Will My SMS Architecture Survive Scrutiny or Create Liability?
A mini field guide for founders building SMS-led healthcare programs who keep being told “we’ll figure out compliance later” and have not yet seen the bill.
Will My SMS Architecture Survive Scrutiny or Create Liability?
A mini field guide for founders building SMS-led healthcare programs who keep being told “we’ll figure out compliance later” and have not yet seen the bill.
5 Minute Read • June 8, 2026
Author’s note
Hi, I’m Vadim.
Healthtech venture is hard, a fact I’ve learned firsthand as an operator, accelerator director, and investor. I’ve watched good teams repeat avoidable mistakes others have already paid for. I write Healing Healthtech to distill research and the experiences of top-tier operators into actionable tactics and frameworks, so we can all aim to make only new mistakes.
Subscribe for a twice-monthly dispatch of free and paid field guides meant to help you build more deliberately toward something better in human health. And if it’s useful, please forward it to other healthtech builders in your network.
This is the open, abbreviated edition for free subscribers of Healing Healthtech. The full SMS vs. Apps Field Guide is available to paid subscribers. It combines deep operator experience from payer, provider, and startup CEOs, with findings of 75+ published studies into a tactical document on how, when, and why to choose SMS vs. Apps for Digital Health programs as well as how to instrument and manage their operation.
TLDR
Bucket every message by content type before the first send, and never let two buckets ride on the same wire. The mixed-content SMS is the most common TCPA enforcement vector in healthcare; $500 per message under a private right of action.
Sign a BAA with the SMS vendor, then walk the chain down to the carrier aggregator and back up in writing. HIPAA coverage is only as strong as the weakest BAA in the path; downstream gaps surface during enforcement, not before.
Send notifications in the SMS body; route identified clinical content through a click-out to a HIPAA-compliant surface. The SMS layer’s HIPAA posture is the click-out it lands on, not the BAA on the vendor.
Treat consent that came with your partner’s list as covering the partner’s sends, not yours. Without your own express written consent or contractual business-associate coverage, the first message is the violation.
Register every brand and use case with The Campaign Registry, plan capacity against the tier-3 ceiling, and build the opt-out flow to CTIA spec. The carrier layer filters before TCPA enforcement gets the chance.
The four regimes
Four regimes govern healthcare SMS, and they enforce independently on different timelines. An audit, a class action, a carrier dispute, and a filter incident each demand a different exhibit.
TCPA (Telephone Consumer Protection Act) — federal SMS consent law. Requires prior express consent for automated SMS to mobile numbers. Enforced by class-action plaintiffs (private right of action at $500 per message) and the FCC. The FCC’s 2015 declaratory ruling carves out treatment-purpose messages from HIPAA-covered entities; the 2024 Consent Order codified cross-channel revocation.
HIPAA — PHI handling. Governs what protected health information can flow through which channel on which consent. Enforced by HHS OCR and state AGs in parallel through HITECH. Civil penalties run from $137 to roughly $2.1M per violation. SMS is permitted under specific architectural patterns.
10DLC (10-digit long code) — carrier registration for application-to-person SMS. Verizon, T-Mobile, and AT&T require every brand and use case to register with The Campaign Registry before traffic flows. Unregistered traffic is filtered, throttled, or blocked. Per-violation carrier penalties reach $10,000.
CTIA Messaging Principles — industry self-regulatory content standard. Published by the wireless trade association. Not law. Enforced by the carriers through 10DLC filtering and campaign suspension. The cost of noncompliance is filtering and lost reach.
Six tripwires, and how to avoid them
1. The mixed-content SMS converts a treatment-exempt message into marketing.
Appointment reminders, lab-result notifications, post-discharge follow-up, prescription nudges, and pre-op instructions all ride the FCC carve-out without prior express written consent. The carve-out evaporates the moment one send mixes a marketing hook in. “Your appointment is Tuesday at 2pm. Ask about our new weight management program!” reads as a reminder to the founder writing the template and as a marketing message to the FCC and plaintiff’s counsel. At $500 per message, one careless template underwrites a class action.
