Compliance · Legal · 12 min read · April 22, 2025

HIPAA-Compliant Patient Communication: What Every Practice Needs to Know in 2025


Dr. Vikram Singh

Practice attorney · Former clinician

I spent the first decade of my career treating patients. The last seven years, I have spent defending the dentists who did not realise their patient communication system was exposing PHI. The gap between what most dentists believe about their compliance status and what HIPAA actually requires has never been wider — and the OCR enforcement data proves it.

In 2024 alone, the HHS Office for Civil Rights resolved 16 enforcement actions against dental practices and DSOs, with penalties ranging from $10,000 to over $250,000. The most common violation? Impermissible disclosure of protected health information through unsecured communication channels. In plain English: sending appointment reminders or treatment details over unencrypted SMS, or storing patient photos on unsecured consumer cloud platforms.

The specific risk areas in 2025

Standard SMS and text messages

The vast majority of dental practices send appointment reminders via standard SMS. Under HIPAA, this is permissible only if the patient has explicitly consented to receive unencrypted text messages and has been informed of the risk. The OCR's 2024 guidance clarified that "implied consent" — having the patient provide their mobile number at check-in — is not sufficient for treatment-related communication containing PHI.

The practical solution is not to stop using SMS. It is to (a) obtain written consent that specifically authorizes SMS communication containing PHI, (b) limit the PHI in SMS to the minimum necessary (appointment time and doctor name, not diagnosis or treatment details), and (c) offer the patient an encrypted alternative like a secure patient portal.

Practice management software integrations

This is the area where I see the most exposure. Your PMS is likely HIPAA-compliant as a standalone system. But if your PMS integrates with any third-party service — recall platforms, billing processors, review management tools, AI transcription — each of those integrations creates a new potential disclosure point. You are required to have a Business Associate Agreement (BAA) in place with every third-party service that touches PHI. In my experience, about 60% of dental practices using integrated tools do not have valid BAAs for every vendor in their stack.

Patient photos on clinical platforms

With the rise of aligner therapy, implant planning, and digital smile design, dental practices are generating more clinical photography than ever. If those photos are uploaded to cloud-based treatment planning platforms, patient communication apps, or social media (even with "consent"), you have created a disclosure that needs to be tracked and documented under HIPAA's accounting of disclosures requirement. A common scenario I see: a practice uses a cloud-based treatment presentation tool to show patients their digital smile preview. The tool stores the photos on a US-based server. The patient signs a consent form. But the practice has no BAA with the tool provider. That is a violation.

"The rule of thumb I give every practice: if your patient data touches any server you did not personally secure, you need a signed BAA for it. No exceptions. No 'they said they were HIPAA-compliant' without a signed contract."

The three-tier compliance framework

I recommend every dental practice adopt a three-tier model for patient communication:

  1. Tier 1 — Public: Marketing communications, newsletters, general health tips. No PHI involved. Standard email and social media channels are fine. No consent needed.
  2. Tier 2 — Operational: Appointment reminders, recall notifications, billing notifications. Contains limited PHI (name, date, time). Requires written patient consent and should use a platform that maintains an audit trail.
  3. Tier 3 — Clinical: Treatment plans, lab prescriptions, clinical photos, post-op instructions. Contains full PHI. Requires encryption, BAAs with every vendor, and documented access controls.

Most compliance gaps occur when a practice treats a Tier 3 communication (sending post-op instructions with a wound photo) through a Tier 1 channel (unencrypted text message).

What the platforms need to provide

If you are evaluating a patient communication platform — and I strongly recommend you use one rather than building your own workflow — here is the compliance checklist I give my clients:

  • Signed BAA — not negotiable, and it must cover all subcontractors the platform uses (cloud hosting, SMS carriers, email delivery services)
  • Audit log — every message sent, viewed, and responded to must be logged with timestamps and user IDs
  • Minimum necessary configuration — the platform should let you limit what PHI appears in different message types
  • Patient consent management — digital consent capture with version tracking and revocation capability
  • Data deletion — when a patient requests deletion of their records, the platform must propagate that deletion to all downstream systems within a reasonable timeframe
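To make the three-tier model and the platform checklist above concrete, here is an added example of a policy gate a practice or platform could put in front of its outbound messaging. It is illustration code written for this post, not RetainOS code and not a tool the author describes. It classifies a message by the PHI fields it actually carries (so a "reminder" that includes a wound photo is treated as Tier 3), refuses channels the tier does not permit, checks for written consent that has not been revoked and for a signed BAA with the delivery vendor, strips a message down to the minimum necessary for a lower tier, and writes an audit entry (timestamp, user ID, field names only, never PHI values) for every decision. The field names, channel names, vendor names and consent records are all constructed for the example; a real system would take them from the PMS and the platform's consent store.

```python
"""Policy gate for the three-tier patient-communication model (illustrative, not production code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):
    PUBLIC = 1        # marketing, newsletters, general tips: no PHI
    OPERATIONAL = 2   # reminders and recalls: name, date/time, doctor only
    CLINICAL = 3      # treatment plans, photos, post-op instructions: full PHI


# Constructed field vocabulary (assumption): which message fields belong to which tier.
PUBLIC_FIELDS = {"subject", "body"}
OPERATIONAL_FIELDS = {"patient_name", "appointment_time", "doctor_name"}
CLINICAL_FIELDS = {"diagnosis", "treatment_plan", "photo_ref", "post_op_instructions"}

# Channels each tier may use (assumption modelled on the post: unencrypted SMS and
# email never carry clinical content; only the secure portal carries Tier 3).
ALLOWED_CHANNELS = {
    Tier.PUBLIC: {"email", "sms", "social", "portal"},
    Tier.OPERATIONAL: {"sms", "email", "portal"},
    Tier.CLINICAL: {"portal"},
}


@dataclass
class Consent:
    channels: set          # channels the patient authorised in writing
    version: str           # version of the consent form that was signed
    revoked: bool = False  # revocation must be honoured immediately


@dataclass
class Decision:
    allowed: bool
    tier: Tier
    reason: str


AUDIT_LOG: list = []  # in a real platform this is an append-only store, not a list


def classify(fields: dict) -> Tier:
    """Tier is derived from content, not from the label the sender chose.
    Any field outside the known vocabulary is treated as clinical (fail closed)."""
    keys = set(fields)
    unknown = keys - PUBLIC_FIELDS - OPERATIONAL_FIELDS - CLINICAL_FIELDS
    if unknown or keys & CLINICAL_FIELDS:
        return Tier.CLINICAL
    if keys & OPERATIONAL_FIELDS:
        return Tier.OPERATIONAL
    return Tier.PUBLIC


def minimum_necessary(fields: dict, tier: Tier) -> dict:
    """Strip everything above the target tier so a message can go out on a lower-tier channel."""
    keep = set(PUBLIC_FIELDS)
    if tier >= Tier.OPERATIONAL:
        keep |= OPERATIONAL_FIELDS
    if tier >= Tier.CLINICAL:
        keep |= CLINICAL_FIELDS
    return {k: v for k, v in fields.items() if k in keep}


def gate(fields: dict, channel: str, vendor: str, patient_id: str, user_id: str,
         consent: Optional[Consent], vendors_with_baa: set) -> Decision:
    """Decide whether a message may be sent, and record the decision in the audit log."""
    tier = classify(fields)
    if channel not in ALLOWED_CHANNELS[tier]:
        decision = Decision(False, tier, f"{channel} is not permitted for Tier {int(tier)} ({tier.name})")
    elif tier > Tier.PUBLIC and (consent is None or consent.revoked or channel not in consent.channels):
        decision = Decision(False, tier, "no valid written consent for this channel")
    elif tier > Tier.PUBLIC and vendor not in vendors_with_baa:
        decision = Decision(False, tier, f"no signed BAA on file for vendor {vendor}")
    else:
        decision = Decision(True, tier, "ok")
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user_id": user_id,
        "patient_id": patient_id,
        "channel": channel,
        "vendor": vendor,
        "tier": int(tier),
        "fields": sorted(fields),  # field names only: the log must not become a second copy of the PHI
        "consent_version": consent.version if consent else None,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


if __name__ == "__main__":
    # Constructed sample: a post-op message with a wound photo, sent by staff user "u-17"
    # to patient "p-42" over the SMS vendor "smsco" (names are placeholders).
    consent = Consent(channels={"sms", "portal"}, version="2025-01")
    msg = {"patient_name": "A. Patient", "appointment_time": "2025-05-02 09:00",
           "post_op_instructions": "rinse gently", "photo_ref": "img-001"}
    print(gate(msg, "sms", "smsco", "p-42", "u-17", consent, {"smsco"}))      # denied: Tier 3 over SMS
    print(gate(msg, "portal", "portalco", "p-42", "u-17", consent, {"smsco"}))  # denied: no BAA with portalco
    trimmed = minimum_necessary(msg, Tier.OPERATIONAL)                          # reminder only, no clinical fields
    print(gate(trimmed, "sms", "smsco", "p-42", "u-17", consent, {"smsco"}))  # allowed
    for entry in AUDIT_LOG:
        print(entry)
```

The design choice worth noting is that the gate never trusts the tier a sender assigns; it recomputes it from the fields present, so the common failure the post describes (Tier 3 content sent through a Tier 1 channel) is caught at the point of sending rather than found later in an OCR investigation.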

The cost of non-compliance

Beyond the financial penalties, there is a reputational cost that is harder to quantify but more damaging. The OCR publishes every enforcement action. Patients can search for their dentist's name. A single HIPAA violation notice on the HHS website can undo years of trust-building. The practices that treat compliance as a marketing expense — not a legal one — are the ones that sleep better.

The good news: HIPAA compliance in 2025 is largely about documentation and platform selection, not infrastructure. There is no need to build your own encrypted messaging system. You just need to ensure that the platforms you use have the right contractual protections in place, and that your consent workflows are documented.


Compliant patient communication, built in

RetainOS provides HIPAA-ready infrastructure with BAAs, audit logging, patient consent management, and minimum-necessary messaging — so you do not have to think about compliance every day.