
What Is HIPAA? When Does It Apply to Business Messaging?
HIPAA compliance isn’t just for hospitals. It applies to any business handling protected health information (PHI), including those using SMS, WhatsApp, or voice messaging. This guide breaks down when HIPAA applies, what it requires, and how to stay compliant without disrupting communication.
If your business interacts with healthcare data, even tangentially, HIPAA is mandatory. It’s the regulatory backbone that governs how protected health information (PHI) is stored, transmitted, and accessed. And when you’re using messaging channels like SMS, WhatsApp, or voice to communicate with patients or healthcare providers, HIPAA is essential.
At Conversive, we work with hundreds of teams that rely on messaging to drive healthcare workflows such as appointment reminders, care coordination, patient follow-ups, lab notifications, and more. Many of them often ask if HIPAA applies to their messaging setup too.
This guide breaks that down for you. We’ll explain what HIPAA is, who must comply, how it applies to business messaging, and what steps to take if you're anywhere near PHI.
What is HIPAA? Who Does It Apply To?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It was designed to improve the portability of health insurance and standardize the protection of sensitive patient data in the U.S. But over time, it’s become the gold standard for regulating how protected health information (PHI) is handled, especially in digital communications.
HIPAA is enforced by the U.S. Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). If you store, transmit, or process PHI in any way, you may fall under HIPAA’s scope, even if you’re outside the U.S.
HIPAA applies to two main groups:
- Covered entities: These include healthcare providers (like clinics, hospitals, and doctors), health plans (like insurers), and healthcare clearinghouses.
- Business associates: Any third party that processes PHI on behalf of a covered entity. This could be your messaging provider, billing software, cloud storage vendor, or call center.
HIPAA doesn’t care where you’re located. It cares whether you touch PHI connected to a U.S. patient or healthcare provider. If you’re a messaging platform based in Europe or Asia but helping a U.S. clinic communicate with patients, you’re in scope.
In short, HIPAA compliance is based on the flow of data, not your company’s headquarters. If you’re involved in transmitting healthcare information that could identify a person, you need to treat HIPAA as a requirement.
When Does HIPAA Apply to Communication Channels Like SMS, WhatsApp, or Voice?
HIPAA compliance is more about what kind of data you're sending and how it's protected than which channels you’re using. If your message contains protected health information (PHI), HIPAA rules apply no matter whether it’s sent via SMS, RCS, WhatsApp, email, or a phone call.
PHI includes names, contact info, medical history, insurance details, appointment records, and anything that could be linked to a patient’s health status or care.
Here’s how HIPAA applies to different communication channels:
i) SMS/RCS
These can be HIPAA-compliant, but only if appropriate safeguards are in place. That includes encryption at rest and in transit, secure opt-ins, and patient acknowledgement of the risks of messaging.
ii) WhatsApp
Not HIPAA-compliant by default. Meta doesn’t offer Business Associate Agreements (BAAs), which are required for HIPAA compliance. Even though messages are end-to-end encrypted, the lack of enforceable controls means this channel can’t be used for PHI unless initiated by the patient.
iii) Voice calls
Common in healthcare, but still regulated. You need to follow privacy protocols such as confirming identities, avoiding leaving PHI on voicemails, and logging interactions appropriately.
If your message is purely logistical (e.g., “Your appointment is at 3 p.m.”) and contains no personal identifiers or health data, it may fall outside HIPAA scope. But the line between compliant and risky is thin, and it’s safer to assume HIPAA applies unless you're 100% certain.
How to Determine if HIPAA Applies to Your Business
It is often assumed that HIPAA applies only to hospitals or insurance companies, but that’s not true. It applies to anyone handling PHI on behalf of a healthcare entity. That includes vendors, messaging platforms, billing partners, even marketing agencies.
Ask yourself these questions to figure out if HIPAA applies to you:
i) Do you work in or support the healthcare industry?
If you’re a provider, a clinic, a lab, or a vendor serving these businesses, you're likely in scope.
ii) Do you create, access, transmit, or store PHI?
If you touch data that could identify a patient and relate to their health, even through automated tools, HIPAA applies.
iii) Do you offer tools (like SMS, CRM, or voice systems) that healthcare clients use to communicate?
If yes, you’re considered a “business associate” and must follow HIPAA rules.
iv) Are your customers U.S.-based?
HIPAA is a U.S. law, but it applies globally to any business handling PHI tied to U.S. patients or organizations.
Tip: If you handle PHI, even indirectly, you’re likely on the hook for HIPAA compliance, no matter where your company is based.
Steps Required to Become HIPAA Compliant
Unlike certifications where you get a badge or license, HIPAA compliance is about ongoing implementation. You don’t register somewhere and get approved. Instead, you demonstrate that you’ve put the required safeguards in place and maintain them.
Here’s what that typically involves:
1. Conduct a Risk Analysis and Map Your Data Flows
Identify where PHI exists across your systems, such as email, SMS, cloud storage, and devices, and assess potential vulnerabilities.
2. Implement Required Safeguards
- Technical: Encryption (at rest and in transit), access controls, audit trails
- Physical: Secure facilities, device policies, restricted access
- Administrative: Documented policies, breach response plans, designated compliance officers
3. Sign Business Associate Agreements (BAAs)
Any vendor that might touch PHI, whether it’s your SMS provider, CRM platform, or cloud storage, must sign a BAA. This is legally required.
