Facebook got sued under the Telephone Consumer Protection Act, which puts restrictions on spam callers (according to my cell phone, not nearly enough restrictions!!), for sending texts to members. But the court noted that Facebook used numbers it already knew from members it already had, not randomly generated or sequentially stored numbers. In other words, the TCPA rules don't apply if there's some sort of intelligence or customer-related information that determines who gets the call or text.
This helps providers who want to use patients' cell phone numbers they have to send text reminders, but can't charge for them, must allow opt-out/unsubscribe, and can't do billing, advertising, or marketing that way. That's nice, but the key is you must still comply with HIPAA, and there's a lot of good reasons to say that texting might not be HIPAA-compliant at all.
I don't think texting automatically violates HIPAA, but some patients do. Texting definitely isn't as secure as using encrypted email or a portal -- most people set their phones so they can see the name of the sender and the first line of the most recently received text before unlocking the phone. That means random people picking up the phone can see who sent the text and some of the content. Obviously, that's problematic.
If you're considering this, think about ways to limit your HIPAA exposure. Have the patients sign a consent anyway, making sure they understand the risks before agreeing to accept texts. Allow them to opt out at any time. Make the "sender" name as generic as possible, especially if the provider name is obviously connected to a particular disease. Make sure the first line or two is a generic greeting; the less PHI visible, the better.
There's more, obviously. Definitely something you want competent HIPAA counsel to help you with. So, text me, OK?