FOLIO R4 · HIPAA + TCPA
HHS / OCR / 45 CFR 164.502

HIPAA text reminders: allowed, with three guardrails.

HHS treats SMS appointment reminders as permitted under the HIPAA Privacy Rule's Treatment, Payment, Operations basis. The conditions: limit PHI in the message body, use a Business-Associate-covered platform, and capture intake-form SMS opt-in. TCPA sits on top with its own consent rules.

Sources: 45 CFR 164.502, HHS telehealth and HIPAA, FCC 2015 TCPA omnibus order.

FOLIO · The framing

Two laws, two questions, two answers

The compliance question on healthcare appointment reminders has two distinct legal frames that practices often conflate, with predictable confusion. The first frame is privacy: does the message inappropriately disclose PHI? That question is governed by HIPAA, which is enforced by the HHS Office for Civil Rights (OCR). The second frame is consent: did the patient agree to receive automated communication from the practice? That question is governed by the TCPA, which is enforced by the FCC and (more often in practice) by private class-action attorneys.

Each frame has a different answer. Under HIPAA, an appointment reminder is a permitted use of PHI under the Treatment, Payment, Operations (TPO) basis at 45 CFR 164.502. No separate written authorisation is required. The practice's standard Notice of Privacy Practices is sufficient, provided the patient was given the notice at intake and the reminder content stays within the minimum-necessary rule. The OCR has reinforced this position consistently: 2008 enforcement guidance, 2013 omnibus rule preamble, 2022 telehealth-and-HIPAA bulletin, and the 2023 reproductive-health privacy guidance all treat appointment reminders as TPO and not requiring further authorisation.

Under TCPA, automated calls and texts to a patient's cell phone require prior express consent. The 2012 FCC Healthcare Provider Exemption carved out a substantial part of routine healthcare communication, including appointment reminders, exam confirmations, lab notifications, and prescription pickup reminders, from the higher-bar prior express written consent that marketing texts require. The lower-bar prior express consent (the patient gave the practice the phone number for the purpose of healthcare communication) is generally satisfied by intake-form opt-in. The HIPAA answer and the TCPA answer both end at yes, but for different reasons.

FOLIO · What's PHI in a reminder

The minimum-necessary rule, applied to message content

HIPAA's minimum-necessary rule (45 CFR 164.502(b)) limits PHI use to the minimum required to accomplish the purpose. For an appointment reminder, the purpose is to remind the patient of the appointment. The information needed to accomplish that purpose is the date, time, location, and a way to confirm or reschedule. Anything beyond that risks running afoul of the rule.

| Content element | Status | Why |
|---|---|---|
| Patient first name | Fine | Identifies the recipient; minimal disclosure to others viewing the phone |
| Patient last name | Avoid where possible | Adds re-identification risk if phone is shared; first name plus practice name suffices |
| Practice name (generic) | Fine | Necessary for the patient to recognise the source |
| Practice name (specialty-revealing) | Caution | 'Coastal Oncology' or 'Bay Behavioral Health' reveals diagnosis category to anyone reading the phone; consider a neutral DBA for messaging |
| Date and time | Fine | Core purpose of the reminder |
| Provider name | Context dependent | Generally fine, except where the provider's specialty is itself sensitive (psychiatry, oncology, infectious disease) |
| Visit type or procedure | Do not include | Beyond minimum-necessary; reveals diagnosis context |
| Medication name | Do not include | Reveals diagnosis category |
| Test result reference | Do not include | Treatment context; secure portal only |
| Reschedule link | Fine | Operational; the link target should authenticate before revealing further PHI |
| No-show fee notice | Fine | Payment-related; permitted under TPO |

FOLIO · Sample template

A reminder template that stays inside both rules

Hi [first name]. Reminder of your appointment at [practice name] on [date] at [time]. A $50 no-show fee applies if missed without 24-hour notice. Reply C to confirm, R to reschedule, STOP to opt out.

That template covers the patient's first name (identification), the practice (necessary recognition), the appointment time and date (the purpose of the message), the fee notice (TPO payment-related), and the opt-out keyword (TCPA compliance). It excludes provider specialty, visit type, and any clinical context. It is appropriate for the vast majority of healthcare appointment reminders.

Variations for sensitive specialties: for psychiatric, addiction-medicine, infectious-disease, oncology, reproductive-health, and HIV-related practices, the practice name itself reveals diagnosis category. Common pattern: register a neutral DBA for messaging purposes (e.g. 'Coastal Health Group') and use it in reminder messages while retaining the specialty-revealing name for in-person and clinical communication.

FOLIO · Intake-form mechanics

Capturing TCPA opt-in without making it a compliance theatre exercise

TCPA prior express consent is satisfied when the patient knowingly provides the phone number for the purpose of healthcare communication. Most intake forms accomplish this with a simple checkbox plus a short disclosure. Sample disclosure language: By providing my mobile number, I consent to receive appointment reminders and other healthcare-related text messages from [practice name]. Standard message and data rates may apply. I may opt out at any time by replying STOP. SMS is not a secure channel and I understand my appointment reminders will be sent in plain text. For secure clinical communication I will use the patient portal.

That disclosure addresses three things at once: TCPA consent for automated texts, HIPAA acknowledgement that SMS is not encrypted, and the patient's understanding of the opt-out mechanism. Practices using e-intake (Phreesia, NexHealth, Klara) can capture this digitally; paper intake works equally well. The form should be retained as part of the patient record for audit purposes.

Two implementation notes. First, the opt-in covers all healthcare-related messaging including reminders, no-show fee notices, lab-result-ready notifications, and refill reminders, but does not cover marketing messages (newsletter, promotional offers, satisfaction surveys), which require a separate marketing opt-in under the higher TCPA bar. Second, the opt-out (STOP) must be honoured immediately and platform-wide; a patient who texts STOP to one campaign must be removed from all healthcare campaigns for that practice. Modern HIPAA-eligible platforms handle this automatically but verify the behaviour during vendor evaluation.
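As an added example, not part of the original folio and not any vendor's code, the following Python turns the content table and the sample template into an allow-list: a field outside the permitted set is refused at render time, with an explicit error for clinical-context fields, and a STOP handler removes a number from every campaign at once rather than only the one the patient replied to. The field names, campaign names and sample data are constructed for illustration.

```python
"""Reminder builder with a minimum-necessary allow-list, plus platform-wide STOP.

Added example; not the folio's own code and not any platform's API.
Field names, campaign names and sample data are constructed.
"""
from dataclasses import dataclass, field


class MinimumNecessaryError(ValueError):
    """Raised when a caller tries to put content outside the allow-list into an SMS body."""


# Fields the folio's content table marks "Fine" for a reminder body (constructed names).
ALLOWED_FIELDS = frozenset({"first_name", "practice_name", "date", "time", "no_show_fee"})

# Fields the table marks "Do not include"; listed so the error names the real problem.
CLINICAL_FIELDS = frozenset({"visit_type", "procedure", "medication", "test_result", "diagnosis"})

# The folio's sample template, with its placeholders as format fields.
TEMPLATE = (
    "Hi {first_name}. Reminder of your appointment at {practice_name} "
    "on {date} at {time}. A ${no_show_fee} no-show fee applies if missed "
    "without 24-hour notice. Reply C to confirm, R to reschedule, STOP to opt out."
)


def build_reminder(fields: dict[str, str]) -> str:
    """Render the reminder; deny by default for anything not on the allow-list."""
    clinical = CLINICAL_FIELDS & fields.keys()
    if clinical:
        raise MinimumNecessaryError(f"clinical context is not permitted by SMS: {sorted(clinical)}")
    unknown = fields.keys() - ALLOWED_FIELDS
    if unknown:
        raise MinimumNecessaryError(f"field not on the reminder allow-list: {sorted(unknown)}")
    missing = ALLOWED_FIELDS - fields.keys()
    if missing:
        raise ValueError(f"reminder needs: {sorted(missing)}")
    return TEMPLATE.format(**fields)


@dataclass
class OptOutRegistry:
    """Consent state for one practice: campaign name -> numbers opted in (constructed)."""
    campaigns: dict[str, set[str]] = field(default_factory=dict)

    def opt_in(self, phone: str, *campaign_names: str) -> None:
        """Record intake-form consent; one opt-in covers all healthcare campaigns."""
        for name in campaign_names:
            self.campaigns.setdefault(name, set()).add(phone)

    def can_send(self, phone: str, campaign: str) -> bool:
        """A message goes out only while the number is opted in to that campaign."""
        return phone in self.campaigns.get(campaign, set())

    def handle_inbound(self, phone: str, body: str) -> list[str]:
        """Apply an inbound keyword. STOP is honoured across every campaign, not
        just the one replied to; returns the campaigns the number was removed from
        (empty for replies that are not STOP)."""
        if body.strip().upper() != "STOP":
            return []
        removed = sorted(name for name, subs in self.campaigns.items() if phone in subs)
        for name in removed:
            self.campaigns[name].discard(phone)
        return removed


if __name__ == "__main__":
    # Constructed sample data.
    print(build_reminder({"first_name": "Ana", "practice_name": "Coastal Health Group",
                          "date": "May 6", "time": "2:30 PM", "no_show_fee": "50"}))
    reg = OptOutRegistry()
    reg.opt_in("+15550100", "reminders", "no_show_notices", "lab_result_ready")
    print(reg.handle_inbound("+15550100", "stop"))
    print(reg.can_send("+15550100", "lab_result_ready"))
```

The allow-list is the design point: a template that only knows about permitted fields cannot be extended to carry a visit type or medication by a later caller without changing this file, which is where a review would catch it. The registry is keyed by campaign so that the STOP path can be tested for the platform-wide behaviour the folio says to verify during vendor evaluation.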

FOLIO · Business Associate Agreements

The BAA layer: every vendor in the message path

HIPAA requires a signed Business Associate Agreement (BAA) with any vendor that creates, receives, maintains, or transmits PHI on the practice's behalf (45 CFR 164.502(e)). For SMS reminders, this means the patient engagement platform (Weave, SolutionReach, NexHealth, etc.) must sign a BAA covering its handling of patient names, phone numbers, and appointment metadata. All major healthcare-focused platforms sign BAAs as a matter of course. If a vendor declines or qualifies the BAA, that is a signal the vendor is not appropriate for healthcare and the practice should look elsewhere.

The SMS carrier itself (the telecom routing the message to the patient's phone) is generally treated as a conduit under HIPAA conduit-exception logic and does not require a BAA. This treatment is somewhat informal but has held under enforcement scrutiny because the carrier handles message routing without persistent access to message content. The patient engagement platform layer, which does have persistent access to message content and patient metadata, is unambiguously a Business Associate and the BAA is non-negotiable.

Practices building their own SMS pipeline using a wholesale aggregator (Twilio, MessageBird, Vonage) should sign a BAA with the aggregator. Twilio offers a HIPAA-eligible service tier that includes a BAA; the standard tier does not. Verify which tier the practice is on. Practices that built a quick-and-dirty SMS pipeline on the standard Twilio tier without a BAA are operating outside HIPAA and exposed to OCR enforcement risk.

FOLIO · Margin notes

Frequently asked questions

Are SMS appointment reminders HIPAA-compliant?
Yes, when implemented correctly. HHS Office for Civil Rights guidance, restated most recently in the December 2022 telehealth bulletin and the 2023 reproductive-health privacy guidance, treats appointment reminders as a permitted use of PHI under 45 CFR 164.502 (Treatment, Payment, Operations). The practice does not need separate written authorisation from the patient to send a reminder. Conditions: limit the PHI in the reminder (date, time, practice name, brief location is fine; diagnosis, medication, test result, or treatment plan is not appropriate); use a HIPAA-eligible platform with a Business Associate Agreement signed with any vendor that touches the message; respect patient opt-out preferences captured on the intake form.
What counts as PHI in an appointment reminder?
PHI is any individually identifiable health information. In an appointment reminder context, the patient name, the practice name (if specialty-revealing, like 'reminder from Coastal Oncology'), the appointment date and time, and any details about the visit type (procedure, diagnosis context) all qualify. The minimum-necessary rule applies: include only what the patient needs to remember the appointment. Best practice in 2026 is patient first name, practice name (generic where possible), date, time, and a reschedule link. Avoid: specific provider name where it reveals specialty (e.g. an oncologist or psychiatric provider), procedure description, test result reference, or medication context.
Do I need patient consent to text appointment reminders?
Two consent regimes apply, and they are distinct. HIPAA does not require separate written authorisation for appointment reminders, as noted above. TCPA does require prior express consent for any automated text to a patient cell phone. The 2012 FCC Healthcare Provider Exemption covers most appointment reminders without explicit prior express written consent, provided the message is free to the patient and limited to specified categories. Practical compliance pattern: include an SMS opt-in checkbox on the intake form (signed by the patient), capture the phone number, and provide a STOP keyword in every message. The opt-in covers the TCPA question; HIPAA is satisfied by the Treatment-Payment-Operations basis without further authorisation.
Is regular SMS encrypted enough for HIPAA?
Regular SMS is not encrypted in transit. HHS has acknowledged in published guidance that this is a known risk and that practices using SMS for appointment reminders must accept and disclose the risk to patients. The accepted compliance pattern is: limit PHI in the message body to the minimum (name, date, time, practice name only); inform the patient at intake that SMS is unsecured and ask them to confirm willingness to receive reminders by text; document the patient acknowledgement; offer a secure-portal alternative for patients who prefer encrypted communication. This pattern is widely accepted by OCR enforcement, with the caveat that the practice should not transmit clinical detail by SMS.

Register entries verified 2026-04-28