
HIPAA-Compliant Texting for Mental Health and Substance Use Clinics

💡 HIPAA-compliant texting for behavioral health means using a secure messaging platform that meets federal privacy rules for protected health information (PHI). Mental health and substance use disorder (SUD) clinics face two layers of compliance: HIPAA and 42 CFR Part 2, which adds strict limits on sharing SUD treatment records.

A compliant platform must include end-to-end encryption, a signed Business Associate Agreement (BAA), access controls, and consent workflows built for behavioral health. This guide explains what clinics need to know before choosing a texting solution.


HIPAA-compliant texting for behavioral health refers to secure, encrypted messaging that meets HIPAA rules for PHI. But for mental health and SUD clinics, compliance goes further. These settings also fall under 42 CFR Part 2, a federal law with stricter rules for SUD treatment records.

Behavioral health data is among the most sensitive in healthcare. A leaked diagnosis or treatment record can affect a patient's job, housing, or relationships. That's why the stakes for getting secure behavioral health communication right are so high.

This guide walks through what makes a texting platform truly compliant for behavioral health and what to watch out for.


What Makes Texting HIPAA-Compliant for Behavioral Health?

Not every "secure" messaging tool meets the bar for behavioral health. There's a baseline set of HIPAA rules that apply to all covered entities — and then there's a higher standard that mental health and SUD clinics must meet.

The Baseline HIPAA Requirements for Any Covered Entity

Under HIPAA, any platform used to send PHI must meet the Security Rule's technical safeguards. These include encrypted messaging, user access controls, audit logs, and automatic log-off features. Before a vendor can handle your patients' data, they must sign a BAA — a legal contract that holds them to HIPAA standards.

The baseline also requires staff to use only approved tools. Sending a patient's name, appointment details, or diagnosis over a personal phone or a non-approved app is a violation — even if the message seems harmless.

Why Baseline HIPAA Isn't Enough in Behavioral Health

Behavioral health data privacy goes beyond what standard HIPAA requires. Mental health records can include trauma histories, psychiatric diagnoses, and medication details. SUD records carry even more risk, since they can trigger discrimination in employment or legal proceedings.

This is why behavioral health clinics need platforms built with their specific needs in mind — not just general healthcare texting tools. A solution that works fine for a dermatology office may fall short for a therapy practice or a SUD treatment center.


Why Behavioral Health Has Stricter Rules: 42 CFR Part 2 Explained

Most healthcare providers only deal with HIPAA. But clinics that treat substance use disorders must also follow a separate federal law. Here's what it covers and why it matters for how you text your patients.

What 42 CFR Part 2 Is and Who It Applies To

42 CFR Part 2 is a federal regulation that governs SUD treatment records. It applies to any program that provides substance use disorder treatment and receives federal funding — which includes most SUD clinics, FQHCs, and hospital-based programs.

This law predates HIPAA and was designed specifically to protect people with substance use disorders from having their treatment records used against them. The concern was real: patients were avoiding care because they feared records could be subpoenaed or shared with employers.

How It Differs from HIPAA

HIPAA allows many routine disclosures of PHI without patient consent — like sharing records for treatment, payment, or operations. 42 CFR Part 2 is far more restrictive. Under Part 2, records generally cannot be shared without explicit written patient consent, even with other treating providers.

Feature | HIPAA | 42 CFR Part 2
--- | --- | ---
Who it covers | All HIPAA-covered entities | SUD treatment programs (federally funded)
Consent for sharing | Not required for TPO* | Required in most cases
Records scope | All PHI | SUD treatment records specifically
Breach notification | Required within 60 days | Required (follows HIPAA timeline)
Re-disclosure limits | Limited protections | Strict — recipients cannot re-disclose

*TPO = Treatment, Payment, and Operations | Source: HHS and SAMHSA guidance

What This Means for Texting Patients About SUD Treatment

If your clinic provides SUD treatment, you need to think carefully about what you put in a text message. Even an appointment reminder that reveals a patient's program could violate 42 CFR Part 2 if it's seen by someone unauthorized.

Your texting platform must support consent workflows that are specific to Part 2 rules. Generic HIPAA consent forms are not enough. Patients need to give explicit, informed consent for each type of communication — and that consent must be properly documented.


Infographic: 8 must-have features for HIPAA-compliant texting in behavioral health clinics


The Risks of Using Regular SMS or Consumer Messaging Apps

Some clinics still rely on standard texting or apps like WhatsApp to reach patients. This is a compliance risk — and for behavioral health settings, the consequences can be serious. Here's what the risks look like in practice.

Unencrypted Carrier SMS

Standard SMS messages travel over carrier networks without encryption. They can be intercepted, stored by carriers, and accessed via subpoena.

For a mental health or SUD clinic, sending PHI over regular SMS is a HIPAA violation. Even something as simple as confirming an appointment that reveals a patient's provider type is a violation.

Carriers are also not HIPAA business associates. They won't sign a BAA, which means your clinic is fully exposed if a message is intercepted or subpoenaed.

iMessage, WhatsApp, and Other Consumer Apps

Consumer apps may use encryption, but they aren't designed for HIPAA compliance. iMessage stores messages on Apple servers. WhatsApp is owned by Meta, which has its own data practices. Neither will sign a BAA with a healthcare provider.

These platforms also lack audit logs, access controls, and retention policies — all of which are required under HIPAA. Using them for any patient communication involving PHI puts your clinic at risk.

Personal Phones and Bring-Your-Own-Device Risks

When staff use their personal phones to text patients, the clinic loses control of PHI. Personal devices aren't covered by the clinic's security policies. If a staff member leaves or a phone is stolen, there's no way to remotely wipe PHI from it.

Bring-your-own-device (BYOD) policies without strict controls are one of the most common sources of HIPAA violations in behavioral health settings. Without a dedicated, HIPAA-compliant platform, these risks are difficult to manage.


8 Must-Have Features in a HIPAA-Compliant Texting Platform for Behavioral Health

Not all HIPAA-compliant messaging tools are built the same. Behavioral health clinics need platforms that go beyond general healthcare requirements. These eight features are non-negotiable.

1. Signed Business Associate Agreement (BAA)

A BAA is the legal foundation of any HIPAA-compliant vendor relationship. Before your clinic sends a single patient message through a platform, the vendor must sign one. The BAA spells out each party's responsibilities for safeguarding PHI.

Don't assume a BAA is in place — ask for it in writing. If a vendor won't sign one, walk away. No BAA means your clinic alone is liable for any breach that involves their platform.

2. End-to-End Encryption in Transit and at Rest

Encryption in transit protects messages as they travel between devices. Encryption at rest protects stored messages on the platform's servers. A compliant platform needs both — not just one or the other.

For SUD clinics, this is especially critical. A stored message that reveals a patient's treatment program, even if never transmitted to the wrong party, can still be a Part 2 risk if accessed without authorization.

3. Granular Access Controls and Audit Logs

Your platform should let you control who can see which patient records. Not every staff member needs access to every conversation. Role-based access controls let you limit visibility based on a person's job.

Audit logs record every action taken within the platform — who viewed a message, when, and from where. These logs are essential for demonstrating compliance during a review or investigation.

4. 42 CFR Part 2–Aware Consent Workflows

For SUD treatment programs, the platform must support structured consent workflows that align with 42 CFR Part 2. This means capturing explicit patient consent before sending certain types of messages — and keeping a record of that consent.

Generic opt-in forms aren't enough. The consent process must clearly explain what types of communications the patient is agreeing to, and it must meet the standard required by Part 2.

5. Retention and Deletion Controls

HIPAA requires covered entities to retain PHI for at least six years from creation or last use. But Part 2 records have additional rules around how long SUD treatment records can be kept and when they must be destroyed.

Your platform should let you set retention policies and support secure, auditable deletion. This isn't just a compliance checkbox — it also reduces your clinic's exposure if records are ever subject to a legal request.

6. Secure File and Form Handling

Behavioral health clinics often need to send intake forms, consent documents, or lab results via text. This adds another layer of risk — every file that includes PHI must be transmitted securely.

A compliant platform should handle secure file sharing with the same encryption and access standards as messaging. Look for platforms that let patients fill out and sign forms digitally without exposing PHI over email or open file links.

7. EHR Integration for Documented Communication

When patient communications live outside the EHR, things get missed. A texting platform that integrates with your EHR ensures that messages are documented as part of the patient record.

This is important for continuity of care — and for compliance. If a regulator asks to see your communication records, you need to show that messages were properly logged. Platforms like Curogram offer integrations with multiple behavioral health EHRs, including Osmind, Valant, Welligent, and TherapyNotes.

8. Staff Training and Policy Support

A compliant platform is only as strong as the people using it. Staff need to know what they can and can't send, how to handle a patient request to opt out, and what to do if they make a mistake.

Look for a vendor that provides onboarding support and training resources. Some platforms also offer policy templates to help clinics document their texting practices — which is required under HIPAA's administrative safeguards.

What Patient Consent Should Look Like for Texting in SUD Treatment

Consent isn't just a checkbox — it's a compliance requirement. For SUD treatment programs, getting it wrong can expose your clinic to serious risk.

Under 42 CFR Part 2, written patient consent is required before SUD treatment records can be shared or used in most communications. This applies to text messaging. If a message references a patient's SUD program — even indirectly — it may fall under Part 2 rules.

A proper consent form for texting in SUD settings should include: the patient's name, the name of the program, the purpose of the communication, what information may be shared, how long the consent is valid, and the patient's right to revoke it.

Consent must also be documented in a way that can be retrieved for a compliance review. Verbal consent is not sufficient. Your texting platform should make it easy to collect, store, and audit consent records for each patient.

Important: This article provides general educational information. For guidance on what to include in your clinic's consent forms or BAAs, consult your compliance officer or legal counsel.

Common Compliance Mistakes Behavioral Health Practices Make

Even well-run clinics can slip up. These are the most common mistakes we see in behavioral health settings — and why they matter.

Using a general healthcare texting tool that hasn't been vetted for 42 CFR Part 2. Many platforms are HIPAA-compliant but not designed for SUD programs. This creates gaps in consent workflows and record-keeping.

Skipping the BAA verification step. Clinics often assume their EHR vendor's BAA covers third-party texting tools. It usually doesn't. Each vendor needs its own BAA.

Sending appointment details that reveal a patient's treatment type. A text that says "Your appointment at [SUD program name] is confirmed" may violate Part 2 if the patient hasn't consented to that disclosure.

Allowing staff to text from personal phones. Without a BYOD policy and an approved platform, any message sent from a personal device is outside the clinic's security controls.

Not training staff on what's allowed. A compliant platform can't compensate for staff who don't know the rules. Training should be documented and repeated at least annually.

Failing to audit message logs. Audit logs only protect you if someone is reviewing them. Regular reviews help catch issues before they become violations.
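As an added example (not code from this article or from Curogram), the check below implements the consent gate that the consent section and the "appointment details that reveal a patient's treatment type" mistake describe: a consent record carrying the fields listed above (patient, program, purpose, what may be shared, validity period, revocation), and a pre-send function that blocks any message naming the SUD program unless a matching, unexpired, unrevoked consent is on file for that purpose, writing every decision to an audit log. The patient ids, program name and in-memory audit log are constructed stand-ins.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Dates are ISO 8601 strings ("YYYY-MM-DD"), which compare chronologically as text.
@dataclass(frozen=True)
class Part2Consent:
    """One documented consent, with the fields the article lists for SUD texting."""
    patient_id: str
    program_name: str
    purpose: str                  # e.g. "appointment reminders"
    may_share: frozenset          # information the patient agreed may be disclosed
    valid_from: str
    valid_until: str
    revoked_on: Optional[str] = None   # patient may revoke at any time

    def covers(self, purpose: str, disclosures: set, on: str) -> bool:
        """True only if the consent is in force on 'on' and covers this purpose and data."""
        if self.revoked_on is not None and on >= self.revoked_on:
            return False
        if not (self.valid_from <= on <= self.valid_until):
            return False
        return self.purpose == purpose and disclosures <= self.may_share

AUDIT_LOG: list = []   # constructed in-memory stand-in for the platform's audit log

def message_disclosures(text: str, program_name: str) -> set:
    """What a message reveals. Naming the program counts as a Part 2 disclosure."""
    return {"program_name"} if program_name.lower() in text.lower() else set()

def gate_message(patient_id: str, text: str, program_name: str, purpose: str,
                 consents: list, on: str, actor: str = "scheduler") -> tuple:
    """Decide whether a text may be sent, and record the decision either way."""
    needed = message_disclosures(text, program_name)
    if not needed:
        allowed, reason = True, "no SUD program disclosure in message"
    elif any(c.patient_id == patient_id and c.program_name == program_name
             and c.covers(purpose, needed, on) for c in consents):
        allowed, reason = True, "valid Part 2 consent on file"
    else:
        allowed, reason = False, "no valid Part 2 consent for this disclosure"
    # Who tried to send what, to whom, when, and why it was allowed or blocked.
    AUDIT_LOG.append({"patient_id": patient_id, "actor": actor, "date": on,
                      "purpose": purpose, "disclosed": sorted(needed),
                      "allowed": allowed, "reason": reason})
    return allowed, reason
```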


Conclusion

Behavioral health patients deserve both privacy and access. The right texting platform makes both possible. When done well, secure messaging can actually improve the patient experience — faster confirmations, fewer missed appointments, and less friction at every touchpoint.

Curogram is HIPAA-compliant and SOC 2 certified, with features built for the specific needs of behavioral health clinics. From encrypted messaging and signed BAAs to EHR integrations across leading behavioral health platforms, Curogram is designed to support compliance without slowing down your team.

Learn more about how Curogram serves behavioral health clinics, or visit our compliance standards page to see what's under the hood.

Schedule a demo to see how Curogram makes mental and behavioral health clinics' processes easier with HIPAA-compliant texting.


Frequently Asked Questions

How do I know if my texting platform is truly HIPAA-compliant for behavioral health?

Start by asking for a signed BAA. If the vendor won't provide one, the platform isn't compliant. Beyond that, look for end-to-end encryption, audit logs, and role-based access controls.

For SUD treatment programs, also check whether the platform supports 42 CFR Part 2 consent workflows. A general HIPAA-compliant tool may not be enough for your setting.

Why does 42 CFR Part 2 require more than HIPAA for SUD treatment texting?

42 CFR Part 2 was designed specifically to protect people with substance use disorders from having their treatment records used against them — in court, by employers, or in other settings. HIPAA allows many routine disclosures without patient consent, but Part 2 generally requires explicit written consent before SUD records can be shared.

This matters for texting because even an appointment reminder can reveal that a patient is in a SUD program. Without proper consent, that message may violate Part 2.

How should my clinic handle texting consent for patients in substance use treatment?

Consent for SUD treatment texting should be written, specific, and documented. It should name the program, the types of communications covered, how long the consent lasts, and the patient's right to revoke it at any time.

Verbal consent is not sufficient under 42 CFR Part 2. Your platform should make it easy to collect and store consent records so they can be retrieved during a compliance review. Consult your compliance officer for guidance on the exact language your forms should include.

What are the risks if my behavioral health clinic sends PHI over regular SMS?

Standard SMS is not encrypted during transmission, and carriers are not HIPAA business associates. Sending PHI — including appointment details that reveal a patient's treatment type — over regular SMS is a HIPAA violation.

The consequences can include HHS Office for Civil Rights (OCR) fines, mandatory corrective action plans, and reputational damage. For SUD programs, a Part 2 violation can carry additional penalties. The risk is not worth the convenience.

Why does my clinic need a separate BAA for a texting platform if we already have one with our EHR vendor?

A BAA is vendor-specific. Your EHR vendor's BAA covers only that vendor's services — it doesn't extend to third-party platforms your clinic uses for texting, forms, or other communications.

Each tool that handles PHI on your behalf needs its own BAA. This includes your texting platform, even if it integrates with your EHR. Before using any third-party tool with patient data, confirm that a BAA is in place.