FCC Confirms Rules Regarding HIPAA and Patient Telephone Calls
The Federal Communications Commission has issued a Declaratory Ruling and Order to clarify the position on making telephone calls to patients in compliance with HIPAA and TCPA.
In the past, there has been some misunderstanding about making telephone calls to patients in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Telephone Consumer Protection Act of 1991 (TCPA). To resolve any remaining misunderstandings, the American Association of Healthcare Administration Management petitioned the Federal Communications Commission (FCC) to clarify areas of the TCPA rules.
The recently published TCPA Omnibus Declaratory Ruling and Order clarifies the federal government's position on making telephone calls to patients by HIPAA Covered Entities and also exempts Covered Entities from complying with a ban on automated calls to patients' landline telephones. However, questions still remain about automated calls to patients' mobile telephones when not made by a third party service provider with whom a BAA has been signed.
The Federal Position on Making Telephone Calls to Patients
The FCC's Declaratory Ruling and Order states that, if a patient provides a telephone number to a Covered Entity (either landline or mobile), the provision of the number constitutes consent for the Covered Entity to make calls and send SMS text messages to the patient on that number. However, the Covered Entity may only use the telephone number to call or send messages for specific purposes:
- Hospital pre-registration instructions.
- Appointments and reminders.
- Notifications about prescriptions.
- Lab test results.
- The provision of medical treatment.
- Health checkups.
- Pre-operative instructions.
- Post-discharge follow-up calls.
- Home healthcare instructions.
The FCC recommends that, when a Covered Entity calls a patient, the call should start with the Covered Entity identifying themselves, the nature of the call should be made clear immediately, and the call should last no longer than sixty seconds. SMS text messages to patients should be restricted to 160 characters and include the Covered Entity's contact details. In all cases, patients should receive no more than three calls per week or one text message per day.
Regardless of the nature of the communication, compliance with the HIPAA Privacy Rule is still required. The content of calls and text messages is still subject to the Minimum Necessary Standard and communications cannot be related to telemarketing, advertising, or solicitation. Additionally, some other TCPA Rules apply:
- Calls and text messages must not be charged to the patient or counted against plan limits.
- Patients can rescind consent to receive communications whether implied or expressed.
- Messages left on answering services should include a toll-free number for the patient to call back.
- Calls made regarding Social Security disability eligibility, payments, debt collections, accounting issues and other financial matters are still subject to TCPA rules.
The FCC's Declaratory Ruling and Order also covers third party consent if a patient is incapacitated and unable to give their own consent for a contact telephone number to be included in their record. In this circumstance, the FCC allows a third party to give consent on the patient's behalf until such time as the patient is able to provide consent personally. At this point, the consent provided by the third party is no longer valid according to the FCC.
The Position on Automated Calls to Patients is Still Confusing
The Declaratory Ruling and Order fails to resolve the issue of automated calls to patients following a 2013 ban on communications sent to patients' mobile phones via an automated dialing system. Prior to the ban, consent could be inferred by an existing relationship between the Covered Entity and the patient. However, since 2013, the FCC has required Covered Entities to obtain prior consent before sending communications to a mobile phone from an autodialing device.
Although an exemption now exists for automated calls to patients' landlines, and for automated appointment reminders sent to mobile devices via a third-party texting service (subject to a Business Associate Agreement being in place), Covered Entities can avoid liability for breaches of TCPA by asking patients to provide written consent to receive relevant text messages on their mobile phones if they have been generated by an autodialing device.
Update: In April 2021, the Supreme Court ruled that automatic dialing systems that do not have the capacity to store or produce a telephone number using a random or sequential number generator do not meet the statutory definition of autodialing devices.
While this ruling allows Covered Entities with these types of automated dialing systems to make unsolicited calls and send unsolicited texts to mobile devices, Congress promised to draft new legislation to close this loophole in the TCPA.
As no new legislation was forthcoming, some states passed their own. In December 2021, Florida made changes to its Telemarketing Act and Do Not Call Act which removed existing exemptions, required written consent for all types of calls made from automated dialing machines, and gave residents a private right of action against non-compliant companies.
Oklahoma passed similar legislation in May 2022, but with exceptions where an existing business relationship exists. Whether or not a Covered Entity's existing relationship with a patient is considered to be a “business relationship” is open to interpretation, and HIPAA Covered Entities are advised to continue obtaining patient consent before sending communications to patients' mobile phones via an automatic dialing machine.
Does the new ruling affect sharing patient information with families over the phone?
No. Covered Entities can continue to share patient information with families over the phone provided the patient has not objected to the information being shared. Covered Entities should give patients the opportunity to object where possible, and always verify the identity of callers.
Can a hospital have its own HIPAA telephone rules?
Covered Entities are required to develop policies and procedures based on a risk analysis. As different risks may exist in different hospitals, it is possible that HIPAA telephone rules differ in each hospital. However, whatever rules are developed, it is important they comply with the Privacy Rule.
Are all HIPAA communications subject to the Telephone Consumer Protection Act?
The Telephone Consumer Protection Act only applies to non-exempted communications between Covered Entities and patients. All other HIPAA communications – for example between Covered Entities or between Covered Entities and their Business Associates – are not subject to TCPA.
If a hospital discloses my health information without my consent, who do I complain to?
There are circumstances in which hospitals are allowed to disclose health information without consent (i.e., treatment, payment, and healthcare operations), so it may be the case that a complaint is not justified. Therefore, the first course of action is to obtain an accounting of disclosures from the hospital to find out who the health information was disclosed to and why.
If a complaint is justified, you should complain to the hospital's HIPAA Privacy Officer. If you then decide to escalate the complaint, you should speak with your state's Department of Health and Human Services. They will inform you if you can pursue a private course of action, or whether your complaint should be made to the HHS Office for Civil Rights via the OCR complaints portal.