Are appointment reminders HIPAA compliant?
What HIPAA allows in appointment reminders
HIPAA's Privacy Rule lets a covered entity use and disclose PHI for treatment without the patient's written authorization, and HHS treats appointment reminders as a treatment activity; that is the "treatment exception" people refer to. The permission covers the contact, not an arbitrary message. Keep the content to the minimum necessary: include only what the patient needs to show up, and nothing that reveals why they are being seen. Bear in mind that a reminder from a provider is itself PHI, since it ties a named person to care at that practice; the goal is to keep what a bystander could learn from it as close to nothing as possible.
- Name + date + time = generally acceptable
- "Please call us" with a callback number = acceptable
- Reason for visit = reveals health information (leave out)
- Provider specialty or clinic name that reveals a condition = reveals health information (leave out)
- Diagnosis or procedure codes = reveals health information (leave out)
- Insurance or billing details = payment information (leave out)
- Sender ID, signature, or email subject line that names a specialty practice = reveals health information (send from a neutral practice name; the subject line and sender name are part of the message)
SMS vs email reminders
SMS is higher risk: text messages are not encrypted end to end, phones are often shared, and the message text shows in lock-screen notification previews. Standard email has similar weaknesses (it is not end-to-end encrypted either, and mail clients preview the subject line and the opening text), so it is acceptable only when the patient has agreed to email communication and neither the subject nor the body contains health details. For any message that must carry health details, send a bare notification that points the patient to an encrypted portal rather than putting the details in the email or text itself.
How Jotform handles HIPAA-safe reminders
Jotform's built-in SMS and email notifications can be configured to strip PHI from the message body. Instead of sending the appointment details in the notification, the message routes the patient to log in to an authenticated Jotform view where the full details are available behind a secure session.
The minimum necessary rule
The minimum necessary rule is the guiding principle: include only what the patient needs to show up, which is a name, a date, and a time. If the patient needs more context, direct them to log in to a secure portal rather than putting it in the reminder message itself. Apply the same test to every channel that carries the reminder: the SMS body, the email subject and body, the sender name, and any voicemail script.
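One way to enforce the rule in a reminder pipeline, as an added example rather than code from this page, from Jotform, or from any EHR vendor: build the message from an allow-list of fields, and lint both the message template and the rendered text for leaks before anything is sent. The Appointment record, its field names, the regular expressions, and the sample appointment below are assumptions for illustration. The template lint is the check to run on an EHR's default reminder template, which is the situation the "What if my EHR sends reminders with visit details?" question below describes.

```python
"""Build and lint appointment reminders against an allow-list of fields.

Added example: the field names and the sample appointment below are
assumptions for illustration, not data from any real system or vendor.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# The only fields a reminder needs to get the patient in the door.
ALLOWED_FIELDS = ("patient_name", "date", "time")

# Fields that reveal health status or payment details; never interpolate these.
# A tuple (not a set) so findings are reported in a fixed order.
DISALLOWED_FIELDS = (
    "visit_reason",
    "provider_specialty",
    "diagnosis_code",
    "insurance_member_id",
)

# Shape of an ICD-10-CM code (e.g. J45.20): letter, digit, alphanumeric,
# optional dot plus up to four more characters. A linting heuristic for
# catching interpolated codes, not a definitive PHI detector.
ICD10_RE = re.compile(r"\b[A-TV-Z][0-9][0-9A-Z](?:\.[0-9A-Z]{1,4})?\b")

# Placeholders in a message template, e.g. "{patient_name}".
PLACEHOLDER_RE = re.compile(r"\{([a-z_]+)\}")


@dataclass
class Appointment:
    """Hypothetical appointment record as an EHR or scheduler might hold it."""
    patient_name: str
    start: datetime
    visit_reason: str
    provider_specialty: str
    diagnosis_code: str
    insurance_member_id: str


def build_sms_reminder(appt: Appointment) -> str:
    """Minimum-necessary reminder: name, date, time, and a pointer to the portal."""
    date = f"{appt.start.strftime('%B')} {appt.start.day}"
    time = appt.start.strftime("%I:%M %p").lstrip("0")
    return (f"{appt.patient_name}, you have an appointment on {date} at {time}. "
            "Log in to your portal for details.")


def build_generic_reminder() -> str:
    """Even less: no name, no date. Suitable for shared phones and lock screens."""
    return "You have an upcoming appointment. Log in to your portal for details."


def lint_template(template: str) -> list[str]:
    """Return placeholders in a reminder template that are not on the allow-list.

    Run this over an EHR's or scheduler's reminder template before enabling it.
    """
    return [name for name in PLACEHOLDER_RE.findall(template)
            if name not in ALLOWED_FIELDS]


def check_rendered_reminder(message: str, appt: Appointment) -> list[str]:
    """Return findings if a rendered message leaks disallowed record fields.

    Looks for the verbatim value of each disallowed field (case-insensitive)
    and for anything shaped like an ICD-10 code.
    """
    findings = []
    lowered = message.lower()
    for field in DISALLOWED_FIELDS:
        value = getattr(appt, field)
        if value and value.lower() in lowered:
            findings.append(f"{field} present: {value!r}")
    if ICD10_RE.search(message):
        findings.append("ICD-10-style code present")
    return findings


# Constructed sample record, not real patient data.
SAMPLE = Appointment(
    patient_name="Jordan Lee",
    start=datetime(2025, 6, 5, 14, 0),
    visit_reason="Follow-up: asthma",
    provider_specialty="Pulmonology",
    diagnosis_code="J45.20",
    insurance_member_id="XYZ123456",
)

# A typical vendor default that leaks the specialty, visit reason and code.
LEAKY_TEMPLATE = ("{patient_name}, reminder: {provider_specialty} visit on {date} "
                  "at {time} for {visit_reason} ({diagnosis_code}).")


if __name__ == "__main__":
    print(build_sms_reminder(SAMPLE))
    print("template problems:", lint_template(LEAKY_TEMPLATE))
    rendered = LEAKY_TEMPLATE.format(
        patient_name=SAMPLE.patient_name, provider_specialty=SAMPLE.provider_specialty,
        date="June 5", time="2:00 PM", visit_reason=SAMPLE.visit_reason,
        diagnosis_code=SAMPLE.diagnosis_code)
    print("rendered problems:", check_rendered_reminder(rendered, SAMPLE))
```

The allow-list is the real control: a message assembled from `ALLOWED_FIELDS` cannot contain a visit reason because the builder never sees one. The two lint functions exist for the common case where the template is not yours (an EHR or scheduling vendor's default) and you can only inspect what it emits; treat their output as a gate in the send path, not as a substitute for fixing the template.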
I built HIPAA-safe notification flows for healthcare practices during my Jotform years. The reminder content issue came up in every single engagement.
Sources
- HHS minimum necessary standard guidance (U.S. Department of Health and Human Services)
- HIPAA treatment exception FAQ (U.S. Department of Health and Human Services)
- Jotform HIPAA features overview (Jotform)
Related questions
What information is safe to include in an appointment reminder?
Patient name, appointment date, and appointment time are generally considered safe. A generic message like 'You have an appointment on June 5 at 2:00 PM' reveals nothing about the person's health beyond the fact of a visit. Avoid including the reason for the visit, a provider specialty or clinic name that reveals a condition, diagnosis codes, or insurance details, and apply the same rule to the sender name and the email subject line.
Are SMS appointment reminders HIPAA compliant?
SMS reminders can be HIPAA compliant if the message body contains no PHI. The risk with SMS is that text messages are unencrypted, phones may be shared, and notification previews display message content on lock screens. The safest SMS reminder is one that says only 'You have an upcoming appointment. Log in to your portal for details.'
Can I send automated appointment reminders under HIPAA?
Yes. Automated reminders fall under the HIPAA treatment exception, which permits healthcare providers to contact patients for treatment-related purposes, including appointment scheduling, without prior authorization. The automation itself is not a compliance issue; the content of the message is what matters. Who sends it matters too: a third-party reminder service that receives patient names and appointment data is handling PHI on your behalf and needs a business associate agreement.
What if my EHR sends reminders with visit details?
Many EHR systems send reminders that include the provider name and visit reason by default. Check your EHR's reminder settings and disable any fields that reveal health information. If your EHR cannot strip those fields, configure it to send a generic reminder that directs patients to log in to the patient portal instead.