The fix is architectural, not editorial. Treatment-purpose, marketing, and billing each travel a separate code path with a separate consent gate. The content classifier sits upstream of the send, not downstream of legal review. If your engineer cannot point to the three flows on the system diagram, you have one flow and three liabilities.
2. The BAA chain breaks where you aren’t looking.
HIPAA permits PHI in SMS when the covered entity has a BAA with the SMS vendor and that vendor has equivalent BAAs with everyone the message touches: the carrier aggregator, the message routing service, the analytics tooling, the observability stack. The chain is only as strong as its weakest link, and the weakest link is rarely the one your counsel reviewed. Get the executed BAA before the first production message, then ask the vendor for written confirmation of downstream coverage and read the actual list of subcontractors. Vendors that have done this work hand you the list; vendors that have not give you a paragraph that begins “we maintain industry-standard.” Treat that paragraph as the answer on whether they are ready for production.
3. PHI belongs behind a click-out, not in the SMS body.
SMS is not a HIPAA-noncompliant channel. It is a channel with a specific architectural pattern: notification in the body, identified clinical content behind a click-out to a HIPAA-compliant surface. Lab values, full clinical narratives, sensitive diagnoses, medication changes, mental health, and sexual health content sit behind the click-out. The SMS announces that something is ready; the secure surface is where the patient sees it. The click-out has to authenticate the patient before displaying PHI and log access for the audit trail, or the BAA on the vendor is doing no work. The patient-initiated exception is the other path: when the patient texts in first, the practice can reply on the same channel under the 2013 Omnibus Rule preamble, after a one-time unencrypted-channel disclosure documented in the chart.
4. The patient list from your partner does not bring their consent with it.
When the startup receives a list from a payer or provider, the consent that runs with it is consent the patient gave to the partner, not to the startup. Two questions before first send. Does the partner’s notice of privacy practices cover communications by their business associates, and is the startup contracted as one? And is the content treatment-purpose? Yes to both means the inheritance plus the FCC carve-out cover the send. No to either means the startup needs its own express written consent before the first message. The 2024 TCPA Consent Order adds one more wire to trip on: cross-channel revocation, with the compliance deadline currently extended to January 31, 2027. An opt-out on any channel from any covered brand revokes consent across all channels from that brand. Build the handler to revoke globally by default; do not let the engineer ship the channel-local version because the global one is harder.
5. The carrier layer filters you before TCPA enforcement gets the chance.
Register the brand and every use case with The Campaign Registry before first send. Healthcare programs register Account Notification, Appointment Reminders, and Public Service Announcements as separate use cases. The throughput tier (1–3) caps per-second send rates; tier 3 is required for population scale and is gated by your brand trust score. Plan capacity against the tier-3 ceiling at launch; retrofitting after a campaign hits the tier-1 cap is a delay measured in weeks while clinical operations sit on their hands.
Build the opt-out and acknowledgment flow to CTIA spec, not the TCPA floor. STOP, HELP, and frequency disclosure at first message. Branded short-domain links, not bit.ly. Consistent sender ID across the use-case lifecycle. Clean content classification tagged to the registered use case. Programs that meet TCPA and miss CTIA get filtered before the recipient sees the message.
6. Retain two attorneys, not one.
A TCPA specialist for the federal SMS consent layer, the carve-out mechanics, the 2024 Consent Order, and the class-action exposure curve. A healthcare-regulatory specialist for HIPAA, state privacy, the corporate-practice-of-medicine questions, and the BAA chain. A generalist who opines across all four regimes from a single seat is the wrong choice; the deliverable is a memo that hedges everything and decides nothing. Come to each prepared, with the architecture document, the message-type buckets, and the BAA-chain status in hand. The attorney is most valuable on the discrete decisions you have already framed, not on building the frame.
Primary sources
FCC 2015 Omnibus Declaratory Ruling (FCC 15-72) • FCC 2024 TCPA Consent Order (FCC 24-24), §64.1200(a)(10); cross-channel revocation deadline Jan 31, 2027 • 45 CFR § 164.522(b) and 2013 HIPAA Omnibus Rule preamble • The Campaign Registry A2P 10DLC framework • CTIA Messaging Principles and Best Practices. Distilled from the SMS vs. Apps Field Guide (May 2026), §3.3 and Appendix A.2.


