Standard SMS — the text messages your phone carrier delivers — is not HIPAA-compliant. It is transmitted without encryption, stored on carrier servers without patient authorization, and cannot be audited for access control. If your site is texting patients using a personal cell phone or a standard SMS app and those messages mention health conditions, study participation, or lab results, you have an active HIPAA compliance exposure. This guide identifies the exact risk and shows you the compliant implementation.
What Makes SMS Non-Compliant by Default
HIPAA requires that PHI transmitted electronically be protected by:
- Encryption in transit (standard SMS uses no end-to-end encryption)
- Access controls limiting who can view the message history
- Audit logs recording who accessed PHI and when
- A Business Associate Agreement with any third party handling the PHI
Standard SMS fails on all four criteria. A coordinator texting a patient “Your HbA1c screen result looked good — you are eligible for the study” from their personal phone has transmitted PHI through a non-compliant channel, regardless of intent.
The Two Safe SMS Approaches
Approach 1 — HIPAA-eligible platform with BAA: Use a messaging platform that offers HIPAA-eligible infrastructure and will sign a BAA. Twilio (twilio.com/hipaa), Heymarket (heymarket.com/hipaa), and Klara (klara.com) offer this. Messages are encrypted, access-controlled, and auditable. All condition-specific communication is permitted within the platform.
Approach 2 — Generic messaging with no PHI: Use any SMS platform but strip all PHI from messages. Send only: appointment reminders with date and time (no condition name), confirmation messages (“We received your inquiry — someone will call you tomorrow”), and logistics information. All clinical content moves to phone calls or secure patient portals. This approach requires no BAA but significantly limits what SMS can do in your recruitment workflow.
Patient Consent for SMS
Beyond HIPAA, SMS communication for marketing purposes requires TCPA (Telephone Consumer Protection Act) compliance. Before texting any patient, obtain explicit written or digital consent: “By providing your phone number and checking this box, you consent to receive text messages from [site name] about clinical research opportunities. Message and data rates may apply. Reply STOP to unsubscribe.” This consent language must appear on your inquiry form before the phone number field.
Staff Training: The Three SMS Rules
- Never text from a personal phone about patient information. Use only the designated site platform with the BAA.
- Never include condition names, diagnosis information, lab values, or study participation confirmation in SMS messages unless on a HIPAA-eligible platform.
- Always include an opt-out option in every outbound SMS: “Reply STOP to stop receiving messages.” This is both TCPA-required and good practice.
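An added example, not code from this guide or from any vendor named in it, of a pre-send gate that enforces Approach 2 and the three SMS rules in software: it refuses numbers without recorded consent, blocks messages that mention clinical terms or lab values, appends the opt-out line, and keeps an audit entry. The `SmsGate` class, the term list and the phone numbers are assumptions; a real deployment would call the messaging platform's send API where the gate returns the approved body.

```python
import re
from dataclasses import dataclass, field

# Constructed denylist of clinical wording that must never appear in SMS on a
# platform without a BAA; a site would extend it with its own study terms.
PHI_TERMS = {"hba1c", "diabetes", "eligible", "enrolled", "diagnosis", "lab result"}
# Constructed pattern for lab values such as "7.2 %" or "140 mg/dL".
LAB_VALUE_RE = re.compile(r"\b\d+(\.\d+)?\s*(%|mg/dl|mmol/l)\b", re.IGNORECASE)
OPT_OUT = "Reply STOP to stop receiving messages."


@dataclass
class SmsGate:
    consented: set                      # numbers with recorded TCPA consent
    audit_log: list = field(default_factory=list)

    def phi_findings(self, text):
        """Return the list of clinical terms or lab-value patterns found."""
        lowered = text.lower()
        hits = [term for term in PHI_TERMS if term in lowered]
        if LAB_VALUE_RE.search(text):
            hits.append("lab value")
        return hits

    def prepare(self, phone, text):
        """Return (ok, body_or_reason); every decision is written to the audit log."""
        if phone not in self.consented:
            return self._record(phone, False, "no TCPA consent on file")
        hits = self.phi_findings(text)
        if hits:
            # Log only the count, so the audit record itself never carries PHI.
            return self._record(phone, False, f"PHI detected ({len(hits)} findings)")
        body = text if OPT_OUT.lower() in text.lower() else f"{text} {OPT_OUT}"
        return self._record(phone, True, body)

    def _record(self, phone, ok, detail):
        self.audit_log.append({"to": phone, "sent": ok, "detail": detail})
        return ok, detail
```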
48-Hour Action List
- Hour 1: Audit your current SMS practices: does your team text patients? From what device or platform? Does any current SMS message include condition names or study participation details? Document every instance of non-compliant messaging.
- Hour 2: Select a HIPAA-eligible SMS platform. Request a BAA. Twilio’s BAA is available at twilio.com/hipaa — downloadable and signable online. Heymarket has a direct BAA request process at heymarket.com.
- Hour 3: Add TCPA consent language to your inquiry form above the phone number field. Have legal counsel review the consent language before launch.
- Day 2: Brief your team on the three SMS rules. Document the briefing. Transition all patient SMS communication to the BAA-covered platform. Retain records of the BAA and consent language as part of your HIPAA compliance documentation.
