical offices, hospitals, and health systems are using both HIPAA-compliant messaging and patient chat software to bring efficiency to their daily workflows and better engage their patients throughout the patient journey. 

Phone & Triage Nurse

Medical offices often assign a nurse to cover the phone for patient questions each day. Without a text/messaging option for patients, both nurses and patients are left to play a lot of phone tag as the Triage Nurse or Phone Nurse can only take one call at a time. With patient messaging software, clinical staff can view all patient messages at a glance, identify non-PHI questions for a front desk staff member or simply answer them quickly themselves while using a secure messaging option for patients who have clinical questions. In this scenario, patient messaging offers staff greater flexibility and bandwidth to answer patient questions and reduces the amount of time it takes to respond to patient questions. 

Helping Support Telehealth 

Even tech-savvy patients can have a hard time with a new platform or process but can often be helped with a simple answer. Patient messaging makes it easier to help patients navigate televisits, something many providers didn’t offer prior to the COVID-19 pandemic but that is now widely available to patients. Troubleshooting and questions about unique links, length of visit, whether the provider is ready, etc. can all be answered without requiring patients or medical office staff to dial a phone number.

Post-Discharge or Post-Procedure Follow-Up

While triage is initiated when a patient reaches out to a medical provider, HIPAA-compliant patient messaging can also be used to initiate a conversation from provider to patient. When a patient is discharged from an inpatient stay, their records are often sent to their regular providers, who then reach out to follow up. Providers also work hard to follow up with their patients post-procedure, whether it be something they did in the clinic or through a same-day surgery center. Two-way messaging, specifically HIPAA-compliant messaging, empowers physicians to do this using a form of communication that is more likely to successfully reach their patients and yield a response. Some HIPAA-compliant platforms even allow patients to send pictures or documents to their medical providers, making post-operative questions easier to answer.

Sharing Normal Test Results 

While difficult news and test results are best delivered in person or, at the very least, over the phone, normal lab results can often be delivered less personally. HIPAA-compliant patient messaging makes it easier for providers to deliver normal lab results and makes it possible for patients to receive those results more quickly, easing anxiety and fear sooner. And because patients are more likely to view a text than listen to a voicemail when they are already tied up in another activity, great news travels faster to the patient.

Answering Simple Patient Questions Quickly & Easily 

Sometimes a HIPAA-compliant solution isn’t necessary when patients have simple questions like where to park, can they bring a support-person, will they be required to wear a mask, or just want to notify staff of a short delay. Medical practice staff can keep the office flowing smoothly and receive information more quickly when patients have a text option. 

Improving the Patient Experience

Patients have come to expect mobile access to their healthcare providers thanks to similar accessibility in other consumer industries. Though healthcare has not historically been viewed as a consumer industry, it should be as patients now contribute up to 30% of provider revenue and have many options for how to access care. Providers who want to ensure they not only maintain their current patient census but build upon it should be ready to engage patients the way patients prefer to engage. Patient messaging helps providers do this, building loyalty with their patients and offering the ease and convenience patients expect. 

To Support a Virtual Waiting Room

The COVID-19 pandemic spurred a lot of creativity as medical providers looked for new ways to mitigate the risk of exposure for both their patients and their staff. Virtual waiting rooms became the norm, allowing patients to check in for appointments from their phones and wait in their vehicles until an exam room is ready. Patient messaging has helped make this possible, allowing patients to text their medical provider’s office when they arrive for an appointment.

Do you need both secure & non-secure two-way patient chat? 

While you don’t have to have both, we highly recommend it. If you offer patients the ability to communicate with your office via a chat/text function, you’ll want to account for the HIPAA-compliant component because patients will inevitably assume they can use text for all their questions and patient needs. In the case that a patient initiates a clinical question or PHI-sensitive conversation via a text message, you’ll want to have the option to switch the conversation to a secure message to both protect the patient’s privacy and ensure you remain in compliance with regulatory and privacy standards.

The good news is that some patient engagement vendors offer a non-HIPAA-compliant version of patient texting or messaging for free or include it as a part of a bundled product offering, charging only for the secure or HIPAA-compliant product. 

What to Look for in a HIPAA-Compliant Messaging & Chat Vendor

Let’s start with a disclaimer: Relatient offers both Secure Messaging (HIPAA-compliant) and Patient Chat Messenger. In fact, Relatient is the 2020 KLAS Category Leader in Patient Outreach, so this is pretty near and dear to us. We not only think it’s important, we think it can significantly help medical providers, practices, hospitals, and health systems create healthier communities and keep their patients engaged in their care and connected to the practice. That said, we always encourage health systems and prospective customers to evaluate the options and do their research. We want our customers to have confidence in knowing they’ve selected the best of the best. So as you do your research, view demos, and talk to sales teams, look for some of the following features and ensure you’re choosing a partner who will be there when you need them.


