HIPAA-Compliant Texting for Dental Practices: What You Need to Know
Patient texting has become essential for dental and endodontic practices. Appointment confirmations, reminders, and review requests are all more effective via SMS than phone calls or email. But texting patients brings regulatory requirements that every practice needs to understand.
There are three regulatory frameworks that govern patient texting: HIPAA (health information privacy), TCPA (telephone consumer protection), and A2P 10DLC (carrier-level messaging registration). This guide covers what each one requires and how to stay compliant.
HIPAA and patient texting
HIPAA's Privacy Rule and Security Rule govern how protected health information (PHI) can be transmitted. Text messages that contain PHI must be sent through a system that provides appropriate safeguards.
What counts as PHI in a text message?
PHI includes any information that can identify a patient and relates to their health condition, treatment, or payment. In the context of dental texting, this includes:
- Patient name combined with appointment details (date, time, procedure type)
- Patient name combined with balance or payment information
- Any mention of diagnosis, treatment, or clinical information
- Patient name combined with the practice name (this confirms a treatment relationship)
Standard appointment confirmations ("Your appointment is tomorrow at 2:30 PM") are considered treatment communications and are generally permissible under HIPAA's treatment exception, provided appropriate safeguards are in place.
What safeguards does HIPAA require?
HIPAA doesn't prohibit texting patients — it requires that you implement reasonable safeguards when doing so. For a HIPAA-compliant texting system, this means:
- Encryption in transit: Messages should leave your practice through a platform that protects them with TLS between your systems and the provider. SMS itself is not encrypted end-to-end (the carrier-to-handset leg is sent in the clear), which is why using a HIPAA-compliant messaging platform and keeping message content minimal both matter.
- Access controls: Only authorized staff should be able to send and view patient messages. Use role-based access with individual logins and audit trails.
- Business Associate Agreement (BAA): Your texting platform provider must sign a BAA, making them responsible for protecting PHI they handle on your behalf.
- Minimum necessary: Only include the minimum information needed in the text. Don't include procedure details, diagnosis codes, or clinical information in SMS messages.
- Audit trails: Maintain logs of all messages sent and received, including who sent them and when.
Best practice: Keep appointment confirmation texts generic — include the date, time, and doctor name, but not the procedure type. "Your appointment is tomorrow at 2:30 PM with Dr. Sempira" is safer than "Your root canal appointment is tomorrow at 2:30 PM."
TCPA requirements for dental texting
The Telephone Consumer Protection Act (TCPA) governs consent for automated text messages. This is separate from HIPAA and applies to any business sending automated texts, not just healthcare.
Prior express consent
You must have documented consent before sending automated text messages to patients. For healthcare messages (appointment reminders, confirmations), you need "prior express consent." For marketing messages (promotions, offers), you need "prior express written consent" — a higher bar.
In practice, this means:
- Appointment confirmations and reminders: Verbal or written consent is sufficient. Most practices obtain this during patient registration by asking "May we send you text messages about your appointments?"
- Review requests: These fall in a gray area between transactional and marketing. Best practice is to include review requests in your general SMS consent language.
- Payment reminders: Account servicing messages to existing patients generally fall under transactional consent.
- Marketing messages: Any promotional content requires written consent with specific language about message frequency and data rates.
Opt-out requirements
Every automated text must provide a way for the patient to opt out. The standard is "Reply STOP to opt out" included in the message. When a patient replies STOP, you must honor the opt-out immediately and stop all automated messaging to that number.
Never text patients who have opted out. TCPA violations can result in $500-$1,500 per unauthorized message. If a patient replies STOP, they must be removed from all automated messaging immediately.
A2P 10DLC registration
A2P 10DLC (Application-to-Person 10-Digit Long Code) is a carrier-level requirement that went into effect in 2023. All businesses sending automated text messages through local phone numbers must register their brand and messaging campaigns with The Campaign Registry (TCR) through their messaging provider.
Why it matters
Unregistered messages are increasingly filtered or blocked by carriers (AT&T, T-Mobile, Verizon). Even if your messages are HIPAA-compliant and you have patient consent, unregistered messages may never reach your patients' phones.
What you need to register
- Brand registration: Your business entity — EIN, address, website, contact information
- Campaign registration: The type of messages you send — use case (healthcare, appointment reminders), sample messages, opt-in/opt-out flows, consent documentation
- Phone number assignment: Your sending phone number must be associated with your registered campaign through a Messaging Service
Registration is typically handled by your messaging platform provider and takes 3-7 business days for approval. Once approved, your messages are sent through registered A2P routes with higher deliverability and throughput.
Multiple use cases may require multiple campaigns
Carriers distinguish between different message types. Appointment reminders and billing notifications may require separate campaign registrations if the carrier classifies them differently. Your messaging platform should handle this routing automatically.
SMS consent best practices for dental practices
Documenting consent properly protects your practice from both TCPA liability and carrier compliance issues. Here are the recommended methods:
Digital consent during patient registration
If your practice management software has an SMS consent field (TDO has this as the "bSendSMS" flag), staff should record consent during patient registration. The patient's SMS preference becomes part of their record, and your messaging system only sends to patients with consent recorded.
Paper intake forms
Include an SMS consent disclosure on your patient intake form: "I consent to receive appointment confirmations, reminders, and practice communications via text message (SMS). Message frequency varies. Msg&Data rates may apply. Reply STOP to cancel."
Verbal consent
Front desk staff can obtain verbal consent: "May we send you text messages about your appointments and account? You can opt out anytime by replying STOP." Record the consent in the patient's chart.
Public consent disclosure page
Maintain a publicly accessible page on your website that documents your SMS consent practices, messaging frequency, opt-out instructions, and links to your privacy policy and terms of service. Carriers review this page during A2P campaign registration.
Document everything. If a patient claims they didn't consent to messages, your documentation is your defense. Record the consent method (digital, paper, verbal), the date, and who obtained consent.
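The opt-out and consent-documentation rules above come down to a small amount of logic that any texting system, whether a vendor platform or a script behind a PMS, has to get right: record who consented, how and when; honor a STOP reply immediately, even from a number you no longer recognize; refuse to send when consent is absent or revoked; and log sent and blocked attempts alike. The following Python is an added example, not SendVyte's, TDO's, or any provider's code. It keeps patients in an in-memory table whose consent flag reuses the bSendSMS name the article mentions for TDO; the record layout, the audit-log format, and the sample patients are constructed for this example. STOP is the keyword the article names; the other opt-out keywords in the list are the ones carriers commonly recognize and are treated identically here.

```python
"""Consent-gated outbound SMS with STOP handling and an audit trail.

Added example (not vendor code). Patient records, log format and sample
data are constructed; bSendSMS reuses the TDO flag name from the article.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Keywords that revoke consent. STOP is the standard; the rest are the
# commonly carrier-recognized equivalents and are honored the same way.
STOP_KEYWORDS = {"STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}


@dataclass
class Patient:
    phone: str
    first_name: str
    bSendSMS: bool = False      # consent flag, named after the TDO field
    consent_method: str = ""    # "digital", "paper" or "verbal"
    consent_date: str = ""
    consent_by: str = ""        # staff member who obtained the consent


@dataclass
class MessagingSystem:
    patients: dict[str, Patient]
    opted_out: set[str] = field(default_factory=set)    # do-not-contact numbers
    audit_log: list[dict] = field(default_factory=list)

    def _log(self, event: str, phone: str, detail: str, user: str) -> None:
        """Every send, block, opt-out and consent change is recorded with who and when."""
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event, "phone": phone, "detail": detail, "user": user,
        })

    def record_consent(self, phone: str, method: str, staff: str) -> None:
        """Document consent: method, date and who obtained it.
        A newly documented consent also clears an earlier opt-out."""
        p = self.patients[phone]
        p.bSendSMS = True
        p.consent_method = method
        p.consent_date = datetime.now(timezone.utc).date().isoformat()
        p.consent_by = staff
        self.opted_out.discard(phone)
        self._log("consent_recorded", phone, method, staff)

    def handle_inbound(self, phone: str, body: str) -> str:
        """Process a reply. An opt-out keyword is honored immediately, even
        from a number that is not (or no longer) in the patient table."""
        if body.strip().upper() in STOP_KEYWORDS:
            self.opted_out.add(phone)
            if phone in self.patients:
                self.patients[phone].bSendSMS = False
            self._log("opt_out", phone, body.strip(), "system")
            return "opted_out"
        self._log("inbound", phone, body, "system")
        return "received"

    def send_reminder(self, phone: str, appt_date: str, appt_time: str,
                      doctor: str, sent_by: str) -> tuple[bool, str]:
        """Send a minimum-necessary reminder only while consent is in force.
        Blocked attempts are logged too, so the audit trail shows them."""
        if phone in self.opted_out:
            self._log("blocked", phone, "opted out", sent_by)
            return False, "opted out"
        p = self.patients.get(phone)
        if p is None or not p.bSendSMS:
            self._log("blocked", phone, "no consent on file", sent_by)
            return False, "no consent on file"
        # Only the fields the article lists as safe; a procedure type or any
        # clinical detail is not even accepted as a parameter.
        body = (f"{p.first_name}, your appointment is {appt_date} at {appt_time} "
                f"with {doctor}. Msg&Data rates may apply. Reply STOP to opt out.")
        self._log("sent", phone, body, sent_by)
        return True, body


def build_demo_system() -> MessagingSystem:
    """Constructed sample data: one patient with consent on file, one without."""
    patients = {
        "+15555550100": Patient("+15555550100", "Maria", bSendSMS=True,
                                consent_method="digital", consent_date="2024-01-15",
                                consent_by="front desk"),
        "+15555550101": Patient("+15555550101", "James"),
    }
    return MessagingSystem(patients)


if __name__ == "__main__":
    demo = build_demo_system()
    print(demo.send_reminder("+15555550100", "Tuesday", "2:30 PM", "Dr. Sempira", "scheduler"))
    print(demo.handle_inbound("+15555550100", "Stop"))
    print(demo.send_reminder("+15555550100", "Tuesday", "2:30 PM", "Dr. Sempira", "scheduler"))
    for entry in demo.audit_log:
        print(entry)
```

Two design choices are worth noting. The opt-out list is checked before the patient lookup, so a STOP from a number that has since been removed from the PMS still blocks sends to it, and a blocked attempt leaves the same kind of audit entry as a successful one, which is what lets you show a regulator or a complaining patient that a message was not sent after the STOP. Re-enabling messaging requires a staff member to record a fresh, documented consent rather than silently flipping the flag back.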
What to include (and exclude) in patient texts
Safe to include:
- Patient first name
- Practice name
- Appointment date and time
- Doctor name
- General balance amount (e.g., "$150.00 outstanding balance")
- Payment link URL
- Review request with Google link
- "Msg&Data rates may apply. Reply STOP to opt out."
Avoid including:
- Procedure type or diagnosis (e.g., "root canal", "apicoectomy")
- Clinical details or treatment notes
- Insurance information
- Social security numbers or dates of birth
- Detailed financial breakdowns
- Information about other patients
Choosing a HIPAA-compliant texting platform
When evaluating texting platforms for your dental practice, look for:
- BAA included: The provider must sign a Business Associate Agreement
- A2P 10DLC registration: The provider handles campaign registration with carriers
- Encryption: TLS 1.2+ for data in transit, AES-256 for data at rest
- Access controls: Individual user accounts with role-based permissions
- Audit logs: Complete message history with timestamps and sender identification
- Opt-out management: Automatic STOP keyword processing and DNC list management
- PMS integration: Direct integration with your practice management software to read consent flags
For endodontic practices using TDO Software, SendVyte integrates directly with TDO and reads the SMS consent flag from patient records. Only patients with consent recorded in TDO receive automated messages. SendVyte is HIPAA compliant, A2P 10DLC verified, and includes a BAA with every plan.
HIPAA-compliant texting from TDO
SendVyte reads consent flags directly from your TDO database. A2P 10DLC registered. BAA included. Encrypted end-to-end.
Key takeaways
Texting patients is legal, effective, and increasingly expected — but you need the right infrastructure. Get documented consent (digital, paper, or verbal), use a platform with a BAA and A2P registration, keep message content minimal (no procedures or diagnoses), and honor opt-outs immediately. Do these four things and your practice will be compliant with HIPAA, TCPA, and carrier requirements.
This article is for informational purposes and does not constitute legal advice. Consult with a healthcare compliance attorney for guidance specific to your practice.