top of page

Do I Need a BAA to Text Patients?



Flowchart showing when a healthcare practice needs a signed BAA to text patients under HIPA


Do I Need a BAA to Text Patients? 

 

Yes, in most cases. If you use a third-party texting platform to communicate with patients and that platform will ever transmit, receive, or store protected health information (PHI), that vendor is a business associate under HIPAA, and you need a signed Business Associate Agreement (BAA) with them before you send a single message. The only real exception is if every text you send is fully generic (no name, no appointment detail, no condition, nothing that identifies the patient or their care) and you never let patients reply with anything sensitive. In practice, that's a hard line to hold once texting becomes two-way, so most healthcare practices that text patients regularly should use a platform that includes a signed BAA rather than try to thread this needle message by message. 



What a BAA Actually Covers? 


A Business Associate Agreement is a contract required under the HIPAA Privacy Rule (45 CFR 164.502(e) and 164.504(e)) between a covered entity (a healthcare provider, health plan, or clearinghouse) and any vendor, the "business associate," that creates, receives, maintains, or transmits protected health information on the covered entity's behalf. 


The BAA obligates the vendor to: 


  • Use PHI only for the purposes specified in the agreement. 

  • Apply appropriate administrative, technical, and physical safeguards to protect that data. 

  • Report any breach of unsecured PHI to the covered entity. 

  • Return or destroy PHI when the relationship ends, where feasible. 


Without a signed BAA in place, a covered entity is not permitted to hand PHI to that vendor, full stop. This applies to texting software exactly the same way it applies to your EHR vendor, your billing company, or your answering service. For a closer look at how this plays out day to day, see HIPAA texting dos and don'ts and our broader SMS compliance guide

 


When You Need a BAA to Text Patients? 



Comparison of texting a patient from a personal phone versus a HIPAA compliant secure messaging platform


You need a BAA if your texting platform will, at any point, handle information that counts as PHI. Under HIPAA's list of 18 identifiers (45 CFR 164.514), a text becomes PHI-carrying the moment it combines a patient identifier (name, date of birth, phone number tied to their record, etc.) with health information (an appointment type, a diagnosis, a prescription, a lab result, a bill for a specific service). 


Common scenarios that require a BAA: 


  • Two-way texting where patients can reply with symptoms, questions about a diagnosis, or photos. 

  • Sending lab results, prescription details, or referral information by text. See our guide to texting patient lab result notifications for how to do this compliantly. 

  • Texting appointment reminders that name a specific provider, procedure, or department (for example, "Your oncology follow-up with Dr. Smith is tomorrow at 2pm"). 

  • Any platform that stores conversation history tied to a patient record for more than a single message. 

  • Secure messaging, patient portals, or chat widgets that route back into your practice's systems. 


If any of these describe how you text patients today, and your vendor hasn't signed a BAA with you, you are out of compliance. These scenarios come up constantly across common use cases of healthcare texting, which is why the BAA question matters more than most practices initially assume. 

 


When You Might Not Need One (and Why That's Risky) 


HIPAA doesn't require a BAA for messages that never touch PHI. A text that says only "You have an upcoming appointment. Reply YES to confirm or call us to reschedule," with no identifying health detail, arguably doesn't carry PHI on its own. 


There's also a narrower "conduit exception." Entities that merely transport data without accessing its content, historically applied to services like the US Postal Service, are not automatically business associates. Some vendors have argued that basic SMS carriers or dumb pass-through gateways fall into this category. But this exception is interpreted narrowly by HHS. A texting platform that stores messages, manages contact lists, provides a dashboard, or adds any functionality beyond blind transport is not a conduit, it's a business associate, and it needs a BAA. 


In practice, relying on the "no PHI in this message" exemption is risky for three reasons: 


  1. Patients reply however they want. A patient who receives a generic reminder often texts back their symptoms, a photo of a rash, or "can we talk about my test results," and now PHI is sitting inside a platform with no BAA. 

  2. Staff drift. Over time, the person sending reminders starts adding detail ("your cardiology appointment" instead of "your appointment") without realizing the compliance line moved. 

  3. Enforcement doesn't require intent. HHS Office for Civil Rights (OCR) enforcement actions have targeted covered entities for using unsecured, non-BAA channels regardless of whether the specific message content was minor. 



What Happens If You Text Patients Without a BAA? 


If PHI passes through a vendor with no signed BAA, that's a HIPAA violation regardless of whether a breach or complaint ever occurs. It becomes a reportable incident, and it exposes the practice to civil penalties under HHS's tiered enforcement structure, which scales based on whether the violation was unknowing, due to reasonable cause, or the result of willful neglect. 


Penalty amounts are adjusted for inflation periodically, so check the current tables on HHS.gov's HIPAA enforcement page rather than relying on a fixed dollar figure. Beyond the financial exposure, an unauthorized disclosure through an uncontracted vendor also triggers breach notification obligations to the affected patients and, depending on scale, to HHS and the media. 



