The FCC has recently clarified it the rules regarding HIPAA and patient telephone calls, but fails to properly consider automated telephone calls.
There has been some confusion reported by healthcare authorities over the rules regarding HIPAA and patient telephone calls, and how rules outlined by HIPAA comply with the Telephone Consumer Protection Act (TCPA). The Federal Communications Commission (FCC) has recently issued a Declaratory Ruling and Order to clear up any confusion, 24 years after the TCPA was introduced.
The FCC ruling clarifies the rules regarding HIPAA and patient telephone calls made by covered entities and their Business Associates (BAs). The ruling also exempts covered entities (CEs) and Business Entities from certain TCPA legislation under some specific circumstances.
Rules Regarding HIPAA and Patient Telephone Calls
The FCC´s order clarifying the rules regarding HIPAA and patient telephone calls are outlined as follows. If a patient provides a contact telephone number to a healthcare provider, the provision of that telephone number constitutes express consent for telephone calls to be made to that patient, subject to certain HIPAA restrictions. This given consent applies to calls and text messages dealing with:
• The provision of medical treatment.
• Health checkups.
• Appointments and reminders.
• Lab test results.
• Pre-operative instructions.
• Post discharge follow up calls.
• Notifications about prescriptions.
• Home healthcare instructions.
• Hospital pre-registration instructions.
When a telephone call is made, healthcare providers must first provide their name and contact details to the patient. The FCC recommends that calls should be concise, and limited, in most cases, to 60 seconds. In the case of text messages, they should be restricted to 160 characters. The FCC has also recommended that the number of calls made to a patient should be limited to a maximum of three calls per week. Furthermore, only one text message per day is acceptable.
The content of all communications is still subject to certain HIPAA restrictions, such as the Minimum Necessary Rule. The nature of the calls are described above. If they are used for other purposes, such as any telemarketing, advertising or solicitation, it would be a violation of HIPAA.
Some telephone calls and text messages exempted from TCPA Rules. However, these are still subject to certain restrictions, such as:
• Telephone calls and text messages must not be charged to the client, or counted against plan limits, and those calls can only be made to the wireless telephone number provided by the patient.
• Patients may have given prior express consent to receive voice calls and text messages, but that consent can be rescinded. Patients should be reminded of that fact and given a means of opting out of future communications.
• If a message be left on an answering machine, patients should be provided with a toll-free telephone number to contact their healthcare provider.
• Calls are still subject to TCPA rules if made regarding Social Security disability eligibility, payment notifications, debt collections, accounting issues and other financial matters.
The FCC´s Declaratory Ruling and Order to clarify the rules regarding HIPAA and patient telephone calls also covers the provision of prior express consent by a third party, such as when a patient is incapacitated. If consent cannot be provided by a patient due to incapacity, the FCC will allow a third party to provide that consent on the patient’s behalf. Should a patient recover the ability to provide consent personally, the consent provided by the third party would no longer be valid and the healthcare provider would be required to obtain consent from the patient themselves.
HIPAA Compliant Automated Calls to Patients
The FCC ruling failed to clear ambiguity regarding HIPAA compliant automated calls to patients.The FCC ruling fails to completely reconcile HIPAA compliance with the 2013 ban on telephone calls and text messages to mobile phones from an automatic dialing system. Despite this failing, the FCC does go into great detail about what constitutes an autodialing device.
Prior to the ban, consent could be inferred by an existing relationship between the sender and the recipient (the healthcare provider and the patient). From October 2013 onwards, the FCC requires prior written, unambiguous consent from the individual receiving calls on a mobile phone from an autodialing device.
Although an exemption was made for HIPAA compliant automated calls to patients´ landlines, healthcare providers should continue to avoid liability for breaches of ECPA by asking their patients for written consent to receive messages on the mobile phones that may have been generated by an autodialing device.
Under the FCC ruling, provided that the texting service provider signs a Business Associate Agreement (BAA), automated appointment reminders sent to mobile devices via a third-party texting service are allowed. It is hoped that the situation regarding HIPAA compliant automated calls to patients will be clarified in the near future by a future FCC ruling.