Rules Regarding HIPAA and Patient Telephone Calls Confirmed by FCC

by | Jan 5, 2016

The Federal Communication Commission has released a Declaratory Ruling and Order to clear up any confusion the rules in relation to HIPAA and patient telephone calls.

Some healthcare suppliers have had difficulty with the rules regarding HIPAA and patient telephone calls, and how the rules relate to the Telephone Consumer Protection Act (TCPA). Now, 19 years and 24 years after the respective Acts were enacted, the Federal Communications Commission (FCC) has issued a Declaratory Ruling and Order to address any confusion.

The ruling clarifies the rules in relation HIPAA and patient telephone calls made by covered entities and their Business Associates. The ruling also exempts covered entities and Business Entities from certain TCPA legislation on certain occasions.

Rules in Relation to HIPAA and Patient Telephone Calls

The FCC’s order clarifying the rules in relation to HIPAA and patient telephone calls states that, if a patient supplies a contact telephone number to a healthcare supplier, the provision of that telephone number represents express consent for telephone calls to be completed, subject to certain HIPAA restrictions. Consent applies to calls and text messages linked with:

  • Providing medical treatment
  • Regular health checkups
  • Calls relating to appointments and reminders
  • Laboratory test results
  • Pre-operative instructions and guidelines
  • Post discharge follow up contact
  • Notifications related to prescriptions
  • Home healthcare guidelines
  • Hospital pre-registration details

When a telephone call is completed, healthcare providers must first give their name and contact details. The FCC recommends that calls should be short, and limited, in most instances, to 60 seconds. In the case of text messages, they should be limited to 160 characters. The frequency of communications is also controlled. Patients should only ever receive, at most, three calls per week, and only one text message per day is permissible.

The content of all communications is still subject to certain HIPAA limits – for example the Minimum Necessary Rule. Calls can only be made for the purposes referred to above, and cannot include any telemarketing, advertising or solicitation. Some telephone calls and text messages exempted from TCPA Rules are still subject to certain restrictions:

  • Telephone calls and text messages must not be expensed to the client, or counted against plan restriction, and those calls can only be made to the wireless telephone number supplied by the patient.
  • Patients may have given prior express consent for voice calls and text messages, but that consent can be withdrawn. Patients should be reminded of that fact and given a way of opting out of future communications.
  • If a message be recorded on an answering machine, patients should be given a toll-free telephone number to contact their healthcare provider.
  • Calls are still subject to TCPA rules if made regarding Social Security disability eligibility, payment notifications, debt collections, accounting issues and other financial matters.

The FCC’s Declaratory Ruling and Order to clarify the rules in relation to HIPAA and patient telephone calls also includes the provision of prior express consent by a third party, such as when a patient is incapacitated. If consent cannot be given by a patient due to incapacity, the FCC will permit a third party to provide that consent, but only when the patient is incapable of doing so on their own. Should a patient recover the ability to confirm consent personally, the consent provided by the third party would no longer be current and the healthcare provider would be required to  obtain consent from the patient at that time.

There is still a little ambiguity in relation to HIPAA compliant automated calls to patients. Although going into great detail in relation to what constitutes an autodialing device, the FCC ruling does little to reconcile HIPAA compliance with the 2013 ban on telephone calls and text messages to mobile phones from an automatic dialing system.

Before the ban, consent could be inferred by a current relationship between the sender and the recipient (the healthcare provider and the patient). From October 16 2013 onwards, the FCC requires prior written, unambiguous consent from the person receiving calls on a mobile phone from an autodialing device.

Although an exemption was put in place for HIPAA compliant automated calls to patients’ landlines, healthcare providers should go on avoiding liability for breaches of ECPA by asking their patients for written consent to receive messages on the mobile phones that may have been created by an autodialing device.

Ironically, automated appointment reminders send to mobile devices using a third-party texting service are permitted under the FCC ruling provided that the texting service provider completes a Business Associate Agreement (BAA). It is hoped that the situation in relation HIPAA compliant automated calls to patients will be clarified in the near future.

All details of the ruling can be viewed here.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy