HIPAA Compliant Platform

HIPAA Compliant Appointment Reminders You Can Trust

Appointment Reminder is built from the ground up to protect patient health information. We sign a BAA with every healthcare customer, encrypt all data in transit and at rest, and maintain the administrative, technical, and physical safeguards required by HIPAA.

  • 14+ years in healthcare
  • 400+ healthcare practices
  • 5M+ patient reminders sent
  • 100% BAA coverage

Why It Matters

Patient Reminders Contain PHI — Your Vendor Must Be HIPAA Compliant

Every appointment reminder you send contains Protected Health Information (PHI) — patient names, appointment dates, provider names, and sometimes procedure types. Under HIPAA (45 CFR 164.502), any vendor that creates, receives, maintains, or transmits PHI on your behalf is a Business Associate and must sign a BAA.

Using a non-compliant reminder service puts your practice at risk for HIPAA violations ranging from $100 to $50,000 per violation, with annual maximums of $1.5 million per violation category. The OCR has increased enforcement actions significantly since 2020.

Common Mistake

Many practices use generic SMS or email tools (Mailchimp, Twilio directly, Google Voice) for patient reminders without a BAA. This is a HIPAA violation — even if the messages seem harmless.

HIPAA Penalty Tiers

  • Tier 1: $100 – $50,000 per violation. Did not know and could not have known.
  • Tier 2: $1,000 – $50,000 per violation. Reasonable cause, not willful neglect.
  • Tier 3: $10,000 – $50,000 per violation. Willful neglect, corrected within 30 days.
  • Tier 4: $50,000+ per violation. Willful neglect, not corrected.

Annual maximum: $1.5M per violation category (45 CFR 160.404)

Business Associate Agreement (BAA)

A BAA is a legally binding contract required by HIPAA (45 CFR 164.502(e)) between a covered entity (your practice) and a business associate (Appointment Reminder). It defines how we handle, protect, and limit our use of your patients' PHI.

We sign a BAA with every healthcare customer — it's included as part of your account setup at no additional cost. No enterprise plan required, no legal negotiation needed.

BAA executed before any PHI is transmitted
Covers SMS, email, and voice reminder channels
Includes breach notification obligations (within 60 days per 45 CFR 164.410)
Defines permitted uses and disclosures of PHI
No extra cost — included on all plans

Get Your BAA

Start your free trial and we'll have your BAA ready to sign before you send your first reminder.

Start Free Trial

14-day free trial · Cancel anytime

Technical Safeguards

Enterprise-Grade Security for Every Practice

Our infrastructure meets the technical safeguard requirements specified in 45 CFR 164.312.

Encryption

  • AES-256 encryption at rest for all stored PHI
  • TLS 1.2+ encryption for all data in transit
  • Encrypted database backups with separate key management
  • End-to-end encrypted API connections

Access Controls

  • Role-based access control (RBAC) for all users
  • Unique user identification and authentication
  • Automatic session timeout after inactivity
  • Complete audit trail of all PHI access

Infrastructure

  • SOC 2 Type II certified data centers
  • Geo-redundant backups across multiple regions
  • DDoS protection and web application firewall
  • 24/7 infrastructure monitoring and alerting

Audit Controls

  • Detailed activity logs for compliance reporting
  • Immutable audit trail — logs cannot be altered
  • Automated alerts for suspicious access patterns
  • Log retention per HIPAA requirements

Availability

  • 99.9% uptime SLA for reminder delivery
  • Automated failover and disaster recovery
  • Regular data backups with tested restoration
  • Redundant delivery channels (SMS, email, voice)

Transmission Security

  • Secure API endpoints with authentication tokens
  • PHI never included in URLs or query strings
  • Message content controls to limit PHI in SMS
  • Compliant carrier partnerships for voice/SMS

PHI Handling

What PHI We Access and How We Protect It

We follow the HIPAA Minimum Necessary Standard (45 CFR 164.502(b)) — we only access the PHI needed to deliver your reminders, nothing more.

PHI We Process

  • Patient name: used in personalized reminders
  • Phone number / email: required for reminder delivery
  • Appointment date & time: core to reminder content
  • Provider name: included in reminder context
  • Appointment type: optional — you control what's included

PHI We Never Access

  • Medical records or clinical notes
  • Diagnoses or treatment plans
  • Insurance or billing information
  • Social Security numbers
  • Lab results or imaging data

HIPAA Compliance Checklist

How We Meet Every HIPAA Requirement

Business Associate Agreement

Signed with every healthcare customer before PHI transmission begins.

Administrative Safeguards

Security officer designated, workforce training, access management policies, and incident response procedures.

Physical Safeguards

SOC 2 certified facilities with biometric access, video surveillance, and environmental controls.

Technical Safeguards

AES-256 encryption, role-based access, audit logging, automatic session management, and integrity controls.

Breach Notification

Written procedures for breach detection, investigation, and notification within HIPAA-required timeframes.

Minimum Necessary Standard

We only access the specific PHI elements needed to deliver reminders — nothing more.

Data Retention & Disposal

PHI retained only as long as needed, with secure deletion when accounts are closed.

Risk Analysis

Annual risk assessments to identify and address potential vulnerabilities to PHI.

Workforce Training

All employees complete HIPAA training upon hire and annually thereafter.

Subcontractor Management

All subcontractors with PHI access sign BAAs and meet our security requirements.

Your Control

You Control What Goes in Every Message

HIPAA doesn't prohibit sending appointment reminders — it requires you to limit the PHI disclosed to the minimum necessary. With Appointment Reminder, you have full control over message templates and can choose exactly how much detail to include.

  • Customizable message templates for SMS, email, and voice
  • Choose to include or exclude appointment type, provider name, or location
  • Secure patient portal links for full appointment details
  • Patient opt-out management built in

Example: Minimal PHI

"Hi Sarah, you have an upcoming appointment on Tuesday, March 10 at 2:00 PM. Reply C to confirm or R to reschedule."

No provider name, no appointment type

Example: Standard

"Hi Sarah, this is a reminder of your appointment with Dr. Chen on Tuesday, March 10 at 2:00 PM. Reply C to confirm or R to reschedule."

Includes provider — common and compliant
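The include/exclude control described above, as an added example that is not Appointment Reminder's code: a small composer that renders a reminder from a template only through a policy of permitted PHI elements, refuses any template that references an excluded element, and checks the rendered text for leaks of excluded values. The policy names, template strings and sample appointment are constructed for illustration and reproduce the page's two example messages.

```python
"""Minimum-necessary reminder composer (added example, not the vendor's code)."""
from dataclasses import dataclass
from string import Formatter
from typing import Dict, FrozenSet

# Each field is a PHI element from the page's "PHI We Process" list.
PHI_FIELDS = frozenset({"patient_name", "when", "provider_name", "appointment_type", "location"})


class PolicyViolation(ValueError):
    """Raised when a template would disclose a PHI element the policy excludes."""


@dataclass(frozen=True)
class MessagePolicy:
    allowed: FrozenSet[str]  # PHI elements the practice has chosen to disclose


# Hypothetical policies mirroring the page's "Minimal PHI" and "Standard" examples.
MINIMAL = MessagePolicy(frozenset({"patient_name", "when"}))
STANDARD = MessagePolicy(frozenset({"patient_name", "when", "provider_name"}))

MINIMAL_TEMPLATE = ("Hi {patient_name}, you have an upcoming appointment on {when}. "
                    "Reply C to confirm or R to reschedule.")
STANDARD_TEMPLATE = ("Hi {patient_name}, this is a reminder of your appointment with "
                     "{provider_name} on {when}. Reply C to confirm or R to reschedule.")

SAMPLE_APPT = {  # constructed sample record, not real patient data
    "patient_name": "Sarah",
    "when": "Tuesday, March 10 at 2:00 PM",
    "provider_name": "Dr. Chen",
    "appointment_type": "Therapy intake",
    "location": "Suite 200",
}


def placeholders(template: str) -> FrozenSet[str]:
    """Field names referenced by a str.format-style template."""
    return frozenset(name for _, name, _, _ in Formatter().parse(template) if name)


def render_reminder(template: str, appt: Dict[str, str], policy: MessagePolicy) -> str:
    excluded = PHI_FIELDS - policy.allowed
    # 1. Refuse templates that reference PHI the policy does not permit.
    disallowed = placeholders(template) & excluded
    if disallowed:
        raise PolicyViolation(f"template discloses excluded PHI: {sorted(disallowed)}")
    # 2. Only permitted values are ever handed to the formatter.
    message = template.format(**{k: v for k, v in appt.items() if k in policy.allowed})
    # 3. Defence in depth: a value typed into the template by hand must not leak excluded PHI.
    for field in excluded:
        if field in appt and appt[field] in message:
            raise PolicyViolation(f"rendered message contains excluded PHI field {field!r}")
    return message
```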

Trusted by Healthcare Practices Nationwide

"As a mental health practice, HIPAA compliance isn't optional — it's everything. Appointment Reminder gave us a signed BAA on day one, and their message controls let us keep patient information private while still reducing no-shows by 40%."
Dr. Rachel Goldstein, Clinical Psychologist, Private Practice

"We evaluated five reminder platforms before choosing Appointment Reminder. They were the only vendor that could walk us through their exact HIPAA controls and provide a BAA without requiring an enterprise plan."
Mark Henderson, Practice Manager, Lakeside Family Medicine

"Our compliance officer specifically asked about encryption, audit logs, and breach procedures. Appointment Reminder had clear answers for every question. We've been using them for three years without a single concern."
Jennifer Wu, RN, Director of Operations, Valley Dental Group

HIPAA Compliance FAQ

Do you sign a BAA?

Yes. We sign a Business Associate Agreement (BAA) with every healthcare customer. It's included at no extra cost on all plans — no enterprise tier required. Your BAA is ready to sign before you send your first reminder.

Is it HIPAA compliant to text patients appointment reminders?

Yes, when done correctly. HIPAA does not prohibit texting patients — it requires that PHI be protected with appropriate safeguards. Appointment Reminder provides encrypted transmission, message content controls so you choose how much PHI to include, patient opt-out management, and a signed BAA covering SMS communications.

How is patient data encrypted?

All data at rest is encrypted with AES-256, the same standard used by banks and government agencies. All data in transit is protected with TLS 1.2 or higher. Database backups are encrypted with separate key management. Our API connections use authenticated, encrypted endpoints.

What happens if there is a breach?

We maintain a documented breach response plan per 45 CFR 164.408. In the unlikely event of a breach involving PHI, we will notify the covered entity within the timeframes specified in our BAA (and within 60 days as required by HIPAA). We also assist with breach investigation, documentation, and any required notifications to affected individuals or HHS.

Can patients opt out of reminders?

Yes. Every SMS reminder includes opt-out instructions (reply STOP). Patients can also opt out through your practice directly. We maintain suppression lists to ensure opted-out patients never receive messages, which supports your HIPAA compliance by respecting patient preferences.

Are your employees trained on HIPAA?

Yes. All Appointment Reminder employees complete HIPAA privacy and security training upon hire and annually thereafter. Access to systems containing PHI is restricted to authorized personnel only, following the principle of least privilege.

Where is patient data stored?

All data is stored in SOC 2 Type II certified data centers within the United States. We use geo-redundant backups to ensure data availability. Physical access to our data centers requires biometric authentication, and facilities are monitored 24/7.

What happens to patient data when I close my account?

When you close your account, we securely delete all PHI within 30 days per our data retention policy. We can provide written confirmation of data destruction upon request. This aligns with HIPAA's requirements for secure disposal of PHI (45 CFR 164.310(d)(2)).

How is Appointment Reminder different from other reminder tools?

Unlike many reminder tools that treat HIPAA as an afterthought or charge extra for compliance features, Appointment Reminder was built for healthcare from day one. Every plan includes a BAA, encryption, audit logging, and access controls. We don't gate security behind premium pricing.

How do I get my BAA?

Once you start a paid subscription, provide your Legal Company Name, Address, Privacy Officer name, and email address. We'll send you a BAA electronically to sign — typically the same day.

Where is customer data hosted?

All customer data is stored in Microsoft Azure data centers in the United States. US data residency is maintained for all accounts regardless of where your business is located.

Is HIPAA compliance available on every plan?

HIPAA compliance and a signed BAA are available on all paid plans at no additional cost — even the $29/month Basic plan. Solo practitioners and small clinics are fully covered.

Can I archive messages for my compliance records?

Yes. Every reminder sent and every reply received can be forwarded to an email address you specify, giving you a complete audit trail. This is compatible with archiving platforms like Smarsh and Global Relay.

Are you SOC 2 certified?

We do not currently hold SOC 2 certification. We are fully HIPAA compliant and provide a signed BAA. For additional security questions, we're happy to walk you through our practices on a call.

HIPAA Compliant Reminders — Starting Today

Join 400+ healthcare practices that trust Appointment Reminder to protect patient information while reducing no-shows. Free 14-day trial with BAA included.