HIPAA and Patient Telephone Calls

The Federal Communication Commission has released a Declaratory Ruling and Order to state the rules in relation to HIPAA and patient telephone calls.

Some healthcare suppliers have had difficulty understanding the rules in relation to HIPAA and patient telephone calls, and how the rules comply with the Telephone Consumer Protection Act (TCPA). Now, 19 years and 24 years after these Acts were passed in law, the Federal Communications Commission (FCC) has released a Declaratory Ruling and Order to address any possible confusion.

The ruling explains the rules in relation to HIPAA and patient telephone calls completed by covered entities and their Business Associates. The ruling also exempts covered bodies and Business Entities from certain TCPA legislation in certain situations.

Rules in Relation to HIPAA and Patient Telephone Calls

The FCC´s order explaining the rules in relation to HIPAA and patient telephone calls says that, if a patient supplies a contact telephone number to a healthcare group, the provision of that telephone number is indicative of express consent for telephone calls to be completed, subject to certain HIPAA restrictions. Consent applies to calls and text messages about:

  • Medical treatment provision
  • Health checkups
  • Appointments and reminders for appointments
  • Laboratory test results
  • Instructions prior to surgery or operations
  • Follow up calls after discharge
  • Prescription notifications
  • Instructions for home healthcare
  • Instructions for hospital pre-registration

When a telephone call is completed healthcare suppliers must first give their name and contact details. The FCC recommends that calls should be short, and limited to one minute. In the case of text messages, they should be kept to 160 characters. The frequency of communications is also minimized. Patients should only ever receive a maximum of three calls in a one-week period, and only one text message per day is permitted.

The content of all communications is still subject to a number of HIPAA restrictions – for example the Minimum Necessary Rule. Calls can only be completed for the purposes outlined above, and may not include any telemarketing, advertising or solicitation. Some telephone calls and text messages exempted from TCPA Rules are still subject to certain limits:

  • Telephone calls and text messages must not be charged to the recipient, or counted against plan limits, and those calls can only be completed to the wireless telephone number given by the patient.
  • Patients may have given expressed consent to receive voice calls and text messages, but that consent can be taken away. Patients should be aware of this and given a means of opting out of future correspondence.
  • If a message be left on an answering machine, patients should be goven with a toll-free telephone number to reply to their healthcare provider.
  • Calls must be made in accordance with TCPA rules if made regarding Social Security disability eligibility, payment alerts, debt collections, accounting issues and other financial issues.

The FCC’s Declaratory Ruling and Order to clarify the rules regarding HIPAA and patient telephone calls also covers the supply of prior express consent by a third party, such as when a patient is incapacitated. If consent cannot be given by a patient due to incapacity, the FCC will permit a third party to supply that consent, but only when the patient is incapable of doing so themselves. If a patient recovers the ability to provide consent themselves, the consent given by the third party would no longer be valid and the healthcare provider would be required to get consent from the patient.

Patients and HIPAA Compliant Automated Calls

An area in which the ruling is still unclear on is HIPAA compliant automated calls to people. Although going into detail about what constitutes an autodialing device, the FCC ruling does little to reconcile HIPAA compliance in relation to the 2013 ban on telephone calls and text messages to mobile phones from an automatic dialing system.

Before the ban, consent could be inferred by an existing relationship between the sender and the recipient (the healthcare provider and the patient). From October 16 2013 to present, the FCC requires prior written, unambiguous consent from the individual receiving calls on a mobile phone from an autodialing machine.

Although an exemption was made for HIPAA compliant automated calls to patients’ landlines, healthcare groups should still avoid liability for breaches of ECPA by asking their patients for written consent to receive messages on the mobile phones that may have been generated by an autodialing device.

Automated appointment reminders broadcast to mobile devices via a third-party texting service are permitted under the FCC ruling provided that the texting service provider completes a Business Associate Agreement (BAA). It is predicted that the situation in relation to HIPAA compliant automated calls to patients will be addressed soon.

Full details of the ruling can be viewed here.