HIPAA-Compliant SMS, Text & WhatsApp Messaging in Salesforce

February 16, 2026

Your hospital sends 8,000 patient SMS, text and WhatsApp messages a week. If any one of them leaks identifiable health information to a wrong number, that’s a HIPAA breach with six-figure fines on the line. The right messaging configuration prevents that without slowing your clinics down.

What HIPAA actually requires for messaging

HIPAA’s messaging rules are narrower than most healthcare teams assume, but stricter than the defaults your SMS tool ships with. In summary:

  • Patient consent: required before sending any message containing protected health information (PHI)
  • Minimum necessary information: don’t send more PHI than the patient needs for that specific message
  • Access controls: only authorised users can see the messages
  • Audit trail: every send must be logged with sender, recipient and timestamp
  • Incident response: a documented procedure for breach notification if a message goes wrong

Your SMS, text and WhatsApp messages meet HIPAA when consent is captured, PHI is minimised, access is controlled and the audit is complete. AI SMS House in Salesforce gives you the infrastructure for all five.

Consent capture on the Salesforce record

Your Salesforce Patient or Contact record carries explicit HIPAA messaging consent fields, one per channel: SMS opt-in, text opt-in and WhatsApp opt-in. Your intake forms capture each consent separately at patient registration. The messenger blocks any send to a channel where consent isn’t recorded.

When your patient opts out, whether by replying STOP, sending a WhatsApp opt-out, or asking by phone, the Salesforce field updates immediately and every future message respects it. No rep can override it without logged justification.
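The consent gate described above, modelled in plain Python as an added example. It is not Salesforce or AI SMS House code; the class, field and action names are hypothetical and the patient record is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

CHANNELS = ("sms", "text", "whatsapp")  # one consent flag per channel

@dataclass
class Patient:  # hypothetical stand-in for the Patient/Contact record
    record_id: str
    consent: dict = field(default_factory=lambda: {c: False for c in CHANNELS})

@dataclass
class ConsentGate:
    audit: list = field(default_factory=list)  # in-memory audit log for the demo

    def _log(self, action, actor, patient, channel, detail=""):
        self.audit.append({"action": action, "sender": actor,
                           "recipient": patient.record_id, "channel": channel,
                           "timestamp": datetime.now(timezone.utc).isoformat(),
                           "detail": detail})

    def opt_out(self, patient, channel, source):
        # STOP reply, WhatsApp opt-out or phone request: effective immediately.
        patient.consent[channel] = False
        self._log("opt_out", source, patient, channel)

    def override(self, rep, patient, channel, justification):
        # Reversing an opt-out requires a non-empty, logged justification.
        if not (justification and justification.strip()):
            self._log("override_denied", rep, patient, channel, "no justification")
            return False
        patient.consent[channel] = True
        self._log("override", rep, patient, channel, justification.strip())
        return True

    def send(self, sender, patient, channel, body):
        # Fail closed: missing or unknown channel consent blocks the send.
        if not patient.consent.get(channel, False):
            self._log("blocked", sender, patient, channel, "no consent recorded")
            return False
        self._log("sent", sender, patient, channel, body)
        return True

def demo():
    gate, p = ConsentGate(), Patient("PATIENT-0001")  # constructed sample record
    p.consent["sms"] = True                           # intake captured SMS consent only
    msg = "Results ready, log in to portal."
    out = [gate.send("nurse.a", p, "sms", msg), gate.send("nurse.a", p, "whatsapp", msg)]
    gate.opt_out(p, "sms", "patient STOP reply")
    out += [gate.send("nurse.a", p, "sms", msg), gate.override("nurse.a", p, "sms", " "),
            gate.override("nurse.a", p, "sms", "patient re-consented by phone"),
            gate.send("nurse.a", p, "sms", msg)]
    return out, [e["action"] for e in gate.audit]
```
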

Minimum necessary information

The easiest way to stay compliant is to send as little PHI as possible. Your appointment reminder doesn’t need the diagnosis. Your prescription-ready alert doesn’t need the medication name. Your results notification doesn’t need the result itself; it needs to say “results ready, log in to portal.”

Your AI SMS House templates are written with minimum-necessary in mind. Sensitive information lives behind a secure patient portal link that requires authentication. The SMS, text or WhatsApp carries only the routing information, not the health data itself.

Access controls via Salesforce Permission Sets

Your Salesforce users shouldn’t all see every patient message. Your Salesforce Permission Sets control who can view, send, and audit patient messaging. Your billing clerk can see payment-related messages but not clinical ones. Your nurse can see clinical messages for her ward but not another ward’s.

Your messenger honours your existing Salesforce sharing model, down to the record level. Your HIPAA security officer doesn’t need to configure a second permission system; your existing one governs messaging access automatically.

The audit trail regulators actually want

Your HIPAA audit asks “show me all messages sent to patient X between these dates, including the content, the sender, the approval, and whether they were read.” Your Salesforce audit trail answers every part of that question through standard reports, with no bolt-on compliance tool needed.

In your org, every SMS, text and WhatsApp message logs sender (user or AI agent), timestamp, delivery status, read status, and the Salesforce record it was attached to. Exports run through standard Salesforce export tools. Evidence of compliance is a query, not a fire drill.