HIPAA vs. TCPA, Two Separate Rules You Need 


A BAA solves the HIPAA problem, but it doesn't solve consent. The Telephone Consumer Protection Act (TCPA) is a separate federal law that governs whether you're allowed to text someone's cell phone at all. You generally need the patient's prior express consent to send informational or transactional texts, and prior express written consent for marketing texts. 


TCPA consent and a HIPAA-compliant BAA are two different boxes that both need checking. A platform with a signed BAA does not automatically give you TCPA consent, and getting a patient's phone number from an intake form does not automatically clear the TCPA bar either.


Most compliant healthcare texting platforms build opt-in and STOP/HELP handling into the workflow specifically to cover this second requirement. 


See our SMS marketing TCPA compliance guide and SMS compliance checklist for the consent side of this, separate from the BAA question covered here. 

 


How to Know If Your Current Texting Setup Needs a BAA (Checklist) 


Answer these honestly about how your practice actually texts patients, not how you intend to: 


  • Do patients ever reply to your texts? If yes, you need a BAA. 

  • Do your texts mention a specific provider, service line, diagnosis, medication, or appointment type? If yes, you need a BAA. 

  • Does your texting tool store message history tied to a patient's contact record? If yes, you need a BAA. 

  • Are staff texting patients from personal cell phones using the native Messages app? If yes, stop immediately. Personal phones are not HIPAA-compliant channels, there's no BAA, no encryption at rest, no audit trail, and the data leaves the practice's control the moment a phone is lost or an employee leaves. 

  • Does your current SMS marketing tool's own website avoid the words "HIPAA" or "BAA" entirely? That's usually a sign it isn't built for PHI, and you're using it outside its intended scope. 


If you answered yes to any of the first three, or yes to the fourth, you need a platform that includes a signed BAA before you continue texting patients. Our guides on why a secure SMS platform matters and how to protect text messages walk through what to look for beyond the BAA itself, including encryption and access controls. 

 


HIPAA-Compliant Texting Platforms Compared 


Pricing and plan structures change, so verify current details directly with each vendor before purchasing. Figures below were confirmed directly from each vendor's public pricing page as of July 2026. 



Pricing and BAA comparison chart of HIPAA compliant texting platforms for healthcare practices


Platform 

Starting price 

BAA included 

Best fit 

Real limitation 

Falkon SMS 

$14.99/user/month (annual), $17.99/user/month (monthly) on Essential; Pro plan $24.99 to $29.99/user/month 

Included on the Pro plan and above, not on Essential 

Healthcare, home care, legal, and finance teams that want to text from an existing landline, VoIP, toll-free, or Microsoft Teams number, plus AI-assisted compliant replies 

BAA and HIPAA compliance require upgrading from Essential to Pro, it isn't included on the entry-level plan 

Spruce Health 

$24/user/month (Basic), $49/user/month (Communicator) 

Included on every plan, including the free trial 

Solo practices and multi-location clinics wanting phone, text, fax, and telehealth in one app 

Per-user pricing scales quickly for larger staffs; advanced call routing and API access are Communicator-only 

OhMD 

$300/month (Communicate plan), $500/month (Automate plan) 

Included, listed explicitly on both plans 

Multi-provider practices that want strong EHR integrations and are moving toward AI-handled call volume 

Flat per-practice pricing starts high for a solo or two-provider office compared to per-user tools 

Weave 

Starting at $249/month, with Pro, Elite, and Ultimate tiers priced by custom quote 

Not confirmed on Weave's public pricing page, verify BAA terms directly with Weave before relying on it for PHI 

Dental, medical, veterinary, and optometry practices that want an all-in-one VoIP phone system plus texting and reviews 

Exact plan pricing is quote-only past the starting tier, and BAA availability should be confirmed with sales before use 

SimpleTexting 

Plans from roughly $39/month based on volume 

Not offered. SimpleTexting's own HIPAA guidance states standard SMS is not a secure channel and recommends keeping PHI out of messages entirely 

General business texting and marketing outside of PHI-carrying conversations 

Not built for PHI. Their own compliance content says to avoid sending protected health information through the platform 

EZ Texting 

Plans from $20 to $25/month (annual), up to $3,000/month for Enterprise 

Not offered. EZ Texting's trust and compliance page covers TCPA, CTIA, and carrier registration, with no HIPAA or BAA program listed 

High-volume SMS marketing campaigns outside of healthcare PHI use cases 

Not positioned or built for HIPAA. There's no BAA program, so it isn't a fit for texts that include PHI 


The clearest takeaway from this table: general-purpose SMS marketing tools (SimpleTexting, EZ Texting) are excellent at what they're built for, mass texting and campaign management, but they are transparent about not being built to carry PHI. 


