Is illegal is it to send SMS/text messages to patients without proper, documented consent?

Yes, it is illegal to send SMS/text messages to patients without proper, documented consent under two primary federal laws: the Telephone Consumer Protection Act (TCPA) and the Health Insurance Portability and Accountability Act (HIPAA).

Violations of these regulations carry severe penalties for healthcare providers and facilities:

TCPA Penalties: Fines range from $500 to $1,500 per message. If the violation is found to be “willful,” the penalty can increase to $3,000 per message.
HIPAA Penalties: Civil penalties for HIPAA violations vary by “tier” based on the level of negligence, ranging from roughly $141 to over $2 million per year for uncorrected willful neglect.
Criminal Charges: In severe cases involving malicious intent, violations can lead to criminal charges and potential imprisonment.

The specific standards for obtaining and documenting patient permission.

Prior Express Written Consent: The TCPA generally requires explicit written permission before sending automated texts.
Informed Consent: Under HIPAA, patients must be warned about the security risks of texting (such as lack of encryption on standard SMS) before they consent.
Documentation: Consent must be “documented” and stored securely, such as in an Electronic Health Record (EHR), or a Consent Management System. Verbal consent is typically not sufficient for legal protection.
Mandatory Opt-Out: Every message must include a clear way for the patient to stop receiving texts (e.g., “Reply STOP to Opt-Out”).

Limited scenarios where messages may be sent without prior written forms.

While documented consent is the safest path, there are limited exceptions:

Patient-Initiated Contact: If a patient texts the practice first (e.g., asking for hours), the provider may respond directly within that specific conversation.
Emergency Purposes: Messages sent for “health or safety emergencies” (e.g., public safety warnings) are generally exempt from TCPA consent rules.
Prior Relationship (Informational Only): Some informational texts, like appointment reminders, may be allowed if the patient provided their number during registration, provided they have not opted out. However, these must still follow HIPAA’s “Minimum Necessary Standard” for any health info included.

Why standard SMS is often considered non-compliant even with consent.

Even with consent, using standard SMS (like iMessage or WhatsApp) can still be a HIPAA violation because they often lack:

End-to-End Encryption: Standard texts can be intercepted on open networks.
Audit Trails: HIPAA requires a record of who accessed or sent patient data.
Access Controls: Personal phones often lack the unique logins and automatic log-offs required by the HIPAA Security Rule.

Automated Collection: Captures informed consent for treatment and data sharing via your website.
Audit-Ready Logs: Creates non-editable logs (date, time, IP, policy version) for every consent event.
Preference Enforcement: Integrates with the CRM to automatically respect patient choices regarding marketing communications.
Centralized Dashboard: Offers a single view to manage and track patient consents or revocations.
Compliance: Helps fulfill the 6-year federal record-keeping requirement.

Costs vary based on your PatientGain service tier: