Patient Messaging Systems

By Wade Emmert

I recently worked with a health care client who uses a third-party messaging system to communicate with patients—sending appointment reminders, online forms, educational materials, and even marketing campaigns.

While convenient, these systems can be *a privacy minefield* if not handled properly. Here’s why:

❌ Text messages are not encrypted in transit — they can be intercepted.

❌ Messages aren’t protected at rest — anyone with access to a phone or email can read them.

❌ No authentication — you can’t be sure the intended recipient is the one reading the message. If you’re using a messaging system with patients, you need safeguards in place. Here are three key steps:

✅ Get patient consent before sending messages via text or email.

✅ Avoid including PHI (Protected Health Information) — instead, send a secure link where patients can log in to view details.

✅ Have a Business Associate Agreement (BAA) with your vendor to ensure they follow industry-standard privacy and security protections.

If you have questions, drop a comment below or email me at wade@texashealthlaw.com.