HIPAA and Patient Telephone Calls Rules Confirmed by FCC

by | Aug 1, 2015

The Federal Communication Commission (FCC) has released a Declaratory Ruling and Order to clarify the rules in relation HIPAA and patient telephone calls.

Some healthcare providers have had difficulty understanding the rules regarding HIPAA and patient telephone calls, and how the rules adhere with the Telephone Consumer Protection Act (TCPA). Now, 19 years and 24 years after the respective Acts were passed, the Federal Communications Commission (FCC) has issued a Declaratory Ruling and Order to clear up any failure to comprehend them.

The ruling clarifies the rules in relation to HIPAA and patient telephone calls made by covered bodies and their Business Associates. The ruling also exempts covered bodies and Business Entities from certain TCPA legislation in certain instances.

The FCC´s order clarifying the rules in relation to HIPAA and patient telephone calls states that, if a patient supplies a contact telephone number to a healthcare provider, the provision of that telephone number constitutes express consent for telephone calls to be made, subject to certain HIPAA restrictions. Consent applies in relation to calls and text messages related to:

  • The provision of medical care.
  • Some Health checkups.
  • Appointments and reminders of appointments.
  • Results of laboratory tests
  • Pre-operation instructions for patients.
  • Follow-up calls post discharge.
  • Prescription notifications.
  • Instruction on home healthcare.
  • Pre-registration hospital instructions.

During a telephone call, healthcare providers must first provide their name and contact details. The FCC recommends that calls should be short, and limited, in most cases, to 60 seconds. In the case of text messages, they should be kept to 160 characters. The frequency of communications is also controlled. Patients should only ever receive a maximum of three calls per week, and only one text message per day is permissable.

The content of all communications is still subject to certain HIPAA controls – for example the Minimum Necessary Rule. Calls can only be made for the purposes described above, and cannot include any type of telemarketing, advertising or solicitation. Some telephone calls and text messages exempted from TCPA Rules are still subject to certain control measures:

  • TText messages and telephone calls must not be charged to the client, or counted against plan limits, and those calls can only be made to the wireless telephone number supplied by the patient.
  • Patients may have given prior express consent to receive voice calls and text messages, but that consent can be taken away. Patients should be reminded of that fact and given a way of opting out of future communications.
  • If a message be left on an answering machine, patients should be supplied with a toll-free telephone number to contact their healthcare provider.
  • Calls are still subject to TCPA rules if made in relation to Social Security disability eligibility, payment notifications, debt collections, accounting issues and other financial matters.

The FCC´s Declaratory Ruling and Order to clarify the rules regarding HIPAA and patient telephone calls also takes into account the provision of prior express consent by a third party, such as when a patient is incapacitated. If consent cannot be supplied by a patient due to incapacity, the FCC will allow a third party to provide that consent, but only when the patient is incapable of doing so themselves. Should a patient recover the ability to supply consent personally, the consent provided by the third party would no longer be adequate and the healthcare provider would be required to obtain consent from the patient.

An area in which the ruling still leaves a lack of clarity is HIPAA compliant automated calls to patients. Although going into great depth about what an autodialing device actually is, the FCC ruling does little to reconcile HIPAA compliance with the 2013 ban on telephone calls and text messages to mobile phones from an automatic dialing system.

Before the ban, consent could be inferred by an existing relationship between the sender and the recipient (the healthcare provider and the patient). From October 16 2013 onwards, the FCC needs prior written, unambiguous consent from the individual receiving calls on a mobile phone from an autodialing system.

Although an exemption was made for HIPAA compliant automated calls to patients´ landlines, healthcare providers should persist in avoiding liability for breaches of ECPA by asking their patients for written consent to receive messages on the mobile phones that may have been generated by an autodialing device.

Strangely, automated appointment reminders send to mobile devices via a third-party texting service are permitted under the FCC ruling provided that the texting service provider completes a Business Associate Agreement (BAA). It is hoped that the situation regarding HIPAA compliant automated calls to patients will be addressed in the near future.

Full details of the ruling can be seen or downloaded here.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy