SMS Compliance for Healthcare Practices: TCPA and HIPAA Explained

SlotFill Team

You want to text your clients about appointment availability. But you've heard HIPAA makes that risky. And there's something called TCPA that regulates texting. And you're not sure if you need consent, or what kind, or from whom.

Here's the straightforward guide to texting clients legally in a healthcare practice. No legal jargon, no hand-wringing — just what you need to know and do.

Two Laws, Two Different Concerns

HIPAA: What You Can Say

HIPAA (Health Insurance Portability and Accountability Act) protects patient health information. It governs the content of your messages.

Core question: Does your text reveal that someone is receiving healthcare treatment?

TCPA: Who You Can Text and When

TCPA (Telephone Consumer Protection Act) regulates unsolicited communications. It governs your permission to send texts and when you can send them.

Core question: Did the person consent to receive these texts, and are you sending at appropriate times?

You need to comply with both simultaneously. Let's break each one down.


HIPAA: What Goes in the Text

What Counts as PHI in a Text?

Protected Health Information (PHI) is any individually identifiable health information. In practice:

Definitely PHI:

  • "Your therapy session is confirmed" (reveals they're in therapy)
  • "Time to refill your anxiety medication" (reveals a condition)
  • "Your PT session for your ACL rehab..." (reveals injury and treatment)
  • Any mention of diagnosis, treatment type, or clinical details

Not PHI (scheduling information):

  • "An appointment is available tomorrow at 2pm"
  • "Reminder: you have an appointment Wednesday at 10am"
  • "Your appointment has been rescheduled to Thursday"

The critical distinction: A message that says "an appointment is available" doesn't reveal what kind of appointment. Without context, it could be a haircut, a dentist visit, or a business meeting.

Safe Messaging Templates

Waitlist notification (HIPAA-compliant):

"Hi Sarah! An appointment opened up for Tuesday at 2pm. Interested? [Claim link]"

Appointment reminder (HIPAA-compliant):

"Reminder: You have an appointment tomorrow, Wednesday Jan 15, at 2:00 PM. Reply YES to confirm or call to reschedule."

Not compliant:

"Hi Sarah, a therapy opening is available for your anxiety treatment next Tuesday."

The Rule of Thumb

Before hitting send, ask: "If a stranger read this text over someone's shoulder, would they learn anything about this person's health?"

If yes, rewrite it. If no, you're good.

What About the Practice Name?

This is a gray area. If your practice is called "Sunrise Physical Therapy," having that in the sender name or message does reveal the type of care. Most regulators consider this acceptable because:

  1. The client consented to receive texts from your practice
  2. Practice names are public information
  3. The alternative (hiding your identity) creates trust issues

However, if your practice name includes sensitive specialties ("Addiction Recovery Associates," "Fertility Wellness Center"), consider using a more neutral sender identity.


TCPA: Permission to Text

What Consent Do You Need?

TCPA requires express written consent before sending marketing or informational texts. For healthcare appointment notifications, you need:

Written consent that includes:

  • The specific phone number being texted
  • Agreement to receive texts from your practice
  • Understanding that messages may incur carrier charges
  • Clear ability to opt out

How to Get Consent

The easiest approach: add it to your intake paperwork.

Sample consent language:

"I consent to receive text message notifications from [Practice Name] regarding appointment availability, scheduling, and practice updates. Messages will be sent to the phone number provided below. Message frequency varies. Message and data rates may apply. Reply STOP to opt out at any time."

For pediatric practices, the parent or legal guardian provides consent for the minor patient. Collect the consenting adult's mobile number, not the child's.

Verbal Consent Is Not Enough

A client saying "sure, you can text me" during a session is not sufficient under TCPA. You need it documented — either:

  • Signed on paper intake forms
  • Checked on a digital intake form
  • Agreed to via a web form (your waitlist join page can serve as this)

Opt-Out Requirements

You must honor opt-out requests immediately. TCPA requirements:

  • Include opt-out instructions in your first message ("Reply STOP to opt out")
  • Process STOP replies within a reasonable time (ideally instantly)
  • Confirm opt-out: "You've been unsubscribed and won't receive further messages"
  • Never text someone who has opted out, even if they verbally say it's OK later (get new written consent)
  • Keep records of opt-outs

Who Opts Out

In practice, opt-out rates for healthcare scheduling texts are very low (1-3%). Clients want to know about available appointments. If your opt-out rate is higher than 5%, you may be sending too many messages or texting about irrelevant openings.


Quiet Hours: When You Can Text

TCPA restricts when you can send non-emergency texts:

Federal rule: No texts before 8:00 AM or after 9:00 PM in the recipient's time zone.

Why Time Zones Matter

If your practice is in New York and your client is in California (telehealth, snowbirds, etc.), you must respect their local time, not yours. A 9:00 AM ET text reaches California at 6:00 AM — that's a TCPA violation.

Best practices:

  • Track each client's time zone (or infer from their area code)
  • Build in a buffer: don't send before 8:05 AM or after 8:55 PM
  • If broadcasting to a mixed-timezone waitlist, use the most restrictive zone
  • Queue messages that fall outside quiet hours for delivery the next morning
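
A sketch of the quiet-hours gate these practices describe, as an added example (not SlotFill's code): it applies the 8:05 AM to 8:55 PM buffer in each recipient's zone, queues late sends for the next morning, and finds the first instant a mixed-timezone broadcast is allowed everywhere. It assumes each client's IANA time zone name is stored with their record; the function names and the year 2025 are illustrative.

```python
from datetime import datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo

# Buffered window from the best practices above: 8:05 AM to 8:55 PM local.
WINDOW_OPEN = time(8, 5)
WINDOW_CLOSE = time(20, 55)


def next_allowed(now, tz_name):
    """Earliest instant >= now (timezone-aware) inside one recipient's window."""
    tz = ZoneInfo(tz_name)
    local = now.astimezone(tz)
    if WINDOW_OPEN <= local.time() <= WINDOW_CLOSE:
        return now  # inside the window: send immediately
    day = local.date()
    if local.time() > WINDOW_CLOSE:
        day += timedelta(days=1)  # too late tonight: queue for tomorrow morning
    opening = datetime.combine(day, WINDOW_OPEN, tzinfo=tz)
    return opening.astimezone(timezone.utc)


def broadcast_time(now, tz_names):
    """Earliest instant at which every listed zone is inside its window."""
    t = now
    for _ in range(8):  # each pass only moves t forward; US zones settle in 2-3
        latest = max(next_allowed(t, name) for name in tz_names)
        if latest == t:
            return t  # nobody needed a delay, so all zones are in-window
        t = latest
    raise ValueError("no common send window for these time zones")


# Constructed input: the 9:00 AM ET send from the example above (Jan 15, 2025 assumed).
NOW = datetime(2025, 1, 15, 9, 0, tzinfo=ZoneInfo("America/New_York"))
```

Using zone names rather than fixed UTC offsets lets the same check stay correct across daylight saving changes.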

Emergencies

TCPA quiet hours don't apply to genuinely urgent health communications. But a cancelled appointment slot is not a medical emergency — quiet hours apply.


Common Compliance Mistakes

Mistake 1: Using Personal Phone for Practice Texts

Texting from your personal cell phone creates problems:

  • No audit trail — You can't prove what you sent or when
  • No opt-out tracking — How do you know who said STOP?
  • Commingled data — Your personal contacts and practice contacts mix
  • No BAA possible — Your phone carrier won't sign a Business Associate Agreement

Use a dedicated business line or a platform designed for healthcare messaging.

Mistake 2: Group Texts

Sending a group text to announce an opening reveals everyone's phone number to everyone else — and potentially reveals they're all clients at your practice. This is both a HIPAA and TCPA violation.

Always use individual messages, even when broadcasting to a group.

Mistake 3: Including Clinical Details

It's tempting to add context: "An appointment is available for a 50-minute individual therapy session." Don't. The words "therapy session" convert scheduling information into PHI. Keep it to: time, date, and a claim mechanism.

Mistake 4: No Consent Documentation

"I'm sure they gave consent at some point" doesn't hold up. Maintain records of:

  • When consent was given
  • What they consented to
  • Which phone number they provided
  • Any opt-out requests and when they were processed

Mistake 5: Texting Opted-Out Clients

A client who replies STOP must be removed immediately. Even if they call the next day and say "actually, I want the texts," get new written consent before resuming. "They said it was OK" won't protect you.
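
The record-keeping from Mistake 4 and the STOP rule from Opt-Out Requirements and Mistake 5 can be enforced by one append-only ledger that is consulted before every send. This is an added example, not SlotFill's code; the class, method names and the phone number are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

UNSUBSCRIBED = "You've been unsubscribed and won't receive further messages"


@dataclass
class ConsentLedger:
    """Append-only record of consent and opt-out events, keyed by phone number."""
    events: list = field(default_factory=list)

    def _log(self, phone, kind, detail, when=None):
        when = when or datetime.now(timezone.utc)
        self.events.append({"at": when, "phone": phone, "kind": kind, "detail": detail})

    def record_written_consent(self, phone, scope, when=None):
        # Signed intake form, checked box, or web form: when, what, which number.
        self._log(phone, "written_consent", scope, when)

    def record_verbal_request(self, phone, note, when=None):
        # Kept for the audit trail only; it never re-enables texting.
        self._log(phone, "verbal_request", note, when)

    def handle_inbound(self, phone, body, when=None):
        """Process a reply; return the confirmation text to send, or None."""
        if body.strip().upper() == "STOP":
            self._log(phone, "opt_out", body, when)
            return UNSUBSCRIBED
        return None

    def may_text(self, phone):
        """True only if the most recent consent or opt-out event is written consent."""
        allowed = False
        for e in self.events:
            if e["phone"] == phone and e["kind"] in ("written_consent", "opt_out"):
                allowed = e["kind"] == "written_consent"
        return allowed


def demo():
    """Constructed walk-through of Mistake 5; the phone number is fictional."""
    ledger, phone = ConsentLedger(), "+12125550123"
    ledger.record_written_consent(phone, "appointment availability and scheduling")
    states = [ledger.may_text(phone)]
    ledger.handle_inbound(phone, " stop ")
    states.append(ledger.may_text(phone))
    ledger.record_verbal_request(phone, "called: 'actually, I want the texts'")
    states.append(ledger.may_text(phone))
    ledger.record_written_consent(phone, "appointment availability and scheduling")
    states.append(ledger.may_text(phone))
    return states, ledger
```

Because events are only appended, the ledger doubles as the audit trail: every opt-out and the time it was processed stays on record after consent is renewed.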


Tools and BAAs

Do I Need a BAA for My Texting Tool?

Conservative answer: Yes, always get one for any tool that handles patient data.

Practical answer: If your texting tool only processes first names, phone numbers, and appointment times (not diagnoses, treatment details, or clinical notes), some argue it's not handling PHI. However:

  • Regulators prefer caution
  • Malpractice insurers may require BAAs for any patient-facing tool
  • Any tool that could inadvertently receive PHI (a client replies with health details) should have a BAA

What to Ask Before Adopting a Tool

  1. "Will you sign a Business Associate Agreement?"
  2. "Where is data stored? Is it encrypted at rest and in transit?"
  3. "Can I export or delete my data on request?"
  4. "How do you handle opt-out (STOP) requests?"
  5. "Do you support quiet hours / time zone handling?"

A "no" to question 1 is a dealbreaker for healthcare practices.


Quick Reference: Compliance Checklist

  • [ ] Written SMS consent collected at intake for each client
  • [ ] Consent records stored and accessible
  • [ ] Message content contains no PHI (no diagnosis, treatment type, clinical details)
  • [ ] Opt-out mechanism working (STOP keyword honored instantly)
  • [ ] Quiet hours enforced (no texts 9pm-8am in recipient's time zone)
  • [ ] Individual messages (no group texts that reveal other recipients)
  • [ ] Dedicated business number (not personal cell phone)
  • [ ] BAA in place with your messaging tool/platform
  • [ ] Records retained of messages sent, opt-outs processed

The Bottom Line

Texting clients about appointment availability is legal, ethical, and appreciated — as long as you follow two simple principles:

  1. HIPAA: Keep messages to scheduling information only. No clinical details, no diagnosis, no treatment type.
  2. TCPA: Get written consent, honor opt-outs immediately, respect quiet hours.

These aren't obstacles to communication — they're guardrails that protect your clients and your practice.


SlotFill is built with healthcare compliance in mind. HIPAA-conscious messaging (scheduling data only, no PHI), automatic STOP/START handling, quiet hours enforcement, and BAAs available on request. Start your free trial and see how simple compliant waitlist messaging can be.
