Texting therapy is changing the way therapists engage clients. Whether it is used for appointment reminders, check-ins with patients, or the therapeutic process itself, texting is becoming a big part of the delivery of health services.
But in just two years (2025), with tighter HIPAA regulations and heightened anxiety about patient privacy, even texting your patients or clients in an unsecured way puts you at risk.
This guide breaks down every possible scenario you need to be mindful of to remain compliant as a therapist. You will learn best practices for using texting therapy safely, how to spot potential landmines, and how to use short messaging service (SMS) with patients or clients for reminders and text confirmations that are HIPAA-compliant.
If you are using SMS in your therapy practice, this is information you won’t want to miss.
What is Texting Therapy and How It Works
Texting therapy is a form of mental health service delivered via text messages. It differs from telehealth sessions that use video because texting doesn’t require an appointment and lets a client and their therapist reach each other at any time.
In 2025, many standard texting and telehealth therapists deliver therapy via texting services using an SMS platform that is HIPAA-compliant. SMS platforms that provide texting therapy offer a reasonable level of protection for sensitive data and secure messaging with several security features, including audit trails and consent tracking. There are many popular platforms that allow for texting and other services, along with integrated practice management options that are also HIPAA-compliant.
The demand for texting therapy has increased significantly year after year, especially as telehealth has added offerings for the convenience and safety of clients, who now text almost exclusively in their daily activities and expect the same quick, easy access to mental health services.
There are some free texting therapy apps available; however, these apps usually do not include any of the security features needed to be HIPAA-compliant. Many therapists provide texting therapy to clients, so caution should be taken: providers and therapists should always aim to introduce only clinically-based texting, along with the potential risks associated with providing texting therapy services.
Types of Laws in HIPAA-Compliant Texting
Texting clients can be a helpful and easy way for those in the helping professions to communicate with their clients. However, texting (for the therapist) is also incredibly legally complicated.
In order to ensure that your communications are secure and compliant, you must follow a number of U.S.-based laws intended to protect the privacy of your client. Below is an overview of the primary laws related to HIPAA-compliant text messaging:
1. HIPAA Privacy Rule
The HIPAA Privacy Rule establishes the foundation for patient confidentiality, including the steps that therapists must take when handling Protected Health Information (PHI) while texting. You will want to obtain client consent for any messaging that involves personal health identifiers. Even seemingly benign messages can run afoul of HIPAA if they inadvertently reveal PHI.
2. HIPAA Security Rule
The Privacy Rule essentially describes what you can share with your client, whereas the HIPAA Security Rule sets out the manner in which you must secure electronic protected health information (ePHI). One way to do this is to use secure texting platforms, or other HIPAA-compliant platforms, that provide strong user authentication, end-to-end encryption, role-based access controls, automatic message logging and other protections.
3. HITECH Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act amends and bolsters HIPAA through increased penalties for data breaches and a channel for timely notifications to impacted clients. If any texted information that can be considered PHI is breached, you are legally required to provide notification of the breach.
4. 42 CFR Part 2 (for Substance Use Counseling)
If you are a therapist working with patients who are experiencing substance use disorders, 42 CFR Part 2 applies to you. 42 CFR Part 2 imposes even stricter rules relating to confidentiality and security than HIPAA does. In fact, even if you have consent to disclose certain information by text, your ability to do so is heavily constrained and will need to be managed carefully, even with secure technology.
5. State-Specific Privacy Laws
A number of states have additional privacy regulations concerning healthcare data, on top of the federal regulations noted above. For example, the California Confidentiality of Medical Information Act (CMIA) and New York’s SHIELD Act take additional steps to protect data. If using text messaging, therapists need to be aware of state-specific legal requirements and how they may affect texting with clients.
Is Texting Therapy HIPAA-Compliant? Here’s What You Need to Know
Texting therapy can be HIPAA-compliant, but it must follow strict rules regarding the protection of patient data. HIPAA requires any electronic communication containing Protected Health Information (PHI) to be secure and confidential.
What Is Considered PHI Within a Text?
PHI (Protected Health Information) means any health-related information that can be used to identify a person and that is sent or stored by a healthcare provider, including a text message.
Specifically, PHI in texting includes any message that contains both:
- Personally identifiable information (PII): Name, phone number, address, date of birth, email, insurance ID.
- Health-related material: Diagnosis, symptoms, medications, appointment times, therapist name, treatment notes.
Is It PHI? A Quick Text Message Check for Therapists
| Text Content | Includes Identity? | Includes Health Info? | HIPAA Protected (PHI)? | Why? |
| --- | --- | --- | --- | --- |
| “Hi Sarah, your therapy session is confirmed for 3 PM tomorrow.” | ✔️ Yes (Name) | ✔️ Yes (Therapy) | ✅ Yes | Identifies person and care type |
| “Reminder: Session with Dr. Lee on Tuesday at 2 PM.” | ❌ No | ✔️ Yes (Session info) | ✅ Yes | Session context implies treatment |
| “Hey! Don’t forget your appointment tomorrow.” | ❌ No | ❌ No | ❌ No | No identity or health details |
| “Hi John, your anxiety medication is ready for pickup.” | ✔️ Yes (Name) | ✔️ Yes (Medication) | ✅ Yes | Personal health and medication info |
| “Text STOP to unsubscribe.” | ❌ No | ❌ No | ❌ No | Generic message, no PHI involved |
Risks of Non-Compliant Therapy Texting in 2025
Communicating with clients via text without adhering to HIPAA guidelines can expose your practice to legal, ethical, and reputational risk. Before we discuss the risks involved, we need to clarify what non-compliant messaging is.
What is Non-Compliant Messaging?