4. Train Your Team
Everyone who touches PHI should undergo HIPAA training. This includes your marketing, support, and engineering teams, not just doctors or nurses.
5. Maintain Documentation and Review Regularly
You need clear documentation for your risk assessments, policies, training records, BAAs, and ongoing audits. Compliance requires periodic reviews.
HIPAA Compliance Cost for Different Business Sizes
Your investment to become HIPAA compliant depends on your organization’s size, risk exposure, and the complexity of your healthcare operations. Here’s a general overview:
HIPAA compliance costs scale with the size and complexity of the healthcare organization. Small practices focus on essentials like risk analysis, training, and basic security, often guided by consultants. Mid-sized organizations expand efforts with internal compliance roles, audits, and automated workflows. Large enterprises treat HIPAA as a full program, with dedicated teams, enterprise-grade tools, and regular certifications to manage risk across massive data environments.
Each part of a HIPAA compliance program has its own cost. Here's a deeper look at the key investments businesses need to plan for:
i) Risk Analysis ($2,000–$20,000+)
A HIPAA-required starting point, the risk analysis identifies vulnerabilities in how you collect, store, and transmit Protected Health Information (PHI). For small practices, this could mean a one-time external audit using standardized tools. For larger orgs, it's often a multi-week engagement involving onsite assessments, IT audits, and compliance gap analysis. If you handle sensitive workflows (e.g., billing, diagnostics, telehealth), expect this to cost more due to increased complexity.
ii) Security Tools and Infrastructure (Variable: Hundreds to Thousands/Month)
HIPAA expects both technical and physical safeguards to be in place. Depending on your tech stack and PHI exposure, this may include:
- Data encryption (in transit and at rest)
- Endpoint security for staff devices
- Multi-factor authentication for all PHI access
- Secure cloud storage or EMR integration
Cloud-based tools (e.g., Google Workspace with HIPAA BAA, encrypted messaging) might cost $20–$200 per user per month. Enterprise-grade firewalls, secure file transfer systems, or advanced audit logging will push monthly costs higher.
iii) Policy Development and Staff Training ($1,000–$5,000+ per year)
Documentation isn’t optional. You need clear, accessible policies for everything from device use to data breach response. Most businesses also invest in annual HIPAA training:
- Basic compliance courses for all employees
- Role-based training for admins, clinicians, and support staff
- Simulated phishing and breach drills
Off-the-shelf training can be affordable, but many opt for customized programs, especially when handling complex PHI workflows.
iv) Third-Party Certifications (Optional but Credibility-Boosting: $8,000–$200,000+)
HIPAA itself doesn’t offer a certification program. But many healthcare businesses pursue recognized security frameworks like:
- HITRUST CSF
- SOC 2 Type II
- ISO 27001
These certifications can strengthen your market credibility, help win enterprise contracts, and ensure vendor-level rigor, but they come with a significant cost in consulting, audits, and remediation.
Why Choose Conversive for HIPAA-Compliant Messaging?
HIPAA compliance shouldn’t get in the way of responding in real time when someone needs an appointment confirmation or post-visit follow-up. Most messaging tools make you choose between security and usability. Conversive doesn’t.
Conversive is built for sectors where privacy is non-negotiable. It gives you the tools to communicate effectively without risking exposure of Protected Health Information (PHI).
What sets Conversive apart is encryption, BAA support, and how deeply it integrates with the reality of how healthcare teams work. You can separate PHI and non-PHI messages, automate opt-ins and audit trails, and route sensitive messages through secure pathways inside your existing systems. No extra logins. No jumping between tools.
This matters when your front desk needs to send a same-day appointment reminder, or when a care coordinator wants to follow up after a procedure. Conversive lets them act quickly without guessing which channel is safe or whether a message violates compliance rules. It removes the burden of “playing it safe” by making the safe path the easy one.
Book a demo to enable secure, compliant communication without slowing your team down.
Frequently Asked Questions
Can I register somewhere for HIPAA compliance?
No, HIPAA compliance isn’t something you apply for or get certified by a central body. There’s no official badge or portal. Compliance is implemented through internal safeguards, documented policies, and vendor agreements. You prove compliance by how you operate—through audits, breach response readiness, and consistent adherence to the rules.
Can SMS be HIPAA-compliant?
It can be, but only under specific conditions. SMS, by nature, isn’t encrypted end-to-end. That said, HHS allows providers to use SMS if patients are informed of the risks and still choose to receive messages that may contain PHI. Safeguards like access controls, message logging, and clearly defined opt-in/opt-out flows are essential to reducing risk.
Is WhatsApp HIPAA-compliant?
Not by default. WhatsApp does not offer Business Associate Agreements (BAAs), which are legally required for any vendor handling PHI on your behalf. While you might technically send a message via WhatsApp, doing so in a healthcare context risks non-compliance unless the patient has explicitly requested this channel and acknowledged the risks in writing.
Are appointment reminders subject to HIPAA?
It depends on the content. A reminder that says, “You have an appointment at 3 PM” without mentioning the provider or condition is generally allowed. But the moment you include names of specialists, treatment details, or sensitive timing (e.g., “Your oncology follow-up”), it becomes PHI and falls under HIPAA protections.
Who enforces HIPAA and issues penalties?
The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) is responsible for enforcing HIPAA. In cases of willful neglect or intentional data misuse, the U.S. Department of Justice (DOJ) can escalate matters to criminal charges. Penalties range from warning letters to multimillion-dollar fines and public reporting.