
Secure Texting for Therapists: A Guide to HIPAA Risk and Compliance
Texting has become a convenient and even expected way for therapists to communicate with clients, whether for confirming appointments, checking in between sessions, or following up after care. But when those messages contain personal or health-related information, the stakes become much higher.
Under HIPAA, therapists are considered covered entities, which means any text message that includes protected health information (PHI) is subject to strict security and privacy regulations. That includes seemingly harmless details like a name, diagnosis reference, or even the fact that a person has an appointment.
This guide breaks down what therapists need to know about HIPAA-compliant texting, the risks of standard apps, and how to choose a secure, legally defensible communication solution.
The Hidden Risks of Conventional Messaging Apps
Most consumer texting apps are not HIPAA compliant. While they may offer some form of encryption, they typically lack:
- A signed Business Associate Agreement (BAA)
- Access controls (e.g. biometric or PIN authentication)
- Encrypted cloud storage that’s separate from personal backups
- Admin-level visibility or the ability to remotely wipe data
- Detailed audit logs that show when and how messages were accessed
For solo practitioners and small group practices, these risks can be easy to overlook, but the consequences are serious. HIPAA violations can result in financial penalties, reputational harm, and even loss of licensure in extreme cases.
What HIPAA Requires for Therapist-Client Texting
The HIPAA Security Rule outlines three core safeguard categories: administrative, physical, and technical. For texting, this translates into the need for encrypted communication, device-level access restrictions, secure message storage, and breach notification protocols.
Most importantly, HIPAA requires any third-party service provider involved in transmitting PHI, such as a texting app, to sign a Business Associate Agreement (BAA). If your platform doesn’t offer one, you are automatically out of compliance, regardless of how secure it seems.
What Makes a Platform HIPAA-Compliant for Therapists?
When evaluating a texting solution, therapists should look for platforms specifically designed for healthcare. These platforms should allow you to maintain a clear separation between personal and client communication while giving you the administrative tools to manage access, store data securely, and document communication trails for compliance audits.
Platforms like iPlum offer dedicated business numbers, encrypted texting and calling, and HIPAA-aligned controls, all with the option to sign a BAA. This ensures therapists can continue communicating efficiently with clients while upholding legal and ethical standards.
A HIPAA-compliant texting platform should provide:
- Encrypted messaging in transit and at rest
- A separate business number that keeps personal data private
- PIN or biometric access control on messages
- A signed Business Associate Agreement (BAA)
- Admin tools for remote wipe, message logs, and secure backups
These aren’t just “nice-to-haves”—they’re critical for meeting HIPAA’s expectations and reducing liability.
Therapist Use Cases: Everyday Compliance in Action
Consider a therapist who texts a client to confirm a session time, or another who follows up after a difficult appointment with a check-in message. If those messages are sent over unsecured channels, they may inadvertently expose PHI.
Using a platform like iPlum allows therapists to continue offering client-centered communication while encrypting messages, logging communication events, and providing clear boundaries between personal and professional use.
Final Thoughts
In 2025, HIPAA compliance for therapists goes far beyond encrypted email or printed forms. As texting becomes a primary tool for client interaction, the need to protect every message, call, and voicemail grows with it.
If you’re a therapist currently using your default phone number or consumer apps for client messaging, now is the time to upgrade. Not just to protect your practice, but to protect your clients and the trust they place in you.