Rules Concerning HIPAA and Patient Telephone Calls Confirmed by FCC

by

A Declaratory Ruling and Order to clarify HIPAA rules concerning patient telephone calls has been issued by the Federal Communication Commission (FCC)

Understanding of and compliance between the Telephone Consumer Protection Act (TCPA) and patient telephone call rules under HIPAA have long caused trouble for a number of healthcare providers. Finally, 24 years after the introduction of the TCPA and 19 years after the introduction of HIPAA, the Federal Communication Commission (FCC) has issued a Declaratory Ruling and Order to clarify the situation.

The Ruling addresses regulations concerning patient telephone calls, HIPAA, and covered entities and their Business Associates. The Ruling further liberates covered entities and Business Entities from a subset of TCPA regulations, should certain conditions are met.

HIPAA Rules Concerning Patient Telephone Calls

In the FCC Order on regulations affecting patient telephone calls and HIPAA, it is stated that if a patient provides a contact telephone number to a healthcare provider, the provision of that telephone number constitutes express consent for telephone calls to be made, subject to certain restrictions under HIPAA. This consent covers both text messages and calls, provided they are in relation to:

  • Health checkups.
  • Notifications about prescriptions.
  • The provision of medical treatment.
  • Laboratory test results.
  • Appointments and reminders.
  • Pre-operative instructions.
  • Hospital pre-registration instructions.
  • Post discharge follow up calls.
  • Home healthcare instructions.

When making a call, providers of healthcare are obligated to give their name and details with which the patient can contact them. FCC recommendations outline that telephone calls should be concise – limited to 60 seconds in most instances. Text messages should not exceed 160 characters. Frequency is restricted such that patients should not receive more than three calls per week and a maximum of one text message per day.

All communications content remains subject to relevant HIPAA restrictions, one such restriction being the Minimum Necessary Rule. Only calls made for the purposes outlined above are permitted and they cannot include any advertising, solicitation or telemarketing. Telephone calls and text messages that are exempt from TCPA regulations remain subject to other restrictions;

  • Telephone calls and text messages cannot be charged to the client, or counted against plan limits, and those calls can only be made to the wireless telephone number provided by the patient.
  • Patients may have given prior express consent to receive voice calls and text messages, however consent can be rescinded. Patients should be reminded of this and given a means of opting out of future communications.
  • If a message is left on an answering machine, patients should be given a toll-free telephone number on which they can contact the healthcare provider.
  • Calls remain subject to TCPA rules if they are made regarding Social Security disability eligibility, payment notifications, debt collections, accounting issues and other financial matters.

Also covered by the FCC Declaratory Ruling and Order clarifying regulations relating to HIPAA and patient telephone calls is the provision of prior express consent accorded to a third party, for example in cases where a patient may be incapacitated. If, due to incapacity, a patient cannot personally give consent, the FCC allows for a third party to give consent. In cases where the patient recovers their capacity and is in a position to personally give consent, consent provided by a third party would not be valid and consent would need to be sought by the healthcare provider from the patient.

Automated Calls to Patients and HIPAA compliance

Even following this Ruling, some ambiguity remains – particularly in relation to the HIPAA compliance of automated telephone calls to patients. While great detail is given as to what may be considered auto-dialing devices, the FCC Ruling does not go far enough in explaining how the ban on automatic dialing systems contacting mobile telephone devices by either telephone call or text message may impact otherwise HIPAA compliant communication actions.

Before the ban was enacted, an existing patient-healthcare provider relationship allowed for consent to be inferred. Following October 16, 2013, however, prior written and unambiguous consent is required by the FCC from the receiver of the calls authorizing contact to be made to a mobile telephone from an auto-dialing system.

While HIPAA compliant automated telephone calls to patients’ landlines were exempted, patients should be asked to provide written consent to healthcare providers authorizing the provider to contact them on their mobile telephones using auto-dialing systems in order to avoid liability for possible breaches of the Electronic Communications Privacy Act (ECPA).

Currently, the FCC Ruling allows for appointment reminders to be sent to patients’ mobile devices via third party texting services, so long as the third party has signed a Business Associate Agreement (BAA). Further clarification of the HIPAA compliance of automated telephone calls is hoped for in the near future. For full details of the Declaratory Ruling and Order, please click here.