Do I need a BAA with my messaging vendor?

HHS has not addressed whether email and SMS providers who facilitate such transmissions are HIPAA business associates, but HHS’s narrow view of the “conduit exception” for transmission services and the need for most providers to store your messages for logging purposes mean that in most cases you will need to put a business associate agreement in place.

Some providers offer BAAs readily (e.g., Mailgun, Google G Suite Zendesk).

Others may offer special configuration instructions, but will try to avoid accepting liability (e.g. Twilio). In either case, you should consult an attorney if you have questions about potential legal risk.

What about push notifications?

Push notifications are often sent over encrypted protocols, but check with your provider. You may still need a business associate agreement if you are sending PHI in the notification.

Do I need an opt-in if I'm sending emails that don't contain PHI?

It is not clear. Protected Health Information, or PHI, is the combination of individually identifiable information (such as an email address, phone number, or device identifier) and health information. HHS has not clarified whether an email address used in a healthcare context constitutes PHI. Many healthcare providers do send routine transactional and marketing emails to users without collecting an opt-in. If you do so, take care to limit the personalized content of the communications and consider consulting an attorney.