Here's the trap I see clinics fall into constantly: they do the hard consent work correctly — signed intake form, opt-in language, a documented right to text — and then they blow it in the message body. Because "we're allowed to text this patient" and "we're allowed to put this in the text" are two entirely different questions, governed by two different bodies of law, and answering the first one yes doesn't answer the second.

Full disclosure: I work for ReadySMS, and yes, we sell tools that help with the compliance floor here. But the message-body problem I'm about to describe isn't something any platform fixes for you. It's a copywriting discipline. Your reminder templates either leak protected health information or they don't, and no STOP-handling feature saves you if the leak is baked into the text you wrote.

Consent-to-contact and content are separate approvals

TCPA and 10DLC govern whether you can send a text: did the patient consent, is the number scrubbed, are you inside quiet hours, is your campaign registered. HIPAA governs what the text can carry. A message can be perfectly TCPA-compliant and still be a HIPAA breach because of a single field in the body.

SMS is an unencrypted channel that lands on a lock screen anyone standing nearby can read. The patient consented to receive texts, sure — but the roommate, the coworker glancing over a shoulder, the family member who picks up the phone off the counter did not consent to see the patient's diagnosis. That preview pane is the whole risk surface.

If your consent framework itself feels shaky, start with SMS for Healthcare: HIPAA, Consent, and What You Can Actually Send before you touch copy. This post assumes consent is handled and focuses only on the words.

The 4 fields to never put in a message body

These are the ones that turn a legal text into a reportable disclosure. Cut them from every template.

1. Diagnosis, condition, or reason for visit

"Reminder: your oncology follow-up is Tuesday at 2pm" tells anyone who sees the screen that this person has, or is being screened for, cancer. Same problem with "your methadone appointment," "your fertility consult," "your STI results are ready." The condition is the PHI. Strip it.

2. Medication names

"Time to refill your Truvada" broadcasts HIV-prevention status. "Your lithium is ready for pickup" broadcasts a mental-health condition. Drug names are among the most identifying data you can send, because a huge share of them map one-to-one to a condition. Never name the drug in the body.

3. Test results or clinical detail

Never send the result itself — not "your A1C came back at 8.2," not "your biopsy was negative," not "labs show elevated..." anything. "Results are ready, please call us" is the ceiling. The result belongs in a portal or a phone call, behind authentication.

4. Provider specialty or facility that implies the condition

This one's subtle. "Reminder: appt at Riverside Behavioral Health" leaks the condition through the facility name. So does a provider signature like "Dr. Chen, Oncology." If your practice name or provider line reveals the specialty, use the umbrella group name or a neutral clinic identifier instead.

Safe rewrites that still get the patient to show up

You don't need the risky fields to drive action. The job of a reminder is time, place, action — not a clinical summary. Here's the swap:

Leaky versionCompliant rewrite
"Your dermatology appt for your psoriasis is Thu 3pm""You have an appointment Thu at 3:00pm with [Clinic]. Reply C to confirm."
"Refill ready: Adderall, pick up today""A prescription is ready for pickup at [Pharmacy]."
"Your HIV test results are in""Your recent results are available. Please call us at [number]."
"Reminder: methadone clinic 8am""Reminder: your appointment is tomorrow at 8:00am. Questions? Call [number]."
"Dr. Patel, Cardiology — see you at your stress test""Reminder from [Clinic Group]: appointment tomorrow at 10:00am."

Notice the pattern: identify the practice, not the condition. Confirm the time, not the diagnosis. Route anything sensitive to a call or a portal. The patient knows why they booked; you don't have to remind them in a form everyone can read.

There's a marketing-vs-treatment consent wrinkle sitting on top of all this too — a recall text and a promo text need different consent, and the copy tells the carrier which one you're sending. If you're writing recall copy, the annotated 11 Patient Recall SMS Templates pack walks the line field by field, and A Recall Text and a Promo Text Need Different Consent covers where clinics cross it accidentally.

Where the platform actually helps — and where it doesn't

The message body is on you. But the delivery conditions around it — the compliance floor — are worth automating, because a reminder sent at 11pm or to someone who already said STOP is its own kind of harm and its own kind of liability.

What ReadySMS enforces automatically:

  • Quiet-hours holds. Sends outside permitted local hours for the recipient's area get held, not fired. That's a TCPA exposure reducer, and honestly it's also just decent behavior — a 2am appointment reminder erodes trust even where it's technically legal. More on the legal-vs-smart line in SMS Quiet Hours: The Legal Rule, The Smart Rule.
  • Automatic STOP handling. Inbound STOP/UNSUBSCRIBE is honored and the opt-out propagates across campaigns, so a patient who leaves can't get re-messaged by a different workflow.
  • 10DLC registration in-app. Roughly ~$10/mo per brand and ~$20/mo per campaign, approval typically 1–3 days. Register the right use case — a reminder campaign filed as marketing is why delivery quietly drops.
  • Litigator/DNC scrubbing as a standalone add-on at $0.005 per contact, mostly relevant when you're re-engaging an older list.

What no platform does: read your template and tell you the word "oncology" is a breach. That judgment is human. A tool can hold the send until 9am; it cannot un-send a diagnosis to the wrong lock screen.

Build a one-time template audit into your workflow

You don't need to police every message — you need to police every template, once, because templates are what scale the mistake. A 400-patient recall blast sends the same body 400 times. If the field is wrong, it's wrong 400 times.

Run every reminder, recall, and results template through this checklist:

  1. Does the body name a condition, symptom, or reason for visit? Cut it.
  2. Does it name a medication? Cut it.
  3. Does it contain any test result or clinical value? Cut it — route to a call.
  4. Does the practice name, provider signature, or facility imply the specialty? Swap for a neutral group name.
  5. Is there a clear time, place, and action left? If yes, you're done. If the message is now empty, it was probably carrying PHI to begin with.

Keep the approved templates in your platform's reusable template library so staff can't freelance a "quick custom" text with the diagnosis in it. The freelanced one-off is where most real-world leaks happen.

For the operational side of automating reminders without stepping on either consent line, Compliance Meeting Care: Healthcare SMS Appointment Strategies and Automated SMS in Healthcare both go deeper than I can here.

The practical takeaway

Legal to send is not the same as safe to say. You can have flawless consent, a registered campaign, quiet hours enforced, STOP handling running — and still commit a HIPAA breach because someone typed a drug name into a template. The four fields to keep out of every body: diagnosis, medication, results, and any specialty that gives away the condition. Confirm the time and place, route the sensitive stuff to a call or portal, and audit your templates once so the mistake can't scale.

If you want the delivery floor handled while you tighten the copy, you can register 10DLC in-app and start on 2,500 free credits, no card required — see pricing or browse the rest of the healthcare SMS posts. The words are still your job. Everything under them, we can hold steady.