HEALTHCARE MESSAGING GUIDE

2025 Telehealth TCR Compliance Guide

Navigate the intersection of HIPAA and 10DLC. Learn how to register your telehealth practice for SMS, secure patient consent, and avoid carrier blocks in 2025.

HIPAA Aware | 10DLC Verified | Provider Focused

The Dual Challenge: HIPAA & 10DLC

Telehealth providers face a unique compliance environment. You must satisfy mobile carrier requirements (10DLC) to ensure message delivery while strictly adhering to federal patient privacy laws (HIPAA). Failure in either area can lead to communication blackouts or significant fines.

HIPAA Privacy

Protecting PHI. SMS is generally not secure for sensitive diagnosis or treatment details.

10DLC Rules

Carrier mandates for brand verification and explicit opt-in for business messaging.

TCPA Consent

Prior express written consent required for marketing messages, distinct from treatment consent.

Core Compliance Requirements

To successfully register your telehealth SMS campaign, you must meet these specific criteria:

  1. Specific Use Case

     Register under the "Healthcare" use case. Be specific in your description (e.g., "Appointment reminders and secure portal notifications for [Clinic Name]").

  2. No PHI in Texts

     Sample messages must NOT contain Protected Health Information. Use generic notifications (e.g., "You have a new message in your portal") rather than specific medical info.

  3. Secure Link Practices

     If sending links to patient portals, use a branded domain (e.g., `portal.yourclinic.com`). Avoid generic public shorteners like bit.ly.
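The "No PHI in Texts" and "Secure Link Practices" requirements can be checked mechanically before a template is registered or sent. The following is an added example, not MyTCRPlus code; the PHI hint words, the shortener list and the sample messages are constructed assumptions, and keyword matching is only a coarse first filter ahead of human review.

```python
import re

# Assumptions for this sketch (not from the guide): the PHI hint words and the
# shortener list are illustrative; the branded host is the guide's own example.
BRANDED_HOSTS = {"portal.yourclinic.com"}
PUBLIC_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
PHI_HINTS = re.compile(
    r"\b(diagnos\w*|prescription|lab results?|test results?|medication|"
    r"HIV|diabetes|dob|ssn)\b", re.IGNORECASE)
# Matches links with or without a scheme, so "bit.ly/abc" is caught too.
URL_RE = re.compile(
    r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.IGNORECASE)

def lint_sms(body):
    """Return a list of findings for one outbound SMS template."""
    findings = []
    for m in PHI_HINTS.finditer(body):
        findings.append(f"possible PHI term: {m.group(0)!r}")
    for m in URL_RE.finditer(body):
        host = m.group(1).lower()
        if host in PUBLIC_SHORTENERS:
            findings.append(f"public shortener link: {host}")
        elif host not in BRANDED_HOSTS:
            # Exact-match allow-list: a look-alike such as
            # portal.yourclinic.com.example.net is rejected as well.
            findings.append(f"link host not on branded allow-list: {host}")
    return findings

# Constructed sample messages.
OK = ("Clinic: You have a new message in your portal. "
      "https://portal.yourclinic.com/inbox Reply STOP to opt out.")
BAD = "Your HIV test results are ready: bit.ly/3xYz"
LOOKALIKE = "New message: https://portal.yourclinic.com.example.net/login"

if __name__ == "__main__":
    for name, msg in [("OK", OK), ("BAD", BAD), ("LOOKALIKE", LOOKALIKE)]:
        print(name, lint_sms(msg) or "clean")
```

Running the check in the template review step, before messages reach the sending system, keeps a non-compliant sample message out of the campaign registration as well as out of production traffic.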

Implementation Roadmap

Get your telehealth practice compliant in 3 phases.

Phase 1: Review Intake Forms

Update digital and paper forms to capture explicit SMS consent.

Phase 2: Register Brand

Submit your legal entity details to TCR. Ensure exact match with tax records.

Phase 3: Configure Messaging

Set up your system to send generic notifications that link to your secure portal.

Streamline Healthcare Compliance

MyTCRPlus offers specialized compliance kits for healthcare providers, including HIPAA-aware consent templates and registration guides.


Frequently Asked Questions

Is 2FA required for patient portals?

While not strictly a TCR requirement, using 2FA (Two-Factor Authentication) via SMS is a standard security practice for protecting PHI access. These messages must also be registered under a "2FA" or "Security" use case.

What if a patient opts out?

You must honor the "STOP" request immediately. Do not send further texts. You can still contact them via phone or email for critical health information if permitted by HIPAA and your internal policies.

Can I use a shared short code?

Shared short codes are largely deprecated. 10DLC (dedicated long codes) is the standard for most healthcare providers. Dedicated short codes are an option for very high volume but are expensive.


Legal Disclaimer: This content provides general information about Telehealth SMS compliance requirements and does not constitute legal or medical advice. Compliance obligations vary based on business model, message content, and applicable federal/state regulations (HIPAA, TCPA). Organizations should consult qualified legal counsel for guidance specific to their messaging programs. MyTCRPlus does not provide legal advisory services.