Healthcare organizations subject to HIPAA can use Talkroute for text messaging, but should avoid sending Protected Health Information (PHI) directly via SMS. Standard SMS is not suitable for transmitting PHI due to inherent limitations of the technology.
Why PHI Should Not Be Sent via SMS
- SMS is not encrypted end-to-end — messages can potentially be intercepted in transit
- Messages may be stored on carrier servers outside your control
- The recipient's device may not have appropriate security controls
- Messages cannot be remotely recalled or wiped if sent in error
These limitations apply to all SMS platforms, not just Talkroute.
How Healthcare Organizations Use Talkroute
The most common approach is to use SMS as a notification tool rather than for transmitting PHI directly. For example:
- Secure portal links: Send a text like "You have a new message from [Practice Name]" with a link to your EHR's secure patient portal where the recipient can log in to view the actual message.
- Appointment reminders: "Reminder: You have an appointment on Thursday at 2:00 PM. Reply C to confirm or call us to reschedule."
- General notifications: Office closures, check-in instructions, or requests to call the office.
These messages don't contain PHI and allow you to communicate efficiently with patients while keeping sensitive information within your secure systems.
Business Associate Agreements
Talkroute can sign a Business Associate Agreement (BAA) for customers on the Pro plan or higher. If your organization requires a BAA, please contact support to request one.
Need Help or Ready to Get Started?
Whether you're already using Talkroute or just exploring, we're here to help.