Dedicated healthcare communication platforms (Falkon SMS, Spruce Health, OhMD) build the BAA into their compliance story from the start. Weave sits in between, it's healthcare-focused but its BAA terms need a direct confirmation from sales before you rely on it for PHI-bearing texts. 

 


Book a 15-minute compliance walkthrough




How Falkon SMS Handles This 



Falkon SMS Secure Chat screen where a patient enters a PIN to open an encrypted conversation


Falkon SMS is HIPAA compliant and includes a signed Business Associate Agreement on its Pro plan. Every message is encrypted in transit and at rest, and the platform maintains a full, timestamped audit trail of every conversation, which matters both for HIPAA's Security Rule requirements and for demonstrating compliance if you're ever audited. 


A few specifics relevant to the BAA question: 


  • The BAA is included in the Pro plan (currently $24.99 to $29.99 per user/month depending on billing term), it is not included on the entry-level Essential plan, so healthcare teams need to select Pro specifically. 

  • Patients keep texting the practice's existing landline, VoIP, toll-free, or Microsoft Teams number, there's no new number to give patients, which avoids the common failure mode of staff falling back to personal cell phones because the "new" business number wasn't adopted. 

  • For anything more sensitive than a standard message, Falkon SMS offers Secure Chat, a PIN-protected encrypted session patients can open without downloading an app, useful when a patient needs to share something more detailed than an appointment confirmation. 

  • Secure file sharing uses expiring links rather than email attachments, for sending lab results, intake forms, or care instructions. 

  • Falkon handles 10DLC carrier registration on the customer's behalf, which is a separate (non-HIPAA) requirement for any business texting at scale in the US. 

  • Role-based access controls limit who on staff can see which patient conversations. 


For a healthcare practice specifically evaluating "do we need a BAA, and does this platform give us one," the direct answer for Falkon SMS is: yes, on the Pro plan, with the BAA and encryption included rather than sold as a separate add-on. 


 

Frequently Asked Questions 


Do I need a BAA to send patients text message appointment reminders?


It depends on what the reminder contains. A fully generic reminder with no provider name, service line, or health detail may not require a BAA on its own, but the moment the message names a specific appointment type, provider, or department, or the patient can reply with anything about their care, you need a signed BAA with your texting vendor. 


Is it a HIPAA violation to text a patient without a BAA?


It is a HIPAA violation if protected health information passes through a vendor that hasn't signed a BAA with your practice, regardless of whether the disclosure was intentional or the message seemed minor. The violation exists the moment PHI reaches an uncontracted business associate. 


Can I text patients from my personal cell phone?


You shouldn't, if there's any chance PHI is involved. Personal phones have no BAA in place, no enforced encryption standard, no audit trail, and no way to guarantee the data is removed if the phone is lost, stolen, or the employee leaves the practice. Most healthcare compliance guidance recommends against using personal devices or the default Messages app for any patient communication that could include health information. 


Does a BAA make text messages automatically HIPAA compliant?


No. A BAA is a required contract, not a technical safeguard by itself. The platform also needs to implement the technical protections HIPAA's Security Rule requires, encryption in transit and at rest, access controls, and audit logging, and your practice still needs patient consent under separate rules like the TCPA before texting them at all. 


What is the difference between a BAA and TCPA consent?


A BAA is a HIPAA contract with your texting vendor that permits them to handle protected health information on your behalf. TCPA consent is the patient's separate agreement to receive texts on their phone at all. You need both: a signed BAA with your platform, and documented consent from each patient, before texting them about their care. 


Which texting platforms include a signed BAA?


Falkon SMS, Spruce Health, and OhMD each include a BAA as part of their offering, though the specific plan tier required varies by vendor. General SMS marketing platforms like SimpleTexting and EZ Texting do not offer a BAA and explicitly advise against sending protected health information through their systems. Always confirm BAA availability and which plan tier includes it directly with the vendor before sending any PHI. 


Do carriers like AT&T or Verizon need to sign a BAA to carry patient texts?


Generally no. Wireless carriers acting purely as network transport typically fall under HIPAA's conduit exception, similar to the postal service, since they don't access or store the content of the message. The BAA requirement applies to the software platform your practice uses to compose, manage, and store those conversations, not the underlying cellular network. 



Related Reading 


 


Sources 


  • U.S. Department of Health and Human Services, Office for Civil Rights, "Business Associates" guidance (45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)) 

  • HHS Privacy Rule, 18 identifiers of protected health information (45 CFR 164.514) 

  • Federal Communications Commission, Telephone Consumer Protection Act rules 

  • Vendor pricing and compliance pages for Falkon SMS, Spruce Health, OhMD, Weave, SimpleTexting, and EZ Texting (verified directly, July 2026) 



See Falkon SMS's HIPAA-compliant Pro plan



 
 
bottom of page