HIPAA-Compliant Texting for Therapists — What Is and Is Not Allowed
Many therapists text clients without realizing that doing so creates HIPAA liability. Standard SMS, iMessage, and WhatsApp are not HIPAA-compliant — their providers do not sign a Business Associate Agreement (BAA). Here is what therapists can and cannot do when texting clients.
Updated May 2026 · Based on HHS guidance and OCR enforcement patterns
The key rule: it depends on the content
A text message becomes PHI the moment it links a person's identity to their health information. “Your appointment is tomorrow at 2pm” is borderline. “Your therapy appointment is tomorrow” is PHI — it links the person to mental health treatment. The name of your practice in the sender field can be enough.
What Counts as a HIPAA Violation When Texting
- ✗ Texting a client about their diagnosis, symptoms, or treatment plan via standard SMS
- ✗ Sending therapy session notes, homework, or clinical resources via regular text
- ✗ Texting appointment reminders that mention "therapy" or your therapy practice name
- ⚠ A generic "appointment reminder tomorrow at 2pm" with no practice name — still risky without client consent
- ✓ Using a HIPAA-compliant platform with a signed BAA for all client messaging
- ✓ Sending non-PHI texts (general scheduling) after client provides written consent and acknowledgment of risk
HIPAA-Compliant Texting Options
All options below can sign a BAA and are appropriate for client communication containing PHI.
SimplePractice Secure Messaging
Built-in EHR messaging · Included with SimplePractice ($29+/mo)
BAA: ✓ Covered under EHR BAA
Best for: Therapists already using SimplePractice
- ✓ No separate app needed
- ✓ Client messages in same system as notes
- ✓ BAA already signed
- ✓ Message history attached to client record
- ✗ Requires client to log into portal
- ✗ Not a traditional text — portal-based
Hushmail for Healthcare
HIPAA-compliant email + secure forms · From $9.99/mo
BAA: ✓ BAA included
Best for: Therapists who need HIPAA-compliant communication outside their EHR
- ✓ BAA included
- ✓ Secure message delivery
- ✓ Works like regular email
- ✓ Healthcare-specific features
- ✗ Email-based, not true SMS texting
- ✗ Client needs to receive secure message link
Signal
Encrypted messaging app · Free
BAA: ✗ No BAA available
Best for: Not recommended for therapy client communication
- ✓ End-to-end encrypted
- ✓ Free
- ✗ No BAA — not HIPAA-compliant for PHI
- ✗ No audit logs
- ✗ Not designed for healthcare
Standard SMS / iMessage
Regular text messaging · Free
BAA: ✗ No BAA
Best for: Non-PHI only — appointment reminders with no clinical content
- ✓ Universal — every client has it
- ✓ Instant delivery
- ✗ Not HIPAA-compliant for PHI
- ✗ No BAA from carriers
- ✗ Avoid for anything clinical
What About WhatsApp?
WhatsApp does not sign HIPAA Business Associate Agreements. Meta (WhatsApp's parent company) explicitly states in its terms that WhatsApp is not intended for HIPAA-covered entities and does not offer a BAA.
Despite end-to-end encryption, using WhatsApp for therapy-related client communication is a HIPAA violation. This is one of the most common compliance mistakes among therapists — especially those who work with clients who prefer WhatsApp over email.
FAQ — HIPAA Texting for Therapists
Can therapists text clients at all?
Yes — with conditions. You can text clients for non-PHI purposes (generic scheduling) with their written consent acknowledging the risk. For any communication containing PHI (clinical content, diagnosis-related information, or anything that identifies them as a therapy client), you must use a HIPAA-compliant platform with a signed BAA.
Is iMessage HIPAA-compliant?
No. Apple does not offer a HIPAA BAA for standard iMessage. iMessage is end-to-end encrypted, but encryption alone does not make a service HIPAA-compliant — you also need a signed BAA, audit logs, and access controls. iMessage has none of these for healthcare use.
What is the easiest HIPAA-compliant texting solution for solo therapists?
If you use SimplePractice, the built-in secure messaging is the easiest option — it is already covered under your existing BAA and keeps client messages in the same system as your notes. If you need something outside your EHR, Hushmail for Healthcare is the simplest standalone option with a signed BAA.
Can I get client consent to text them on a non-HIPAA platform?
Client consent allows you to communicate on a non-HIPAA platform, but it does not eliminate your HIPAA obligations — it shifts some risk to the client. OCR has indicated that authorization does not fully protect providers from liability if a breach occurs. For anything beyond basic scheduling, a HIPAA-compliant platform is the safer choice.