Share this article on:
The Federal Communication Commission has issued a Declaratory Ruling and Order to clarify the rules regarding HIPAA and patient telephone calls.
Some healthcare providers have had trouble understanding the rules regarding HIPAA and patient telephone calls, and how the rules comply with the Telephone Consumer Protection Act (TCPA). Now, 19 years and 24 years after the respective Acts were introduced, the Federal Communications Commission (FCC) has issued a Declaratory Ruling and Order to clear up any confusion.
The ruling clarifies the rules regarding HIPAA and patient telephone calls made by covered entities and their Business Associates. The ruling also exempts covered entities and Business Entities from certain TCPA legislation in certain circumstances.
Rules Regarding HIPAA and Patient Telephone Calls
The FCC´s order clarifying the rules regarding HIPAA and patient telephone calls states that, if a patient provides a contact telephone number to a healthcare provider, the provision of that telephone number constitutes express consent for telephone calls to be made, subject to certain HIPAA restrictions. Consent applies to calls and text messages related to:
- The provision of medical treatment.
- Health checkups.
- Appointments and reminders.
- Lab test results.
- Pre-operative instructions.
- Post discharge follow up calls.
- Notifications about prescriptions.
- Home healthcare instructions.
- Hospital pre-registration instructions.
When a telephone call is made, healthcare providers must first provide their name and contact details. The FCC recommends that calls should be concise, and limited, in most cases, to 60 seconds. In the case of text messages, they should be restricted to 160 characters. The frequency of communications is also restricted. Patients should only ever receive a maximum of three calls per week, and only one text message per day is acceptable.
The content of all communications is still subject to certain HIPAA restrictions – for example the Minimum Necessary Rule. Calls can only be made for the purposes described above, and cannot include any telemarketing, advertising or solicitation. Some telephone calls and text messages exempted from TCPA Rules are still subject to certain restrictions:
- Telephone calls and text messages must not be charged to the client, or counted against plan limits, and those calls can only be made to the wireless telephone number provided by the patient.
- Patients may have given prior express consent to receive voice calls and text messages, but that consent can be rescinded. Patients should be reminded of that fact and given a means of opting out of future communications.
- If a message be left on an answering machine, patients should be provided with a toll-free telephone number to contact their healthcare provider.
- Calls are still subject to TCPA rules if made regarding Social Security disability eligibility, payment notifications, debt collections, accounting issues and other financial matters.
The FCC´s Declaratory Ruling and Order to clarify the rules regarding HIPAA and patient telephone calls also covers the provision of prior express consent by a third party, such as when a patient is incapacitated. If consent cannot be provided by a patient due to incapacity, the FCC will allow a third party to provide that consent, but only when the patient is incapable of doing so personally. Should a patient recover the ability to provide consent personally, the consent provided by the third party would no longer be valid and the healthcare provider would be required to obtain consent from the patient.
HIPAA Compliant Automated Calls to Patients
An area in which the ruling still leaves a little ambiguity is HIPAA compliant automated calls to patients. Although going into great depth about what constitutes an autodialing device, the FCC ruling does little to reconcile HIPAA compliance with the 2013 ban on telephone calls and text messages to mobile phones from an automatic dialing system.
Prior to the ban, consent could be inferred by an existing relationship between the sender and the recipient (the healthcare provider and the patient). From October 16 2013 onwards, the FCC requires prior written, unambiguous consent from the individual receiving calls on a mobile phone from an autodialing device.
Although an exemption was made for HIPAA compliant automated calls to patients´ landlines, healthcare providers should continue to avoid liability for breaches of TCPA by asking their patients for written consent to receive messages on the mobile phones that may have been generated by an autodialing device.
Ironically, automated appointment reminders send to mobile devices via a third-party texting service are allowed under the FCC ruling provided that the texting service provider signs a Business Associate Agreement (BAA). It is hoped that the situation regarding HIPAA compliant automated calls to patients will be clarified in the near future.
Full details of the ruling can be viewed here.
Update: In April 2021, the Supreme Court ruled certain types of automatic dialing systems that do not have the capacity to store or produce a telephone number using a random or sequential number generator do not meet the statutory definition of autodialing devices.
While this ruling allows companies with these types of automatic dialing systems to make unsolicited calls and send unsolicited texts to mobile devices, Congress has promised to draft new legislation to close this loophole in the Telephone Consumer Protection Act.
Due to likely future changes in the HIPAA telephone rules, Covered Entities are advised to continue asking patients for written consent before making unsolicited calls or sending unsolicited text messages to a mobile phone from an autodialing device.