Ensure your Twilio account is on an eligible plan (HIPAA-eligible products include Programmable SMS, Programmable Voice, and Verify); contact Twilio to execute a Business Associate Agreement (BAA) before transmitting any PHI.
Restrict PHI in message content to the minimum necessary; where possible, use tokenized links or appointment references rather than including full names, diagnoses, or dates of birth in message bodies.
Enable Twilio's Advanced Opt-Out and Message Delivery Logging features only where permitted by your BAA scope; disable message logging in the Twilio console if logs would store PHI beyond retention limits.
Use HTTPS for all webhook callbacks from Twilio to your server and validate the X-Twilio-Signature header on every inbound request to prevent spoofed callbacks.
Store Twilio Auth Tokens and API Keys in a secrets manager, not in source code; use API Keys rather than the master Auth Token for application-level access.
Implement patient consent tracking for SMS communications: record explicit opt-in consent, honor STOP opt-out replies immediately, and maintain consent audit logs.
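The two checklist items above that involve code, validating `X-Twilio-Signature` on every inbound webhook and honoring STOP/START replies with an audit trail, can be demonstrated in one inbound-SMS handler. The following is an added example, not code from the page or from Twilio; it recomputes the signature with the algorithm Twilio documents (full request URL, then POST parameters appended as key+value in key-sorted order, HMAC-SHA1 keyed with the auth token, base64-encoded) rather than using the `twilio` package, so it runs offline. The auth token, URL, phone numbers and the `ConsentStore` class are all constructed for the example; in production the token comes from a secrets manager (see item 5) and the store would be a database table.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed placeholder; a real auth token must come from a secrets manager.
AUTH_TOKEN = "example-auth-token-not-real"

# Keywords Twilio treats as opt-out / opt-in; the handler honors them itself as well.
OPT_OUT_KEYWORDS = {"STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}
OPT_IN_KEYWORDS = {"START", "YES", "UNSTOP"}


def compute_twilio_signature(auth_token: str, url: str, params: dict) -> str:
    """Recompute the X-Twilio-Signature value for a webhook request.

    Twilio's documented scheme: concatenate the full URL (including any query
    string) with every POST field as key+value in key-sorted order, HMAC-SHA1
    the result with the account auth token, and base64-encode the digest.
    """
    data = url + "".join(k + params[k] for k in sorted(params))
    digest = hmac.new(auth_token.encode("utf-8"), data.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def is_valid_twilio_request(auth_token: str, url: str, params: dict, signature_header: str) -> bool:
    """Constant-time comparison against the header value; an absent header fails."""
    expected = compute_twilio_signature(auth_token, url, params)
    return hmac.compare_digest(expected, signature_header or "")


@dataclass
class ConsentStore:
    """Hypothetical consent record plus append-only audit log (in-memory for the example).

    The audit log records the event, not the message body, so the log itself
    never accumulates PHI beyond the phone number and the consent decision.
    """
    consent: dict = field(default_factory=dict)      # phone -> True (opted in) / False (opted out)
    audit_log: list = field(default_factory=list)

    def _record(self, phone: str, event: str, source: str) -> None:
        self.audit_log.append({
            "phone": phone,
            "event": event,
            "source": source,
            "at": datetime.now(timezone.utc).isoformat(),
        })

    def opt_in(self, phone: str, source: str) -> None:
        self.consent[phone] = True
        self._record(phone, "opt_in", source)

    def opt_out(self, phone: str, source: str) -> None:
        self.consent[phone] = False
        self._record(phone, "opt_out", source)

    def may_send(self, phone: str) -> bool:
        # Default deny: no recorded consent means no outbound SMS.
        return self.consent.get(phone, False)


def handle_inbound_sms(store: ConsentStore, auth_token: str, url: str,
                       params: dict, signature_header: str) -> tuple:
    """Webhook handler: reject unsigned/forged callbacks, then apply opt-out/opt-in."""
    if not is_valid_twilio_request(auth_token, url, params, signature_header):
        # Spoofed callback: do not touch consent state, do not process the body.
        return (403, "invalid signature")
    sender = params.get("From", "")
    keyword = params.get("Body", "").strip().upper()
    if keyword in OPT_OUT_KEYWORDS:
        store.opt_out(sender, "sms-keyword")
        return (200, "opted out")
    if keyword in OPT_IN_KEYWORDS:
        store.opt_in(sender, "sms-keyword")
        return (200, "opted in")
    return (200, "ok")


if __name__ == "__main__":
    # Constructed sample callback: a patient who opted in via a web form texts STOP.
    store = ConsentStore()
    store.opt_in("+15005550006", "web-form")
    url = "https://example.invalid/sms/inbound"
    params = {"From": "+15005550006", "To": "+15005550001", "Body": "STOP"}
    good_sig = compute_twilio_signature(AUTH_TOKEN, url, params)
    print(handle_inbound_sms(store, AUTH_TOKEN, url, params, good_sig), store.may_send("+15005550006"))
    print(handle_inbound_sms(store, AUTH_TOKEN, url, params, "forged"))
```

The URL passed to the validator must be exactly the one Twilio requested (scheme, host, port and query string included), which is why a proxy that rewrites `https` to `http` or strips the query string will cause every genuine callback to fail validation; fix the proxy rather than relaxing the check.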
Known gotchas
A Twilio BAA does not automatically cover all Twilio products or add-ons; review the BAA scope carefully—some features like Twilio Insights or third-party add-ons may be excluded and must not process PHI.
Twilio message logs in the console are stored by default and visible to Twilio staff; if messages contain PHI, configure log retention or disable logging per your BAA terms.
Carrier-level filtering can silently drop SMS messages that appear to be healthcare or pharmaceutical content; test delivery rates and consider using a dedicated short code or toll-free number registered for healthcare use.