Top 10 HIPAA-Compliant Messaging Apps (2026): I Tested Them All So You Don't Have To

May 29, 2026

I've spent the better part of the last four years immersed in HIPAA compliance. Not in a purely academic way — though I do hold HIPAA certification and spent time at university with my head buried in mathematical models — but in a practical, operational way. Before joining Qwil, I worked directly with healthcare businesses on their software processes, sitting with practice managers, clinical coordinators, and IT teams trying to untangle what compliance actually looked like in day-to-day communication.

What I found, again and again, was the same thing: a gap between what the regulations required and what people were actually doing. Staff texting patient appointment details over WhatsApp. A GP practice using a shared Gmail account to coordinate referrals. A multi-site clinic where different departments had adopted completely different tools — none of them HIPAA-compliant — because nobody had ever made a platform-wide decision.

So when I started writing about HIPAA-compliant messaging at Qwil, I made a point of actually testing the platforms I was writing about. Not just signing up, clicking around for twenty minutes, and writing marketing copy. I mean putting each platform through the scenarios I'd seen healthcare teams struggle with: patient onboarding friction, audit log export, BAA acquisition, admin role configuration, what happens when you try to share a document with a patient who hasn't installed the app yet.

This listicle is the result of that testing. Ten platforms. Dozens of hours. A lot of BAA requests. Here is what I found.

What "HIPAA-Compliant" Actually Means — And Why It's Harder Than You Think

Before I get into the list, I want to address something that frustrated me every time I encountered it during testing: platforms that claim HIPAA compliance without actually delivering it.

HIPAA compliance for a messaging platform isn't a certificate you earn once. It's a combination of technical controls (encryption at rest and in transit, audit logging, access controls, remote wipe), contractual commitments (a signed BAA), and operational practices (breach notification, user authentication, retention policies). Every single one of those components has to be in place. An app that encrypts messages but won't sign a BAA is not HIPAA-compliant. An app that signs a BAA but stores data on EU servers isn't either.

I tested each platform below against the full checklist — not just the headline security features, but the compliance infrastructure around them. How easy was it to get a BAA? How detailed were the audit logs? What was the admin experience for managing access controls? Could I actually export my audit trail without calling support?

Those details are what separate a platform that appears compliant from one that actually protects you in an HHS investigation.

Quick Comparison

App | Best For | Patient App Required? | Starting Price
1. Qwil Messenger | Client-facing teams & branded external comms | No (Seamless web/app) | Free trial available
2. TigerConnect | Large hospital systems & clinical workflows | Yes | ~$8–15 / user / month
3. Spruce Health | Solo & small practices (All-in-one inbox) | No (Web link option) | $24 / month
4. OhMD | Patient texting with zero friction | No (SMS web link) | $300 / month
5. Klara | Patient communication & digital intake | No (Web portal) | ~$300 / month
6. Imprivata Cortext | Enterprise teams with existing Imprivata SSO | N/A (Internal only) | Free tier available
7. PerfectServe | Large health systems & complex on-call scheduling | Yes | Custom quote
8. Luma Health | Multi-location clinics & AI scheduling | No | Custom quote
9. Hypercare | Care coordination & strict escalation workflows | N/A (Internal only) | Custom quote
10. OnPage | Critical clinical alerting & paging replacement | N/A (Internal only) | Custom quote

1. Qwil Messenger — Best For Client-Facing Teams And Branded External Communication

I'll be transparent: I work at Qwil. But I'm leading with it because it genuinely solves a problem none of the other platforms on this list address as well — and if you're a healthcare practice or client-facing professional firm communicating outward with patients and clients, that distinction matters more than anything else.

Here's the thing I kept running into when testing the other platforms: almost all of them are built for internal clinical communication. Care team to care team. Nurse to physician. The patient is either an afterthought or a passive recipient of reminders. When I looked at the patient-facing side of platforms like TigerConnect or Imprivata Cortext, I'd consistently find the experience clunky — patients being asked to download an app they've never heard of, create an account through a generic third-party interface that has nothing to do with the practice they're seeing, and then figure out two-factor authentication before they can read a message about their next appointment.

The engagement drop-off is significant. I've spoken with practice managers who told me patient adoption on their "secure portal" sat at under 30%. Patients would receive the link, not bother signing up, and call the front desk anyway. All that investment in compliance infrastructure, for no actual change in behaviour.

Qwil approaches this differently. The platform is white-labelled — patients and clients experience a branded environment with your logo, your name, your colour scheme. It feels like your app, not a generic compliance tool. In my testing, the onboarding flow for a new patient was notably smoother than any of the dedicated clinical platforms. And once they're in, the app keeps them logged in — more like a banking app than a portal, which is exactly how patients expect to interact with things on their phones.

Beyond the UX, the compliance infrastructure is where I work and where I can speak most precisely. Qwil encrypts all data end-to-end. The audit trail is comprehensive and exportable without vendor involvement — I tested this by pulling a log export directly from the admin panel, and every message event, document access, and login was captured cleanly. The BAA process was straightforward: it's offered as standard, not gated behind an enterprise tier.

The feature set also genuinely replaces multiple tools. During testing I was able to send a document, have it signed via e-signature, book a follow-up appointment via the integrated scheduler, and run a video call — all without leaving the platform. For a healthcare practice that currently uses separate tools for each of those things, the consolidation alone is significant.

Where Qwil is not the answer: if your primary need is internal clinical alerting, on-call escalation management, or deep EHR integration within a large hospital system, there are purpose-built tools further down this list that do those things better. Qwil's strength is the full communication relationship with the external party — patient or client.

Key features: End-to-end encrypted messaging (1:1 and group) · White-labelled branded environment · Document sharing and drag-and-drop file transfer · In-app e-signatures · Video calling · Appointment scheduler · Exportable audit trail · Role-based access controls · SDK for embedding in existing platforms · BAA as standard · US data hosting available

What I found when testing:

  • BAA: Offered as standard. Straightforward to request.
  • Audit log export: Clean, complete, exportable without support assistance.
  • Patient onboarding friction: The lowest of any platform I tested.
  • Admin configuration: Intuitive role and permission management.
  • Weak spot: On-call escalation logic is not Qwil's focus.

Pricing: Free trial available. Contact for full pricing.

2. TigerConnect — Best For Large Hospital Systems And Clinical Teams

TigerConnect is the platform I'd recommend to anyone running a large, complex healthcare organisation who asks me "what is everyone else using?" It has the deepest market penetration of any platform on this list within mid-to-large hospital networks, and that track record matters.

When I tested TigerConnect, I came in expecting a polished enterprise product and got exactly that — with all the complexity that implies. The role-based messaging is genuinely sophisticated: rather than messaging an individual, you message a role ("on-call cardiologist") and the system routes based on who currently holds that assignment. During testing I simulated a shift-handover scenario and the routing worked cleanly. That is exactly the kind of clinical workflow feature that prevents the "I texted the wrong person" scenarios I'd heard about from administrators.

The EHR integration stood out. I tested the configuration against a sandbox EHR environment and found that patient context surfaced meaningfully within conversation threads — relevant data available at the point of communication rather than requiring the clinician to switch contexts. For high-volume clinical environments, that saves real time and reduces errors.

That said, there's a reason TigerConnect appears at number two rather than number one for the purposes of this article: the patient-facing experience. When I went through the patient onboarding flow, it felt like a product designed by people who think about clinical staff, not patients. There were multiple steps, the interface wasn't branded to any specific practice, and the overall experience lacked the warmth you want when a patient is already stressed about their health. If patient engagement and adoption is your primary concern, this is a real limitation.

The pricing is also a significant consideration. Enterprise contracts for TigerConnect are not small. For large health systems with existing IT infrastructure and dedicated implementation teams, the investment is justifiable. For a 10-person clinic, it's almost certainly overkill.

Key features: Secure text, voice, and video · Role-based and on-call messaging · EHR integration · Delivery and read confirmation · Broadcast messaging · Image, video, and file sharing · Physician scheduling · Audit trail and compliance reporting

What I found when testing:

  • BAA: Available. Standard enterprise process.
  • Audit log export: Comprehensive, with reporting dashboard.
  • Patient onboarding friction: Higher than I expected — multiple steps, generic interface.
  • Admin configuration: Powerful but complex; expect a learning curve.
  • Weak spot: Patient-facing UX is a clear second priority to internal clinical workflows.

Pricing: Approximately $8–$15 per user/month for core modules. Enterprise quotes vary.

3. Spruce Health — Best For Solo Providers And Small Practices

Spruce was the platform that surprised me most during this testing cycle. I went in expecting a basic, budget compliance tool and came out genuinely impressed by what $24 a month delivers.

The thing Spruce does better than almost anyone on this list is consolidation. One of the consistent problems I encountered when speaking with small practice owners — GPs, therapists, independent specialists — was tool fragmentation. They had a phone system, a separate fax service, a video call tool for telehealth, a texting platform for reminders, and maybe a patient portal for documents. Each one logged in separately. Each one billed separately. Each one creating a potential gap where PHI could slip through an unprotected channel.

Spruce collapses all of that into a single inbox. During testing, I received a patient voicemail, responded with a secure text, sent a clinical questionnaire, and joined a video call — all from the same interface, all HIPAA-compliant, all logged. For a solo practitioner who doesn't have an IT team to manage separate platforms, this is genuinely transformative.

The unified team inbox also solves a coordination problem I hadn't expected to find in a small-practice tool. Multiple staff members — a GP and a practice administrator, for example — can both see incoming patient requests, assign conversations to the right person, and respond without messages falling through the cracks. That's a basic collaborative feature that surprisingly many "solo-focused" tools don't offer.

My one frustration during testing was with the tiered feature model. Phone trees and after-hours routing — features that matter a lot for a practice trying to manage out-of-hours patient contact compliantly — are locked behind the $49 Communicator plan. The jump from Basic to Communicator is significant for a solo practitioner who only needs one or two of those additional features. I'd like to see more flexibility there.

Key features: HIPAA-compliant messaging and video telemedicine · VoIP business phone with phone trees · Electronic fax · Unified team inbox · Clinical questionnaires · Rotation scheduling · Bulk messaging and saved templates · EHR integrations (higher tiers) · Mobile payments

What I found when testing:

  • BAA: Included. Clear process.
  • Audit log export: Available and clean.
  • Patient onboarding friction: Low — patients receive a link, no mandatory app download.
  • Admin configuration: Surprisingly capable for the price point.
  • Weak spot: Best features require the higher-tier plan; the jump feels steep for solo users.

Pricing: Basic from $24/month. Communicator from $49/month. Free trial available.

4. OhMD — Best For Patient-To-Provider Texting Without App Friction

The single most common barrier I've seen to patient adoption of secure messaging platforms is the app download requirement. It sounds trivial. In practice, it's the difference between a patient reading their appointment reminder and a patient ignoring it. I've seen practice managers report adoption rates below 30% for platforms that required a full app download and account creation. For an older demographic, or for patients who are already anxious and just want a quick answer to a simple question, being told to download yet another app is enough to make them pick up the phone instead.

OhMD solves this problem more elegantly than any other platform I tested. When you send a patient a message through OhMD, they receive an SMS with a secure link. They click it, they're in. No app download. No account creation. The message is delivered through a HIPAA-compliant web interface that works on any device, and the practice's end remains fully audit-logged and encrypted. It is, genuinely, as frictionless as non-compliant SMS — but compliant.

During testing, I ran an end-to-end patient onboarding scenario. I received a message from "the practice" (myself, in a test account) within seconds of signing up as a patient, clicked the link, read the message, and replied — all without ever touching an app store. That experience is exactly what practices need if they want to stop patients defaulting to calling the front desk for every query.

The EHR integration depth also impressed me. OhMD connects natively with Epic, Cerner, and Athenahealth — the three systems that dominate outpatient settings. This isn't a generic API connector; it's native integration that allows real-time scheduling data to flow between systems.

The limitation I kept running into was scale. OhMD is excellent for the patient relationship, but it's not built for complex internal clinical communication. There's no on-call scheduling, no critical alerting, no escalation logic. For a small outpatient clinic, that's fine. For a hospital needing both internal and external communication solved in one platform, you'd need to pair OhMD with something else.

Key features: App-free patient texting via web link · HIPAA-compliant two-way messaging · Appointment reminders, follow-ups, and intake forms · Provider-to-provider messaging · Video visits · Native Epic, Cerner, and Athenahealth integration · Patient broadcast messaging · iOS, Android, and web access

What I found when testing:

  • BAA: Available, standard process.
  • Audit log export: Present and functional.
  • Patient onboarding friction: The lowest of any platform I tested, including Qwil.
  • Admin configuration: Simple and accessible for non-technical users.
  • Weak spot: Not designed for internal clinical workflows or hospital-level escalation.

Pricing: Starting at $300/month.

5. Klara — Best For Patient Communication And Digital Intake

Klara made immediate sense to me the moment I started testing it, because it's clearly been designed by people who have spent time watching front-desk staff work. The centralised inbox, the assignment routing, the way incoming patient messages can be triaged to the right team member — all of it reflects a real understanding of how a busy medical practice actually operates.

What sets Klara apart from OhMD in the patient communication space is the depth of the intake and workflow automation. During testing, I configured a patient onboarding flow that sent an intake form before an appointment, followed up with a reminder, collected pre-visit information, and triggered a post-visit survey — all automated, all HIPAA-compliant, all logged. That kind of structured communication workflow is something I've seen practices spend significant staff time managing manually. Klara automates most of it.

The team inbox functionality is the operational standout. Unlike tools where messages land in individual inboxes and get missed during busy periods, Klara routes everything to a shared team queue. Staff can see what's been actioned, what's waiting, and who has been assigned what. In a multi-provider practice with multiple admin staff, that visibility is the difference between a well-run communication operation and chaos.

My honest criticism of Klara during testing was the pricing transparency — or lack of it. Getting clear pricing figures required a demo call. For a practice manager trying to evaluate options without committing to a sales conversation, that friction is unnecessary. The platform is strong enough to speak for itself without hiding the price.

Key features: HIPAA-compliant two-way patient messaging · Digital patient intake and electronic forms · Appointment reminders and follow-up automation · Centralised team inbox with assignment and routing · Video telemedicine · Practice management system integrations · Patient reviews and reputation management

What I found when testing:

  • BAA: Available.
  • Audit log export: Present; required some navigation to locate.
  • Patient onboarding friction: Low — web-based access, no mandatory app.
  • Admin configuration: Well-designed for front-desk and coordinator users.
  • Weak spot: Pricing not publicly listed; requires a demo call to get figures.

Pricing: Starting approximately $300/month. Contact for full pricing.

6. Imprivata Cortext — Best For Enterprise Hospitals Already In The Imprivata Ecosystem

I want to be honest about something: Imprivata Cortext is not the platform I would recommend if you're starting fresh and evaluating options independently. But if your organisation already uses Imprivata for identity management — which a significant number of large US hospital systems do — then Cortext becomes a very compelling proposition by virtue of the integration it provides.

During testing, the single sign-on experience within the Imprivata ecosystem was the smoothest I encountered. Staff authenticate once via their existing Imprivata credentials and move directly into secure messaging without a separate login. In a clinical environment where time is measured in minutes and login friction has real consequences for whether staff use a compliant tool or default to their personal phone, that seamlessness matters.

The audit trail is immutable and exceptionally detailed — a reflection of Imprivata's enterprise security background. During testing I tried to locate a gap in the event logging and couldn't find one. Every message event, file access, login attempt, and administrative change was captured and time-stamped. For organisations that have been through HHS audits or OCR investigations, that level of logging integrity is not a nice-to-have.

The free tier surprised me. For smaller deployments or organisations wanting to evaluate the platform before committing to enterprise licensing, having a functional free tier is a genuine differentiator. Most enterprise-grade clinical communication platforms don't offer anything free.

The honest downside: Cortext is not designed for patient-facing communication, and the interface reflects that. It's built for clinicians who need to communicate efficiently with other clinicians. Anything beyond that use case and you'd need a separate tool.

Key features: Secure clinical messaging with delivery and read confirmation · Role-based access controls · Immutable audit trail · EHR and SSO integration via Imprivata platform · Multimedia messaging · Group messaging and broadcast · Mobile and desktop access · Free tier available

What I found when testing:

  • BAA: Available as part of enterprise agreement.
  • Audit log export: The most complete and tamper-evident of any platform I tested.
  • Patient onboarding friction: N/A — not designed for patient-facing use.
  • Admin configuration: Complex; assumes existing Imprivata infrastructure knowledge.
  • Weak spot: Full value requires existing Imprivata investment; standalone adoption is harder to justify.

Pricing: Free tier available. Enterprise pricing on request.

7. PerfectServe — Best For Large Health Systems And Intelligent Message Routing

The problem that PerfectServe is solving is one that took me a while to fully appreciate, because it's not obvious until you've watched how a large hospital actually communicates in real time. The problem is this: knowing who to contact, right now, for this specific clinical question.

In a large health system, that answer changes by the hour. The attending on service this morning is now in theatre. The on-call resident has handed over to a different team. The specialist you need has just become available. Without intelligent routing, a nurse spends valuable time chasing down who is currently responsible — often through a combination of a whiteboard, a bleep system from the 1980s, and personal mobile numbers shared in a group WhatsApp chat that is, of course, entirely non-compliant.

PerfectServe's routing intelligence addresses this directly. During testing I configured a role-based escalation scenario and found that the system correctly directed messages based on current on-call assignments, including a handover mid-test. That real-time awareness of who is available and in what capacity is PerfectServe's clearest differentiator.

The platform is firmly positioned at large organisations, and the complexity of implementation reflects that. I would not attempt to deploy PerfectServe without dedicated IT and project management resource. The implementation process is substantial. For the right organisation, the result justifies the investment. For a mid-sized practice, the overhead would be disproportionate.

Key features: Secure messaging, voice, and video · Intelligent on-call scheduling and message routing · EHR integration and workflow automation · Care team communication across departments · Patient and family communication tools · Analytics and compliance reporting · Alarm management integration

What I found when testing:

  • BAA: Available as part of enterprise agreement.
  • Audit log export: Comprehensive with analytics dashboard.
  • Patient onboarding friction: Moderate — better than TigerConnect for patients, but not a strength.
  • Admin configuration: Powerful; requires dedicated implementation resource.
  • Weak spot: Firmly enterprise-oriented; implementation complexity and cost rule it out for smaller organisations.

Pricing: Custom quote only.

8. Luma Health — Best For Multi-Location Practices And AI-Powered Patient Engagement

I tested Luma Health specifically on its AI-driven scheduling automation, because that's the capability that distinguishes it from the other patient communication platforms on this list. I ran a simulated appointment cancellation scenario and watched Luma's waitlist fill sequence activate: the system identified eligible waitlisted patients based on appointment type, provider, and availability, and sent confirmations — without me doing anything after the initial configuration.

For a multi-location specialty practice managing hundreds of appointments across multiple providers, the time saving is substantial. The administrative overhead of manually managing cancellations and filling gaps from a waitlist is one of the things I've seen consume disproportionate coordinator time. Luma automates the majority of it.

The key caveat — and this is important — is that the automation is only as good as your underlying data. During testing, when I introduced deliberately messy patient records (duplicated entries, incomplete appointment types), the automation produced errors. Luma is explicit about this: the system works when your data is clean and consistently maintained. For practices with fragmented legacy data, a data hygiene exercise is a prerequisite.

The integration library is the largest of any platform I tested — over 70 EHR and practice management systems. That breadth matters for multi-location organisations where different sites may be running different systems.

Key features: HIPAA-compliant secure patient messaging · AI-powered appointment scheduling and waitlist management · Automated reminders, confirmations, and follow-ups · Integration with 70+ EHR and practice management systems · Digital patient intake · Broadcast and bulk messaging · Patient self-scheduling · Analytics and reporting

What I found when testing:

  • BAA: Available.
  • Audit log export: Present.
  • Patient onboarding friction: Low.
  • Admin configuration: Requires careful setup of scheduling rules for automation to work correctly.
  • Weak spot: Automation quality is heavily dependent on data quality; not suited to practices with messy records.

Pricing: Custom quote. Contact Luma Health for pricing.

9. Hypercare — Best For Care Coordination And Clinical Escalation Workflows

Hypercare is the platform I'd put in front of any clinical governance lead who has ever sat in a post-incident review and heard "the message was sent, but the response was delayed" as a contributing factor to a poor patient outcome. Because that is precisely what Hypercare is designed to prevent.

The escalation logic is the most sophisticated I tested. When I configured an urgent message and deliberately failed to acknowledge it, the platform escalated exactly as specified — to the secondary contact within the defined window, then to the tertiary contact, with each escalation logged and time-stamped. The persistent notification continued until acknowledgement was confirmed. The whole sequence was auditable in real time.

That sounds like a niche feature. In practice, it's a patient safety mechanism. The difference between a critical message that gets acknowledged within three minutes and one that sits unread for forty minutes because the recipient was scrubbed in surgery can be clinically significant. Hypercare closes that gap.

I'd place Hypercare below TigerConnect and PerfectServe on this list not because the product is weaker, but because it serves a more specific need. If structured escalation and care coordination safety is your primary driver, Hypercare is the best tool I tested for that specific problem. If you need a broader clinical communication platform with EHR integration and scheduling, TigerConnect or PerfectServe give you more breadth.

Key features: Secure clinical messaging with acknowledgement tracking · Configurable escalation workflows · On-call scheduling and shift management · Role-based group messaging · Patient-specific communication threads · Audit trail and compliance logging · EHR integration · Broadcast alerts

What I found when testing:

  • BAA: Available.
  • Audit log export: Detailed, with escalation event tracking.
  • Patient onboarding friction: Not a patient-facing platform.
  • Admin configuration: Escalation configuration requires careful setup but is well-documented.
  • Weak spot: Narrower use case than full clinical collaboration platforms; patient communication not a strength.

Pricing: Custom quote.

10. OnPage — Best For Critical Alerting And On-Call Escalation In Smaller Teams

OnPage occupies an interesting position on this list — it's the most focused platform here, doing one thing exceptionally well rather than trying to be a comprehensive clinical communication solution.

That one thing is guaranteed message delivery for critical alerts. During testing, I was struck by how simple the core experience was compared to the enterprise platforms higher on the list. Setting up an on-call rotation, configuring an escalation sequence, and sending a test alert took a fraction of the time it took to configure equivalent features in TigerConnect or PerfectServe. The persistent notification — repeating with increasing urgency until acknowledged — did exactly what it said it would do.

What makes OnPage particularly relevant for this list is that it's not exclusively for large hospital systems. Healthcare answering services, smaller clinical teams, and practices that have one specific pain point — "urgent messages sometimes don't get through to the right person fast enough" — can deploy OnPage without the overhead of an enterprise implementation. The pricing reflects this: the entry point is accessible, and there's a free trial.

I'd be honest that OnPage is not a complete patient communication solution, and it's not trying to be. If you need secure messaging with patients, intake workflows, or document sharing, you'd need to pair it with another platform. But as a targeted solution to clinical alerting and on-call escalation, especially for teams that don't need the full complexity of TigerConnect or PerfectServe, it earns its place on this list.

Key features: Persistent HIPAA-compliant alerting with escalation · On-call scheduling and rotation management · Secure messaging with delivery and read confirmation · Integrations with clinical systems and answering services · iOS and Android apps · Audit trail and reporting · Group paging and broadcast alerts

What I found when testing:

  • BAA: Available.
  • Audit log export: Present; less detailed than enterprise platforms.
  • Patient onboarding friction: N/A — not patient-facing.
  • Admin configuration: The simplest and fastest of any platform I tested.
  • Weak spot: Narrow feature set; not a full clinical communication replacement.

Pricing: Custom quote. Free trial available.

My Honest Take After Testing All Ten

A few observations that didn't fit neatly into any individual review.

The BAA process is a surprisingly good signal of a vendor's compliance maturity. During this testing process I encountered one platform (not on this final list) that asked me to confirm I had read their BAA as part of the general terms of service sign-up — without actually sending me the document. When I flagged this and asked for the actual BAA, I waited four days and received a generic template that hadn't been updated to reflect current HIPAA requirements. That platform didn't make the cut. How a vendor handles the BAA request tells you a lot about how seriously they take their responsibilities as your business associate.

Encryption claims deserve scrutiny. Three of the platforms I evaluated in early testing described themselves as "end-to-end encrypted" in their marketing materials. When I dug into the technical documentation, two of them were encrypting data in transit but decrypting at the server before re-encrypting for storage. That means the vendor can, theoretically, read your messages. It is not end-to-end encryption in the meaningful sense. Always ask for technical documentation, not just marketing copy.

The patient experience gap is real and underappreciated. Most clinical messaging platforms are built for the provider side. The patient experience is frequently an afterthought, and the adoption consequences are significant. If patients won't use the platform — because it's too many steps, too unfamiliar, too disconnected from the practice they know — then your investment in compliance infrastructure produces no actual change in behaviour. PHI continues to move over unprotected channels because that's what patients defaulted to. The platforms that take the patient experience seriously (Qwil, OhMD, Spruce) consistently showed higher simulated adoption in my testing scenarios.

For most healthcare practices and client-facing professional firms, the right answer is simpler than the market makes it seem. You don't need hospital-grade enterprise infrastructure to be HIPAA-compliant. You need encryption, a BAA, an audit trail, and access controls — delivered in a platform your staff and patients will actually use. Start there.

Which Platform Is Right For You?

Solo practitioner or small practice (under 10 providers): Start with Spruce Health. Best value, all-in-one, easy to set up without IT support.

Outpatient clinic focused on patient messaging and reducing phone volume: OhMD for its app-free patient experience and deep EHR integration, or Klara if digital intake and workflow automation are your priorities.

Healthcare practice or professional services firm needing branded external communication with patients or clients: Qwil Messenger. The only platform on this list purpose-built for that use case.

Large hospital or health system: TigerConnect for the broadest clinical collaboration feature set. PerfectServe if on-call routing intelligence is your primary need. Imprivata Cortext if you're already invested in the Imprivata identity platform.

Multi-location specialty practice with high appointment volume: Luma Health — but only after a data quality audit.

Any organisation with documented clinical communication delays contributing to adverse events: Hypercare or OnPage, depending on whether you need broad care coordination or targeted critical alerting.

The Non-Negotiable Pre-Launch Checklist

Regardless of which platform you choose:

  • BAA signed and in place before any PHI enters the system
  • AES-256 encryption at rest confirmed in technical documentation (not just marketing copy)
  • TLS 1.2+ encryption in transit confirmed
  • Audit logs retained for minimum six years
  • Audit logs exportable without vendor assistance
  • Role-based access controls configured
  • MFA enforced organisation-wide — no user opt-out
  • Remote wipe enabled for all mobile devices
  • US data hosting confirmed
  • Patient consent documented before first message
  • Staff training completed and acceptable use policy signed

If any of those boxes aren't checked, you're not compliant — regardless of what the platform's website says.
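
One way to run the audit-log items on this checklist against a vendor's export, as an added example that is not part of the original article or any vendor's tooling. The CSV column names, event-type labels and sample rows are constructed assumptions; map them to the fields your platform actually exports.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample export (not real data). Column names are assumptions.
SAMPLE_EXPORT = """timestamp,actor,event_type,target
2026-05-01T09:00:02Z,dr.lee,login,-
2026-05-01T09:01:10Z,dr.lee,message_sent,thread-17
2026-05-01T09:03:44Z,patient-204,document_access,consent-form.pdf
2026-05-01T09:05:00Z,,message_sent,thread-17
2026-05-01T09:04:30Z,admin.kim,admin_change,role:coordinator
not-a-date,dr.lee,login,-
"""

# Event categories a complete trail should contain: logins, message events,
# document access and administrative changes. The labels are assumptions.
REQUIRED_EVENT_TYPES = {"login", "message_sent", "document_access", "admin_change"}

# Six years expressed in days, allowing for up to two leap days in the span.
MIN_RETENTION_DAYS = 6 * 365 + 2


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2026-05-01T09:00:02Z, or return None."""
    try:
        parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return parsed.replace(tzinfo=timezone.utc)


def review_export(csv_text, retention_days):
    """Check an exported audit log against the audit-related checklist items.

    retention_days is the retention period configured (or contractually stated)
    for the platform; it is supplied by the reviewer, not read from the export.
    """
    row_findings = []
    seen_types = set()
    latest = None

    reader = csv.DictReader(io.StringIO(csv_text))
    # Line 1 is the header, so data rows start at line 2.
    for line_no, row in enumerate(reader, start=2):
        ts = parse_ts((row.get("timestamp") or "").strip())
        if ts is None:
            row_findings.append((line_no, "unparseable timestamp"))
        else:
            # An entry older than one already seen means the export is not in
            # chronological order; ask the vendor why before relying on it.
            if latest is not None and ts < latest:
                row_findings.append((line_no, "timestamp earlier than previous row"))
            latest = ts if latest is None else max(latest, ts)

        # An event nobody can be held accountable for is a gap in the trail.
        if not (row.get("actor") or "").strip():
            row_findings.append((line_no, "missing actor"))

        event = (row.get("event_type") or "").strip()
        if event:
            seen_types.add(event)
        else:
            row_findings.append((line_no, "missing event type"))

    missing = sorted(REQUIRED_EVENT_TYPES - seen_types)
    retention_ok = retention_days >= MIN_RETENTION_DAYS
    return {
        "row_findings": row_findings,
        "missing_event_types": missing,
        "retention_ok": retention_ok,
        "passed": not row_findings and not missing and retention_ok,
    }


if __name__ == "__main__":
    report = review_export(SAMPLE_EXPORT, retention_days=365)
    for line_no, problem in report["row_findings"]:
        print(f"line {line_no}: {problem}")
    print("missing event types:", report["missing_event_types"])
    print("retention meets six years:", report["retention_ok"])
    print("export accepted:", report["passed"])
```

Run it on an export you pulled yourself from the admin panel during a trial, after generating at least one event of each category, so a missing category reflects the platform's logging and not an idle test account.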
