Many clinical research coordinators are told, with varying levels of accuracy, that automating patient communication at a clinical trial site creates HIPAA liability problems that are best avoided by keeping everything on phone calls and paper forms. This is not a correct reading of HIPAA, and it is preventing sites from implementing automation that would save coordinator hours without creating any actual compliance risk.

What HIPAA Actually Restricts in Automated Communication

HIPAA's Privacy Rule restricts the disclosure of protected health information — information that identifies a patient AND relates to their health condition, treatment, or payment. The key is the combination: identifying information alone is not PHI, and health information alone is not PHI. Both together are PHI.

An automated SMS that says "Your research visit is scheduled for Tuesday October 15 at 9 AM at [Site Name], [Address]. Reply STOP to unsubscribe." does not contain PHI. It contains scheduling information, a site name, and an address. None of that is health information. It is fully compliant for standard SMS delivery.

An automated SMS that says "Reminder: your scheduled visit for your Type 2 Diabetes study" combines an identifier (the patient's phone number) with health information (the condition). That message should not be sent via standard unencrypted SMS.

The Practical Rule

The practical rule for automated patient communication in a clinical trial context is straightforward: appointment reminders, scheduling confirmations, and logistical messages that do not name the condition, study drug, or diagnosis are compliant for standard SMS. Pre-screening questions that ask about health conditions should go through a secure channel or a consent-to-receive-health-information acknowledgment flow. All patient data stored in any automation platform must be covered by a Business Associate Agreement with the platform vendor.
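As an added example (not code from this article or from any of the platforms it names), here is a pre-send gate in Python that applies the rule above: it refuses to use any platform without a BAA on file, routes templates that name a condition, study drug or diagnosis to a secure channel, and allows logistics-only templates on standard SMS. The health-term list and the platform inventory are constructed placeholders that a site would replace with its own study terms and vendor records.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder: the study-specific terms that turn a message into PHI
# once combined with the recipient's phone number (condition, study drug, diagnosis).
STUDY_HEALTH_TERMS = {
    "type 2 diabetes", "diabetes", "metformin", "hba1c", "diagnosis", "study drug",
}

# Constructed placeholder: which messaging vendors have a signed BAA on file.
PLATFORMS_WITH_BAA = {"twilio": True, "gohighlevel": True, "legacy-sms-gateway": False}


@dataclass
class Routing:
    channel: str   # "sms" (standard, unencrypted) or "secure" (encrypted / consented channel)
    reason: str


def find_health_term(text: str) -> Optional[str]:
    """Return the first condition/drug/diagnosis term found in the text, else None.

    Longest terms are checked first so "type 2 diabetes" is reported rather than
    the bare "diabetes" it contains; word boundaries avoid partial-word hits.
    """
    lowered = text.lower()
    for term in sorted(STUDY_HEALTH_TERMS, key=len, reverse=True):
        if re.search(r"\b" + re.escape(term) + r"\b", lowered):
            return term
    return None


def route_message(text: str, platform: str) -> Routing:
    """Decide how a patient-facing automated message may be delivered.

    No platform without a BAA may touch patient data at all; a message that
    names health information must go by a secure channel; a logistics-only
    message (date, time, site name, address) may go by standard SMS.
    """
    if not PLATFORMS_WITH_BAA.get(platform, False):
        raise ValueError(f"no BAA on file for platform {platform!r}; do not send")
    term = find_health_term(text)
    if term:
        return Routing("secure", f"names health information ({term!r})")
    return Routing("sms", "logistics only: no condition, study drug or diagnosis")
```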

Getting a BAA With Your Automation Platform

GoHighLevel, Twilio, and most enterprise communication platforms offer Business Associate Agreements for healthcare use cases. A BAA does not require a separate enterprise contract in most cases — it is a standard agreement available to any healthcare organization using the platform for patient communication. Having a BAA in place with every platform that handles any patient data is the foundational compliance requirement for automated patient communication.