HIPAA and Patient Telephone Calls

Jul 28, 2018

The Federal Communications Commission has released a Declaratory Ruling and Order to clarify TCPA rules in relation to HIPAA and patient telephone calls.

Some healthcare suppliers have had difficulty understanding TCPA rules in relation to HIPAA and patient telephone calls, and now – 19 years and 24 years after these Acts were passed – the Federal Communications Commission (FCC) has released a Declaratory Ruling and Order to address any possible confusion.

The ruling explains the rules in relation to HIPAA and patient telephone calls made by covered entities and their Business Associates. The ruling also exempts covered entities and Business Associates from TCPA legislation in certain situations.

Rules in Relation to HIPAA and Patient Telephone Calls

The FCC's order explaining the rules in relation to HIPAA and patient telephone calls says that, if a patient supplies a contact telephone number to a healthcare group, the provision of that telephone number is indicative of express consent for telephone calls and text messages, subject to certain HIPAA restrictions. Consent applies to calls and text messages about:

  • Medical treatment provision
  • Health checkups
  • Appointments and reminders for appointments
  • Laboratory test results
  • Instructions prior to surgery or operations
  • Follow up calls after discharge
  • Prescription notifications
  • Instructions for home healthcare
  • Instructions for hospital pre-registration

With regard to telephone calls, covered entities must also provide their name and details about the nature of the call at the start of the conversation. The FCC recommends calls should be short, and limited to one minute. In the case of text messages, communications should be kept within 160 characters. The frequency of communications is also stipulated. Patients should only ever receive a maximum of three calls in a one-week period, and only one text message per day is permitted.

The content of all communications is still subject to a number of HIPAA restrictions – for example the Minimum Necessary Rule. Calls can only be made for the purposes outlined above, and may not include any telemarketing, advertising or solicitation (see update below). Some telephone calls and text messages exempted from TCPA Rules are still subject to certain limits:

  • Telephone calls and text messages must not be charged to the recipient, or counted against plan limits, and those calls can only be completed to the wireless telephone number given by the patient.
  • Patients may have given express consent to receive voice calls and text messages, but that consent can be withdrawn. Patients should be made aware of this and given a means of opting out of future communications.
  • If a message is left on an answering machine, patients should be given a toll-free telephone number to reply to their healthcare provider.
  • Calls must be made in accordance with TCPA rules if made regarding Social Security disability eligibility, payment alerts, debt collections, accounting issues, and other financial issues.

The FCC’s Declaratory Ruling and Order to clarify the rules regarding HIPAA and patient telephone calls also covers the supply of prior express consent by a third party, such as when a patient is incapacitated. If consent cannot be given by a patient due to incapacity, the FCC will permit a third party to supply that consent, but only when the patient is incapable of doing so themselves. If a patient recovers the ability to provide consent themselves, the consent given by the third party would no longer be valid and the healthcare provider would be required to get consent from the patient.

Patients and HIPAA Compliant Automated Calls

An area on which the ruling is still unclear is HIPAA compliant automated calls. Although it goes into detail about what constitutes an autodialing device, the FCC ruling does little to reconcile HIPAA compliance in relation to the 2013 ban on telephone calls and text messages to mobile phones from an automatic dialing system.

Before the ban, consent could be inferred from an existing relationship between the sender and the recipient (the healthcare provider and the patient). From October 16, 2013, the FCC requires prior written, unambiguous consent from the individual receiving calls on a mobile phone from an automated dialing system.

Although an exemption was made for HIPAA compliant automated calls to patients’ landlines, healthcare groups should still avoid liability for breaches of TCPA by asking their patients for written consent to receive messages on their mobile phones that may have been generated by an autodialing device.

Automated appointment reminders broadcast to mobile devices via a third-party texting service are permitted under the FCC ruling provided that the texting service provider completes a Business Associate Agreement (BAA).

Full details of the ruling can be viewed here.

Update: In April 2021, the Supreme Court ruled that certain types of automatic dialing systems that do not have the capacity to store or produce a telephone number using a random or sequential number generator do not meet the statutory definition of autodialing devices.

While this ruling allows companies with these types of automatic dialing systems to make unsolicited calls and send unsolicited texts to mobile devices, Congress has promised to draft new legislation to close this loophole in the Telephone Consumer Protection Act.

Due to likely future changes in the HIPAA telephone rules, Covered Entities are advised to continue asking patients for written consent before making unsolicited calls or sending unsolicited text messages to a mobile phone from an autodialing device.



Daniel Lopez

Daniel Lopez is an experienced HIPAA trainer with a particular focus on patient privacy as the best way to ensure HIPAA compliance. Daniel serves as a subject matter expert for ComplianceJunction's online HIPAA training, using his teaching experience to ensure that the online training is clear and practical. Daniel also contributes expert articles providing advice about HIPAA.
