Engagys Best Practice Snapshot

Cracking the SMS Text Code for Healthcare Communications—Compliance

Messaging between businesses and healthcare consumers is regulated by a mix of federal law, implementing regulations, and industry requirements. HIPAA protects healthcare consumers from unwanted marketing messages of any type by requiring prior consent, but allows healthcare messages subject to any additional requirements imposed due to the mode of communication. Determining the rules can be challenging, but the key focus should be establishing consent from healthcare consumers.
The Telephone Consumer Protection Act (TCPA) establishes rules for non-marketing and informational messages sent to cellphones. These same regulations apply to text messages, as they too are received via cellphone. Cellphone communications do require some form of opt-in by the healthcare consumer, and this prior consent may be oral, written, or implied by healthcare consumers providing their cellphone numbers to the organization. These types of healthcare messages may not include any marketing content, or they would be considered marketing messages under the TCPA.

Additional Considerations

Compliance Program—Create/update policies documenting internal rules for messaging consumers:

  • Categorize types of messages sent by permissible modes
  • Categorize scope of consents/opt-ins collected
  • Manage opt-out lists
  • Require training of appropriate employees and/or vendors

Best Practices—Determine which marketing/solicitation regulations may be best practices for all outreaches (e.g., TCPA imposes time-of-day requirements on pre-recorded telemarketing calls, but informational calls should also be sent during reasonable daytime hours, 8 a.m. – 9 p.m. local).

Federal Do-Not-Call (DNC) List—The DNC registry applies only to telemarketers and solicitation messages, not to informational, non-marketing automated calls or text messages. For non-marketing messages sent via telephone to healthcare consumers, only the organization's own opt-out list applies.

Cellular Telecommunications Industry Association (CTIA) Requirements

Additionally, the CTIA imposes its own compliance requirements for SMS text messaging. Since CTIA’s members are the wireless carriers and the technological gatekeepers for the organizations sending text messages, organizations must:

  • Collect opt-ins for text messaging campaigns
  • Send opt-in confirmation messages
  • Allow consumers to use common commands (e.g., “STOP”; “HELP”; etc.)
  • Manage an opt-out list

As a best practice, organizations should impose expiration timeframes of no more than eighteen months on opt-ins that are collected but not used for communication. Written consent provides the best record for an organization to document its adherence to the applicable rules, regulations and guidelines.

Finally, cellphone communications are not exempt from opt-out list management. Healthcare consumers may revoke their consent to receive text messages about a particular topic, or from a particular organization altogether, at any time; the organization must honor this opt-out and ensure no additional text messages are delivered.

SMS Text Requirements

Requirement                   Informational Messaging      Marketing/Solicitation
                              to Healthcare Consumers      to Healthcare Consumers
Consent: Prior Opt-in         Oral or written              Express written consent
Provide Opt-out Information   Yes                          Yes
Maintain Opt-out Lists        Yes                          Yes
Identify Sender               Yes                          Yes
Time of Day Restriction       Best Practice                Yes
Federal DNC List Applies



This overview does not constitute legal advice; please consult an attorney for legal advice on applicable laws and regulations.