A patient who books an appointment has given you permission to text them about that appointment. They have not given you permission to text them "20% off teeth whitening this month — book now!" Those are two different messages, governed by two different rules, and the line between them is thinner than most front-desk teams realize.
Full disclosure: I work for ReadySMS, and we run the compliance plumbing — opt-out handling, quiet hours, consent capture — that this article keeps pointing at. I'll show you exactly where it matters and where it doesn't, because half the value here is knowing which messages are already fine and which ones quietly aren't.
The trap isn't malice. It's a single well-meaning staffer adding one line to a reminder template. That one line can move a message from "permitted treatment communication" to "marketing message sent without express written consent," and the consent you actually have stops covering it.
Two laws, two jobs
People conflate HIPAA and TCPA. They do different things.
HIPAA governs the content — protected health information. It's why you don't put "your HIV test results are ready" in a text, and why even an appointment reminder should be deliberately vague ("You have an appointment Thursday at 2pm with Dr. Lee"). HIPAA is about protecting the substance of the message.
TCPA governs the consent to be contacted at all — specifically by automated systems. It doesn't care whether your message is medically sensitive. It cares whether the recipient agreed to receive that type of message. And TCPA draws a hard distinction between two categories:
- Informational / treatment messages — appointment reminders, recall notices, lab-result-ready pings, prescription pickup, post-op check-ins. These run on a lighter standard. Treatment-related texts to a patient who gave you their number for care purposes are generally covered by implied or "prior express consent" (the plain kind).
- Marketing / promotional messages — anything selling, upselling, or promoting. Whitening specials, new service announcements, "refer a friend," membership plans. These require **prior express written consent** — a separate, affirmative, documented opt-in.
The word "written" is the whole ballgame. A patient handing you their phone number at intake is not written marketing consent. It's consent to be contacted about their care.
The messages that quietly cross the line
Here's where clinics trip. Each of these starts as a permitted treatment message and then adds a few words that flip the category.
| Message | Category | Consent needed |
|---|---|---|
| "Reminder: appointment Thu 2pm with Dr. Lee. Reply C to confirm." | Treatment | Implied/express (plain) |
| "Your cleaning is due. Call to schedule." | Treatment (recall) | Implied/express (plain) |
| "Your cleaning is due — book this week and get $50 off whitening!" | Marketing | Express written |
| "Flu shots now available, walk-ins welcome." | Gray → likely marketing | Treat as written |
| "We miss you! Come back for a free consult 🦷" | Marketing | Express written |
| "Post-op check: how are you feeling? Reply if you have questions." | Treatment | Implied/express (plain) |
| "Refer a friend and you both get $25 off." | Marketing | Express written |
The pattern is clear once you see it: the moment a message contains an offer, discount, or promotion, it's marketing — even when it's wrapped around a legitimate recall. A recall notice ("your cleaning is due") is operational. The same text with "$50 off whitening" stapled to it is a promotional message you may not have consent to send.
That last gray-area one — "flu shots now available" — is genuinely arguable. A public-health service announcement to existing patients can be defended as informational. But the safe operating rule is: if you can't say with a straight face that the message exists purely to serve this patient's care, treat it as marketing and require written opt-in. I'd rather over-classify and lose a little reach than guess wrong at $500–$1,500 per text.
What "express written consent" actually looks like
It's less work than it sounds. You don't need wet signatures. You need an affirmative, documented opt-in where the patient clearly agreed to receive marketing texts, with the standard disclosures: that consent isn't a condition of treatment, that message and data rates apply, and how to opt out.
Practical implementations:
- A checkbox on your intake form (unchecked by default) that specifically says "Yes, send me promotional offers and news by text." Separate from any general communications consent.
- A keyword opt-in: "Text JOIN to 555-123 for offers." The inbound keyword is the affirmative act, and you log it.
- A patient-portal toggle for marketing texts.
The non-negotiable part is the audit trail. When a complaint lands, "we had their number" is not a defense for a marketing text. "Here is the timestamped record of them checking the marketing box on 3/14" is. ReadySMS records opt-in attestation for bulk and API sends, so you're building that trail as you go rather than reconstructing it under pressure. We dig deeper into the consent mechanics in Patient Text Consent: Essentials for Healthcare SMS.
