Which texting tools sign a BAA

The question stops most practices before they ever set up a fast response system. You find a texting tool, you are ready to stop losing inquiries, and then someone asks the right question: will the vendor sign a business associate agreement? For most tools the answer is no. This guide explains why, which categories of tools usually will, and how to vet one before a single patient text goes out.

This is operational guidance, not legal advice. Run your tool selection and final workflow past your compliance officer or counsel.

What a BAA is and why it gates everything

A business associate agreement is a contract that binds a vendor handling protected health information to HIPAA safeguards. If a tool will carry patient communication and the vendor will not sign one, the practice is the party left holding the risk. That single document is the gate. It is also the fastest way to disqualify a tool: ask for the BAA first, and most of the market filters itself out before you waste time on features.

Why most texting tools say no

  • They were built for general business and marketing, not regulated health communication.
  • Signing a BAA commits them to encryption standards, access controls, audit logging, and breach liability they did not design around.
  • Many run on subcontractors who would also need to flow down those obligations, which they cannot guarantee.
  • The result is a polite no, or a silent gap where the topic is simply never addressed in their terms.

Categories of tools that usually will

  • Secure patient messaging: Platforms built specifically for clinician-to-patient communication. Designed around BAAs from day one.
  • Healthcare patient comms: Patient communication and engagement systems made for practices, often integrating with scheduling or records.
  • Telephony with a health plan: Some phone and SMS providers offer a healthcare tier that includes a BAA. Confirm the BAA covers SMS, not only voice.

Categories, not endorsements. The right tool depends on your stack and your counsel. We stay tool-agnostic and design the workflow around whatever signs.

The vetting checklist

  1. Ask for the BAA in writing before sending anything, not after.
  2. Confirm it covers SMS specifically, not just email or portal messages.
  3. Check for encryption in transit and at rest, role-based access, and audit logs.
  4. Ask how long messages are retained and how data is deleted on exit.
  5. Confirm subcontractor obligations flow down in the agreement.
  6. Have your compliance counsel review the signed agreement before go-live.

The shortcut that buys you options

Design the first touch to contain no protected health information. A neutral acknowledgment of a missed call carries nothing sensitive, which reduces what flows through any tool and widens what you can safely consider. It does not remove the need for a BAA on a channel that carries patient communication, because two-way threads drift toward detail fast. But it changes the workflow from risky by default to safe by design. That is the pattern we install.

FAQ

What is a BAA?

A business associate agreement is a contract between a healthcare practice and a vendor that handles protected health information on its behalf. It binds the vendor to HIPAA safeguards. Without one, sending patient information through that vendor is exposure the practice carries.

Why will most texting tools not sign a BAA?

Most consumer and marketing messaging tools were built for general business, not regulated health communication. Signing a BAA commits the vendor to safeguards, audits, and liability they did not design for, so they decline.

What kinds of tools usually will sign a BAA?

Secure patient-messaging platforms, patient communication systems built for healthcare, and some telephony or SMS providers that offer a healthcare plan. The category matters more than the brand. Always confirm in writing.

If my first text contains no PHI, do I still need a BAA?

A PHI-free first touch reduces what flows through the tool, but two-way conversations drift toward sensitive detail quickly. For any channel that carries patient communication, the safe default is a signed BAA. Let your counsel set the line for your practice.

How do I confirm a vendor will sign?

Ask directly, get the BAA in writing before sending anything, and confirm it covers SMS specifically rather than only email or portal messages.

Want the tool chosen and the workflow built for you?

The AI Operations Audit maps your inquiry-to-booking path, identifies the tooling that supports a BAA for your stack, and defines the compliant fix worth installing first, documented for your counsel to review.