An SMS compliance checklist for nonprofits and healthcare organizations covers the core requirements that apply before any text messaging program goes live: obtaining and documenting TCPA-compliant express written consent, configuring opt-out handling, observing quiet hours, completing 10DLC brand and campaign registration with carriers, and, for healthcare organizations, layering HIPAA requirements including a signed Business Associate Agreement, encryption in transit and at rest, access controls, and audit logging. Organizations that get these checkpoints right before launch avoid the filtering, liability, and program disruption that come from skipping them.

The SMS compliance checklist

Work through each item before sending your first message. Healthcare organizations should complete all items; nonprofits, schools, and government agencies complete the universal items plus any sector-specific ones that apply.

  1. Obtain express written consent before texting anyone. A phone number alone is not consent. Use a web form with a dedicated SMS opt-in checkbox, a text-to-join keyword, a paper form with a separate SMS consent section, or documented verbal confirmation. Your consent language must name the message types the subscriber will receive and state that message and data rates may apply.
  2. Store consent records with timestamp, source, and exact consent language. Documentation is your primary defense in a compliance audit or legal dispute. Records must be retrievable quickly and kept for as long as you send to that number.
  3. Configure opt-out functionality (STOP keyword). Every subscriber must always have a working way to unsubscribe: STOP and the other standard opt-out keywords must be honored on any inbound reply, and "Reply STOP to unsubscribe" must appear in your welcome message and periodically thereafter. Your platform must process opt-out requests immediately.
  4. Process opt-out requests without delay. Batching unsubscribes weekly or on any schedule is non-compliant. Remove opted-out numbers from active lists as soon as the request is received.
  5. Enforce quiet hours: no messages before 8 AM or after 9 PM in the recipient's local time zone. This applies to promotional messages and fundraising appeals. Emergency alerts and urgent clinical reminders may be exempt, but document your rationale in writing.
  6. Complete 10DLC brand registration with The Campaign Registry (TCR). All organizations sending application-to-person (A2P) messages in the United States are required to register before major carriers will deliver their messages. You will need your EIN, business type, and contact information.
  7. Complete 10DLC campaign registration and obtain approval. Describe your messaging use case (appointment reminders, fundraising appeals, emergency alerts, and similar), submit sample message templates, and wait for campaign vetting to complete before sending. Unregistered campaigns are actively filtered or blocked.
  8. For nonprofits: submit 501(c)(3) verification during brand registration (if applicable). Verified nonprofit status can improve deliverability and increase message throughput. Have your IRS determination letter ready during registration.
  9. For healthcare organizations: confirm your SMS platform will sign a Business Associate Agreement. If your messages may contain protected health information (PHI) including appointment details, patient identification, or any health-related content, your vendor must sign a BAA acknowledging their responsibility to protect that information. Consumer platforms and general-purpose marketing tools typically will not sign BAAs.
  10. For healthcare organizations: verify encryption in transit and at rest. The HIPAA Security Rule does not name algorithms, so ask for specifics: TLS 1.2 or later (1.3 preferred) on every hop between your staff, the platform, and the carrier gateway, and AES-256 for stored messages, attachments, and backups. Messages containing PHI must be protected both while traveling across networks and while stored on the platform. Get your vendor's encryption standards in writing.
  11. For healthcare organizations: confirm audit logging is enabled and accessible. HIPAA requires a complete audit trail showing who accessed which messages, when, and from where. Verify that your platform logs all message activity and makes those logs available for compliance reviews.
  12. For healthcare organizations: configure role-based access controls and multi-factor authentication. Only authorized staff should be able to read or send patient messages. Your platform should support granular role permissions, MFA, and automatic session timeouts.
  13. For healthcare organizations: include SMS consent in patient intake paperwork. Beyond TCPA consent, obtain explicit authorization from patients to communicate via text about healthcare matters. Clearly state what types of information may be sent, how patients can opt out, and the limitations of standard SMS. Document this consent in the patient record.
  14. Review all message templates for content compliance. For healthcare, remove PHI from standard SMS templates and use generic language ("You have an appointment tomorrow at 2 PM" rather than including a diagnosis, provider name, or facility name in the same message). For all organizations, confirm that opt-out instructions appear in templates.
  15. Train every staff member who will send messages or manage the program. Training should cover: what constitutes valid consent and how to verify it; how to process opt-out requests immediately; what content is and is not permitted; quiet hours; documentation practices; and what to do when someone reports a potential violation. For healthcare teams, add training on PHI identification, secure versus standard messaging decisions, audit log access, and incident response.
  16. Assign ongoing compliance monitoring responsibility. Someone on your team should review a sample of outgoing messages monthly, audit opt-out processing, check consent records for completeness, monitor carrier delivery feedback, and update policies when regulations change.

Universal requirements: TCPA and 10DLC

The Telephone Consumer Protection Act applies to all text messaging programs in the United States regardless of your organization type, message volume, or whether your program is commercial or mission-driven. TCPA compliance for nonprofits and healthcare organizations requires three foundational elements: express written consent before texting anyone, an immediate and functional opt-out mechanism, and adherence to quiet hours.

A common mistake nonprofits make is assuming that a donor who submitted a web form automatically consented to SMS fundraising appeals. Unless that form included a separate, explicit SMS opt-in checkbox with disclosure language, you do not have TCPA-compliant consent to send text solicitations. Email and SMS consent must be collected and recorded separately.

10DLC registration is the other universal requirement. The major carriers now require all A2P messaging to route through registered brands and campaigns in The Campaign Registry. Registration involves two steps: brand registration (your organization's identity and EIN) and campaign registration (your specific messaging use case with sample templates). Unregistered messages are subject to filtering or complete blocking. The 10DLC registration process is handled during onboarding for organizations using a platform built for mission-driven senders.

Quiet hours

No promotional, fundraising, or non-urgent messages before 8 AM or after 9 PM in the recipient's local time zone. Carriers and the FCC take this restriction seriously. If your organization sends to contacts across multiple time zones, your platform should calculate and enforce quiet hours per recipient, not per your organization's local time.
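The per-recipient calculation described above, as an added example rather than code from the page or from any platform it mentions. It computes the send window from the recipient's IANA time zone (DST offsets come from zoneinfo, so the 8 AM boundary is correct on changeover days), returns the next permitted UTC instant when a message must be held, and, as an assumed fallback for numbers with no known zone, requires the window to be open in every continental US zone before allowing the send.

```python
from datetime import datetime, time, timedelta, timezone
from typing import Optional
from zoneinfo import ZoneInfo

# TCPA quiet hours as stated in the checklist: no non-urgent sends before 8 AM
# or after 9 PM in the recipient's local time.
WINDOW_OPEN = time(8, 0)
WINDOW_CLOSE = time(21, 0)

# Assumed fallback for a recipient whose zone is unknown (e.g. only an area code
# on file): every plausible zone must be open before a send is allowed.
CONTINENTAL_US_ZONES = (
    "America/New_York", "America/Chicago", "America/Denver", "America/Los_Angeles",
)


def utc(*args) -> datetime:
    """Helper for building constructed UTC timestamps in the examples."""
    return datetime(*args, tzinfo=timezone.utc)


def in_send_window(now_utc: datetime, tz_name: str) -> bool:
    """True if now_utc is between 08:00 and 20:59:59 wall-clock time in tz_name."""
    if now_utc.tzinfo is None:
        raise ValueError("now_utc must be timezone-aware")
    local = now_utc.astimezone(ZoneInfo(tz_name))
    return WINDOW_OPEN <= local.time() < WINDOW_CLOSE


def next_send_time(now_utc: datetime, tz_name: str) -> datetime:
    """Earliest UTC instant at or after now_utc when a send to tz_name is permitted."""
    if in_send_window(now_utc, tz_name):
        return now_utc
    tz = ZoneInfo(tz_name)
    local = now_utc.astimezone(tz)
    # Before 08:00 local: the window opens later today. At or after 21:00: tomorrow.
    open_date = local.date() if local.time() < WINDOW_OPEN else local.date() + timedelta(days=1)
    # Build 08:00 wall-clock in the recipient's zone and convert back to UTC so the
    # scheduler keeps one clock. US DST changes at 02:00, so 08:00 always exists.
    open_local = datetime.combine(open_date, WINDOW_OPEN, tzinfo=tz)
    return open_local.astimezone(timezone.utc)


def may_send_now(now_utc: datetime, tz_name: Optional[str]) -> bool:
    """Per-recipient gate; an unknown zone is handled conservatively, never by
    falling back to the sending organization's own local time."""
    zones = (tz_name,) if tz_name else CONTINENTAL_US_ZONES
    return all(in_send_window(now_utc, z) for z in zones)


if __name__ == "__main__":
    # Constructed instant: 12:30 UTC on 2024-03-10, the US spring-forward date.
    now = utc(2024, 3, 10, 12, 30)
    for zone in CONTINENTAL_US_ZONES:
        print(zone, "send now" if may_send_now(now, zone) else f"hold until {next_send_time(now, zone)}")
```

Running the block on the constructed changeover instant shows New York (08:30 EDT) already open while Los Angeles (05:30 PDT) is held until 15:00 UTC; a scheduler that applied the organization's own clock to both would get one of them wrong.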

Peer-to-peer texting for nonprofits

Peer-to-peer texting, where volunteers or staff send individual messages from their personal phones, occupies a distinct regulatory space. The FCC generally treats genuine one-to-one human-initiated messages as personal communication rather than A2P messaging. However, if your program uses software to facilitate, queue, or centrally manage what appears to be individual outreach, consult telecommunications counsel about whether your specific setup falls under TCPA's A2P framework. Compliance documentation also becomes substantially harder when personal devices are involved.

State telemarketing laws

Several states have enacted telemarketing laws that go beyond federal TCPA requirements. If your organization operates across state lines or your supporter or patient base spans multiple states, verify that your consent practices and opt-out handling meet the strictest applicable state standard. An attorney with experience in telecommunications law can identify the specific states that are most relevant to your program.

Healthcare-specific requirements: HIPAA and patient SMS

Healthcare organizations must comply with TCPA and 10DLC and layer on HIPAA requirements for any messaging that involves protected health information. HIPAA-compliant text messaging for healthcare providers centers on four platform requirements: a signed BAA with your SMS vendor, encryption in transit (TLS 1.2 or later) and at rest (AES-256), audit logging, and access controls.

Not every SMS platform is built to support HIPAA compliance. Before selecting a vendor, ask directly whether they will sign a BAA and request their encryption documentation. Platforms that decline to sign a BAA or are vague about their encryption standards are not appropriate for patient communication containing PHI.

What counts as PHI in a text message

The threshold for PHI is lower than many healthcare teams expect. Any message that could connect an individual to a health condition, treatment, or provider may constitute PHI. A message that says "Your appointment at [clinic name] with Dr. [name] is tomorrow at 2 PM" contains identifiers that link a person to a healthcare relationship. A message that says only "You have an appointment tomorrow at 2 PM" is generally considered lower-risk, though most compliance advisors recommend using a HIPAA-supported platform for all patient communication to eliminate ambiguity.

Standard SMS versus secure messaging for healthcare

Standard SMS routes through carrier networks and does not provide the same level of protection as a secure messaging channel. A common approach for healthcare organizations is to use standard SMS for generic appointment and scheduling messages that contain no identifying health details, and to route anything involving PHI through a platform that provides the required security controls. Whatever hybrid approach your organization takes, document the policy in writing and train staff on which channel to use for which content.
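A template review that mechanizes checklist item 14 and the standard-versus-secure routing decision above, added here as an example and not taken from the page or any vendor. It flags merge fields and fixed wording that would tie the recipient to a provider, clinic, condition or treatment and routes such templates to the secure channel, checks that a first message carries opt-out language, and reports a gotcha practitioners often miss: one character outside the GSM 03.38 alphabet (a curly apostrophe, an emoji) forces UCS-2 encoding and cuts the per-segment limit from 160 to 70 characters. The merge-field names and the PHI term list are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Merge fields whose values would link a person to care (the page's PHI
# examples); the field names themselves are assumed for this example.
PHI_FIELDS = {"patient_name", "provider_name", "clinic_name", "diagnosis",
              "condition", "treatment", "medication", "test_result"}
# Fixed wording that implies a condition or treatment even with no merge field
# (illustrative, not exhaustive).
PHI_TERMS = ("diagnos", "prescription", "medication", "therapy", "lab result",
             "test result", "oncology", "psychiatr", "substance use")
FIELD_RE = re.compile(r"\{(\w+)\}")
OPT_OUT_RE = re.compile(r"\b(reply|text)\s+STOP\b", re.IGNORECASE)

# GSM 03.38 basic alphabet; any other character forces UCS-2 encoding.
GSM7_BASIC = set("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞÆæßÉ !\"#¤%&'()*+,-./0123456789"
                 ":;<=>?¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
GSM7_EXT = set("^{}\\[~]|€")   # encodable, but each costs two septets


@dataclass
class LintResult:
    channel: str                     # "standard_sms" or "secure_only"
    encoding: str                    # "GSM-7" or "UCS-2"
    segment_limit: int               # characters that fit in one segment
    findings: List[str] = field(default_factory=list)


def lint_template(text: str, first_message: bool = False) -> LintResult:
    findings: List[str] = []
    phi = False

    # 1. PHI: merge fields and fixed wording that would link the recipient to care.
    for name in sorted(set(FIELD_RE.findall(text)) & PHI_FIELDS):
        phi = True
        findings.append(f"merge field {{{name}}} carries PHI")
    lowered = text.lower()
    for term in PHI_TERMS:
        if term in lowered:
            phi = True
            findings.append(f"wording '{term}' implies a condition or treatment")
    channel = "secure_only" if phi else "standard_sms"

    # 2. Opt-out language must appear in the first message (and periodically after).
    if first_message and not OPT_OUT_RE.search(text):
        findings.append("first message lacks a 'Reply STOP' opt-out instruction")

    # 3. Encoding and length. Length is measured on the raw template; expanded
    #    merge fields only make the real message longer.
    if all(c in GSM7_BASIC or c in GSM7_EXT for c in text):
        encoding, limit = "GSM-7", 160
        length = sum(2 if c in GSM7_EXT else 1 for c in text)
    else:
        encoding, limit = "UCS-2", 70
        length = len(text)
        bad = sorted({c for c in text if c not in GSM7_BASIC and c not in GSM7_EXT})
        findings.append(f"non-GSM-7 characters {bad!r} force UCS-2 (70-char segments)")
    if length > limit:
        findings.append(f"{length} {encoding} characters exceed one {limit}-character segment")
    return LintResult(channel, encoding, limit, findings)


if __name__ == "__main__":
    # Constructed templates: the page's generic reminder, its PHI-bearing
    # counterpart, and a generic one spoiled by a curly apostrophe.
    for tpl in ("You have an appointment tomorrow at 2 PM. Reply STOP to opt out.",
                "Your appointment at {clinic_name} with Dr. {provider_name} is tomorrow at 2 PM.",
                "Don’t forget: you have an appointment tomorrow at 2 PM."):
        print(lint_template(tpl, first_message=True))
```

Run the linter over every template in the campaign registration package before submission; the secure-only verdict is the signal to move that template off standard SMS rather than to edit the wording until the check passes.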

Patient consent and intake documentation

Healthcare organizations should collect SMS consent as a distinct item in patient intake paperwork or HIPAA authorization forms. The consent should name the types of information that may be sent via text, explain that standard SMS is not appropriate for urgent or emergency communication, describe the opt-out process, and note that the patient accepts the inherent limitations of SMS as a channel. Record this consent in the patient's file.

Documentation and training

Documentation should be centralized, consistently maintained, and accessible without delay when an audit or complaint occurs.

Records to maintain

  • Consent records including the date, time, source (form URL, keyword, paper intake), and exact consent language presented to the subscriber
  • Opt-out log showing the date of each request and the timestamp when the number was removed from active lists
  • Staff training records showing who completed training, when, and on what topics
  • Platform audit logs for all message activity, particularly for healthcare organizations
  • Signed BAAs with every vendor that handles PHI
  • 10DLC registration confirmations and campaign approval records from each carrier
  • Written SMS compliance policies and procedures reviewed and dated annually

What training should cover

Every team member who sends messages or administers your SMS program needs training that covers consent verification, immediate opt-out processing, content restrictions, quiet hours, documentation requirements, and your escalation process when a potential violation is reported. For healthcare teams, training should also address PHI identification, the distinction between standard and secure messaging channels, how to access audit logs, and incident response steps if a potential breach occurs.

Conduct training when new staff join, annually at minimum, and any time your platform or applicable regulations change.

Common violations to avoid

  • Texting without documented consent. A phone number collected during registration, at checkout, or in a donor database is not consent to receive SMS messages. Explicit written permission with disclosure language is required.
  • Batching opt-out processing. Systems that group unsubscribe requests and process them on a delay are non-compliant. Opt-outs must be honored immediately.
  • Using a platform without a signed BAA for patient communication. General-purpose marketing and mass-texting tools are not built for HIPAA compliance. Confirm your vendor's BAA status before your first message to a patient.
  • Sending PHI over standard SMS. Even with a HIPAA-supported platform, standard SMS that routes through carrier networks is an inherently lower-security channel. Limit health information in standard SMS and route PHI through appropriate secure channels.
  • Skipping 10DLC registration. Carriers actively filter messages from unregistered senders. Your program's deliverability and your organization's sender reputation both depend on completing registration before launch.
  • Using personal devices for professional messaging. Texting patients or constituents from personal phones creates documentation gaps and significant liability exposure. A dedicated platform keeps records centralized and auditable.
  • Assuming one consent covers all message types. Consent is use-case specific. A patient who consented to appointment reminders has not consented to fundraising or advocacy messages. A donor who consented to campaign updates has not consented to text solicitations unless your form specifically said so.

Choosing the right SMS platform

Your platform determines whether compliance is straightforward or a persistent source of risk. At minimum, any platform you evaluate should provide built-in TCPA opt-out processing, immediate opt-out removal, automatic quiet hours enforcement by recipient time zone, exportable consent records, and clear answers about 10DLC registration support. Healthcare organizations must also confirm a willingness to sign a BAA and receive documentation of encryption standards, audit log access, and access control options before committing to a vendor.

A vendor built for mission-driven organizations should answer compliance questions directly and provide written documentation. Vague or evasive responses about BAAs or encryption are a meaningful signal about operational risk.

FRANSiS™ is built specifically for nonprofits and healthcare organizations. TCPA compliance features, 10DLC registration handled during onboarding, and HIPAA compliance supported with a signed BAA for healthcare customers are built into the platform. Pricing is flat, predictable, and includes unlimited messaging so your team can focus on the communities you serve.

When to consult legal counsel

SMS compliance involves federal law, evolving FCC guidance, and state-level variation that no checklist can fully capture. Engage telecommunications or healthcare privacy counsel before launch if you operate across multiple states or internationally, if you are scaling a peer-to-peer texting program and are uncertain whether it falls under A2P rules, if your organization handles high-risk healthcare populations such as behavioral health or substance use treatment, if you plan to use SMS for advocacy or legislative calls to action, or if you have already received a complaint or cease-and-desist letter related to your messaging.

The investment in a compliance review before launch is substantially smaller than the cost of a TCPA dispute or a HIPAA investigation after the fact.

Documentation is your first line of defense. Every consent record, opt-out log, and training record that exists before a complaint is received is evidence that your program was built with compliance in mind.

Frequently asked questions

Do I need consent to send appointment reminders?

Yes. Even transactional and informational messages like appointment reminders require prior express consent under TCPA. Consent can be collected at intake when a patient or client provides their phone number, as long as your intake form includes clear language stating they will receive text reminders. A phone number in your system without that explicit disclosure is not sufficient.

Can I text people who gave me their phone number but did not explicitly opt in to texts?

No. Having someone's phone number does not constitute consent to send them text messages. TCPA requires express written consent specifically for SMS communication, separate from any other contact information they provided. This includes donors who gave their number during a gift transaction and patients who provided a contact number on intake forms without a specific SMS disclosure.

What is the difference between TCPA and HIPAA compliance for text messaging?

TCPA is a federal telecommunications law that applies to all SMS programs and requires consent, opt-out capability, and quiet hours. HIPAA is a healthcare privacy law that adds requirements specifically for the protection of patient health information: a signed BAA with your vendor, encryption in transit and at rest, audit logging, and access controls. Healthcare organizations must satisfy both frameworks simultaneously.

What does 10DLC registration involve for a nonprofit?

10DLC registration requires your organization to complete two steps through The Campaign Registry: brand registration (your identity, EIN, and business type) and campaign registration (your messaging use case with sample templates). Nonprofits with verified 501(c)(3) status may qualify for improved deliverability and higher message throughput. Registration fees are set by the carriers and TCR; your SMS platform should be able to walk you through the current process and handle submission on your behalf.

Can staff use personal phones to text patients or donors?

For healthcare: personal devices are not appropriate for messages that may contain PHI. Personal phones do not provide the encryption, audit logging, or access controls that HIPAA compliance requires. For nonprofits: one-to-one human communication from a personal phone generally sits outside A2P TCPA rules, but creates significant recordkeeping and documentation gaps. Best practice for all organizations is a dedicated platform that centralizes records and maintains a complete audit trail.

What should we do if we receive a TCPA complaint?

Stop messaging the complainant immediately. Retrieve and review their consent record. Document every step of your review. If consent documentation is unclear or missing, treat the situation as a compliance gap and consult legal counsel. Your ability to produce complete consent and opt-out records is the foundation of any defense, which is why documentation practices matter before any complaint arrives.

Do HIPAA requirements apply to every text we send to a patient?

HIPAA requirements apply when your messages involve protected health information. A genuinely generic message with no identifying health details ("Your appointment is tomorrow at 2 PM," no clinic name, no provider name, no condition or treatment reference) is generally considered low-risk. However, because the threshold for PHI is easy to cross inadvertently, most healthcare compliance advisors recommend using a HIPAA-supported platform for all patient communication rather than making case-by-case judgments about what does and does not constitute PHI.

Does TCPA apply to advocacy and legislative action messages from nonprofits?

Yes, for most nonprofit advocacy messaging. The narrow TCPA exemption for certain political messages applies to communications from candidates or campaign committees about elections, not to issue-based advocacy, calls to action on legislation, or voter registration drives conducted by nonprofits. If your organization uses SMS for any advocacy purpose, TCPA-compliant consent is required.