Non-compliant texting can involve any text message or SMS communication that does not adhere to HIPAA privacy and security practices. This could include:
- Sending text messages with your personal phone or using non-compliant, unsecured apps without encryption.
- Sending a message that discusses sensitive information (in plain text) without encryption.
- Using text message communication without client consent to text.
- Sending identifiable information in plain text like appointment times, client names and/or client condition.
- Not retaining message logs and/or restricting access to records.
Why is this a Problem? Major Risks and Consequences
1. Legal and Financial Penalties
There could be serious penalties or fines for violating HIPAA, ranging from thousands to millions, even if the violation was unintentional. You may also subject yourself to audits, investigations or lawsuits, especially if PHI falls into the wrong hands or isn’t handled properly.
2. Failure of Client Trust
Clients expect confidentiality from you. A breach of privacy, even in one tiny instance, can cause clients to lose trust in your professionalism and ultimately stop engaging in therapy altogether.
3. Damage to Professional Reputation
In mental health care, your reputation is everything. Non-compliant messaging could affect your professional reputation resulting in loss of referrals, clients choosing not to continue in therapy with you, or damaging your reputation in your professional network.
Best Practices for HIPAA-Compliant Texting
Healthcare providers have a professional and legal duty to protect patient privacy and confidentiality while using text messaging. This section outlines helpful suggestions which can guide you to ensure your texting practices remain compliant, secure, and courteous to patients:
1. Utilize a HIPAA-Compliant Texting Platform
While many messaging apps, such as iMessage and WhatsApp, or standard SMS could be considered “secure” based on the user interface, none of them are HIPAA-compliant. They do not have the features necessary to secure client information.
As a result, you should use a texting platform built specifically for healthcare professionals, with the following characteristics:
- End-to-end encryption that protects messages while in transit.
- User verification to authenticate both the sender and recipient.
- Access control to restrict who can send messages and who can view messages.
- Documented message history with audit logs to provide an account of messaging activity.
HIPAA doesn’t apply to all forms of communication. For a non-clinical case, such as an insurance statement or an appointment reminder, you can explore texting platforms that support secure messaging workflows without the HIPAA implications. For example, Textdrip is being used for SMS insurance communication where HIPAA doesn’t apply. This makes managing outreach to insurance recipients easier.
2. Obtain Written Client Consent Before Sending Texts
Prior to sending a text message, obtain written consent from the client. HIPAA regulations require that you inform clients of the communication type and potential risk.
You must describe:
- what kinds of messages they will receive (e.g., appointment reminders, information updates)
- the risk of mobile communication (for example, interception, unauthorized access)
- their choice to opt out of texting at any time, without any impact on their care or treatment
Always document the client’s consent in your EHR or practice records. Oral consent is never enough – only documented consent protects you and your client in any future disputes.
Using secure forms or digital consent with your HIPAA-compliant platform is an optimal and effective solution.
3. Avoid Sending Detailed Health Information by Text
Text messages should be short, neutral and non-clinical. Even if using a HIPAA-compliant platform, it is best to reduce the amount of personal health information (PHI) shared.
Guidelines to follow:
- Keep messages generic – do not use any reference to diagnosis, medication, treatment plan or symptoms
- Avoid texting about sensitive topics – like mental health conditions, substance use, and mental health crisis updates.
If it is absolutely necessary to share any health-related information:
- Verify that the client has provided you with written consent.
- Use only HIPAA-compliant channels with encryption and access control.
By only communicating general reminders and updates, you keep the communication safe, maintain professional and personal boundaries, and respect your clients’ privacy.
4. Limit Identifiable Information
To be HIPAA compliant, always minimize the use of personally identifiable information (PII) in your messages.
A few tips to keep in mind:
- Do not include full names, addresses, birthdates, or insurance information in messages.
- If you need to identify a person, use only initials or first names, and only with documented client consent.
- Do not identify specific appointments or specific therapy notes that connect the message to a person.
The less information a message contains, the lower the risk of revealing protected information.
5. Keep Message Logs Secure
Text message logs must be part of the client’s health records.
- Use a HIPAA-compliant texting platform that securely logs and retains a full record of all communications.
- Restrict access to these logs through role-based permissions, a security setting that lets selected staff see their messages while keeping your client data hidden.
- To ensure you have a backup of these logs, use encrypted storage solutions that conform to privacy regulations and regularly back up your logs.
Secure message logs provide protection for both your client and your practice and maintain compliance.
6. Provide an Opt-Out Choice When Appropriate
Allow clients to opt out of receiving texts at any time.
- Communicate the opt-out policy when onboarding and in messaging.
- Use simple opt-out language like “Reply STOP to unsubscribe.”
- Honor opt-out requests immediately in your HIPAA-compliant texting platform.
This demonstrates transparency with clients, respects their choice, and fosters HIPAA compliance for counselors and therapists.
7. Train Staff on HIPAA Texting Protocols
HIPAA compliance requires more than tools; it requires people too.
- Train your staff on what is considered PHI when texting.
- Train them to use only HIPAA-compliant phone apps for therapists.
- Provide examples of compliant and non-compliant messages.
- Keep records of training sessions.
Conclusion:
Texting with HIPAA compliance is not just a technical mission; it is a professional matter. For therapists, securing communication protects client confidentiality and client cases from ineffectiveness.
By utilizing best practices, knowing the applicable U.S. laws, and using the appropriate tools, you minimize the risk of a data breach and risk with regulators.
The next step? Use a HIPAA-compliant texting platform that is built for healthcare providers. Supplement it with approved message templates and staff training, and document your communication procedures. When it is all working correctly, secure texting will enhance your client experience and be 100% compliant.