This feature may seem like a given, but it may not be. There are some vendors in the marketplace offering “secure” messaging that in reality are relying on a patient to waive their security. The working theory here is that as long as a patient acknowledges that they are sharing PHI over a non-secure channel and chooses to do so anyway, the organization is covered. But this misses the point: patient privacy should be protected, and there are patient-friendly solutions that do this. Don’t settle for a solution that simply promises to cover your liability; be sure you’re choosing a partner who values a patient’s security and privacy and has designed a product to do the same.

An Intuitive Dashboard to Manage Patient Messages 

To a patient, this messaging will appear like a text message but to medical office staff, it should be easy to view all the patient messages, designate or assign them to others, and even view how long it’s been since the patient sent their message. 

Initiate a Secure Message at Any Time 

Patients don’t think in terms of which solution their provider is using; they ask questions the same way via text whether the question contains PHI or not. Look for a solution that allows the provider or staff to switch the message over to a HIPAA-compliant channel at any point.

Get Notifications via Email

Medical office staff are rarely sitting at their desks all day; they are up and moving to accommodate patients, help providers, answer phones, and much more. Best-practice patient messaging solutions account for this, sending email notifications when a patient message is not responded to within a specified amount of time. This reduces the risk that a patient message would go unanswered.

Part of a Unified Strategy

The very best way to utilize both secure and non-secure patient messaging is to do so as part of a larger patient engagement strategy. The best vendors in the market offer these solutions in an integrated fashion so they elevate and leverage your other patient engagement strategies. Automated appointment reminders are a great example, giving medical office staff the ability to see and respond to non-traditional patient responses to their appointment reminders. 

No Usernames or Passwords, Ever

Text communication is so effective with patients because it’s intuitive and they already use it daily; most use it hourly. Locking this convenience behind a portal, username, and password negates the value to patients and can easily backfire, causing frustration and dissatisfaction.

Ability to Send/Receive Files

A patient with a clinical question will often need to send a picture in order to give a medical provider the information they need to assess and respond. Similarly, medical office staff may need or require forms or pictures of insurance cards or IDs. All of this is simple and convenient with messaging software that allows both patients and providers/staff to send and receive files through the messaging solution.

Long-Term Support and Training

No solution is foolproof; there will be hiccups at times. While top-notch vendors test and test their products to ensure reliability, at some point you’ll need some help. Whether it’s resources for new employees, troubleshooting for technology glitches, or changes to your setup, choose a vendor with a reputation for standing by their customers long-term. Even better, find a partner who specializes in healthcare so when you need help, they understand the impact to your day-to-day operations.

How to Implement HIPAA-Compliant Messaging & Chat 

Getting started should be easy. Here are a few steps to take the guesswork out of it:

  1. Determine what success will mean to your organization and how to measure it. Be sure to grab baseline data before implementation.
  2. Find a partner 
  3. Determine your timeline and dedicate a resource to the project 
  4. Work with your vendor through the implementation project and timeline 
  5. Upon go-live, let your patients know you’re expanding access and making it convenient to get in touch with your office. Here are a few suggestions to get the word out: 
    • Signage in your office, “You can text us!”
    • Use demand/broadcast messaging to notify your patients via text and email that you are available via chat now 
    • Be ready to respond to non-traditional reminder responses 
    • Include language in your appointment reminders to notify patients that they can simply respond to their text reminder to ask questions and get help when needed 
  6. Track metrics like response rates and utilization
  7. Round table with your clinical and non-clinical staff to learn how they like it and expand how they use it 
  8. Ask patients for their feedback and share with staff 

HIPAA Text Messaging Policy 

When implementing a 2-way patient chat solution, an accompanying HIPAA text messaging policy is recommended. Policies like this clarify when and how to utilize text messaging to communicate with patients, how to identify when a patient conversation should be switched to a secure messaging channel, and how to do that. Though each organization should draft its own policy with the help and collaboration of its leadership and legal experts, at a minimum the policy should outline what is considered PHI so medical office staff can identify a conversation that should be secure vs. non-secure. Best-practice patient chat solutions have a built-in flag to remind medical office staff to evaluate each patient conversation and utilize secure messaging in the case that a patient conversation contains PHI.


Medical practices, hospitals, and health systems need a way to communicate with patients via text. It’s more efficient, drives a better patient experience, expands access and convenience, and is more effective than any other form of patient communication. There are multiple applications for the everyday use of both HIPAA-compliant and non-secure patient chat within a healthcare setting, offering both clinical and non-clinical staff efficiencies that manual outreach and phone tag can never offer. The combination of both HIPAA-compliant and patient messaging can be more affordable when choosing a vendor who offers bundled pricing or who offers the non-secure messaging feature for free with appointment reminders or other solutions you may already have in place or that you need in addition to the messaging component. The quality of the solution and the reliability and responsiveness of the vendor are of equal importance so be sure to evaluate market options on both and talk to current customers, if you can. As with any health IT undertaking, you should determine your metrics of success on the front end, measure your baseline data, and be ready to compare at scheduled intervals to determine the success of the project.