Keep your two lists actually separate
The cleanest fix is structural: maintain two distinct audiences.
- Treatment list — everyone who's a patient. Gets reminders, recalls, results-ready, post-op. No promos. Ever.
- Marketing list — only patients who also gave express written marketing consent. Gets the whitening special.
Most clinics fail by running one list and letting a campaign template do double duty. Someone builds a "recall blast," adds a seasonal offer because the marketing calendar said to, and now a promotional message just went to everyone on the treatment list — including patients who never opted into marketing.
If you're running this through GoHighLevel, this is also where automation quietly double-texts people. A recall workflow and a promo workflow both firing on the same contact tag is a classic mess. We walk through how that happens in The 4 GoHighLevel Workflow Mistakes That Double-Text Your Contacts — worth a 20-minute audit if you've got more than two active workflows.
Opt-out is universal — and that's the floor, not the ceiling
Here's something people get backwards: opt-out applies to both categories, but the consent standard differs.
If a patient texts STOP, they're out — even of treatment reminders, if they so choose. ReadySMS honors inbound STOP/UNSUBSCRIBE automatically and propagates the opt-out so the contact can't be messaged again across campaigns. That last part matters in a multi-list setup: a patient who opts out of marketing shouldn't keep getting whitening offers because they live on a second list your front desk forgot about. The opt-out follows the number, not the campaign.
But — and this is the part operators miss — automatic opt-out handling does not grant you opt-in. It cleans up the back end. It does not give you permission to have sent the marketing message in the first place. Don't let "we honor STOP" become a mental excuse for blasting promos to a treatment list. STOP is the exit; written consent is the entry. You need both doors managed.
Quiet hours: the easy lever you're probably ignoring
TCPA restricts marketing-style calls and texts to roughly 8am–9pm in the recipient's local time. A recall text isn't a marketing text, but if your clinic sends anything promotional, quiet-hours timing is a cheap exposure reducer that costs you nothing in reach — a 9:40pm "book your cleaning + get $50 off" is both more annoying and more legally exposed than the same text at 10am.
ReadySMS holds sends outside permitted local hours based on the recipient's area, so a campaign scheduled at the wrong moment doesn't fire into the danger zone. I think of it as a guardrail for the times your scheduling discipline slips — because it will slip. There's a fuller treatment of the legal-vs-smart timing question in SMS Quiet Hours: The Legal Rule, The Smart Rule, The One That Gets You Opt-Outs.
A quick self-audit
Run your last 30 days of outbound healthcare SMS through these questions:
- Does any "reminder" or "recall" template contain a discount, offer, or upsell? → That's marketing. Move it.
- Do you have a separate, documented marketing opt-in distinct from your intake number collection? → If not, your promos are riding on the wrong consent.
- Can you produce a timestamped opt-in record for any patient who got a promo? → If not, build the trail now.
- Does a patient who opts out of marketing stay subscribed to treatment messages they didn't STOP? → That's correct behavior; verify your platform does it.
- Are promotional sends time-fenced to local daytime hours? → Set it once.
If you want the broader picture of what's safe to send and what isn't, SMS for Healthcare: HIPAA, Consent, and What You Can Actually Send covers the content-side rules that pair with the consent-side rules here.
The takeaway
A recall text and a promo text feel like the same message because they go through the same phone, the same template tool, often the same staffer. Legally, they're not the same. Treatment messages run on the consent a patient gives by becoming a patient. Marketing messages need a separate, written, documented yes — and the fastest way to stay clean is to keep two lists, never let an offer leak into a recall, time-fence your promos, and honor every STOP automatically.
None of that requires a compliance department. It requires deciding which category each message belongs to before you hit send. If you'd like the opt-out propagation, quiet-hours enforcement, and consent capture handled by the platform rather than your front desk, that's the part ReadySMS is built to take off your plate — but the classification call is, and always will be, yours to make.