What are the HIPAA Telephone Rules?

The Federal Communication Commission has issued a Declaratory Ruling and Order to clarify the HIPAA telephone rules regarding calls and patients.

Some healthcare providers have had trouble understanding the rules in relation to HIPAA and patient telephone calls, and how the rules adhere to the Telephone Consumer Protection Act (TCPA). Now, 19 years and 24 years after the respective Acts were passed, the Federal Communications Commission (FCC) has issued a Declaratory Ruling and Order to clear up any misunderstanding.

The ruling explains the rules regarding HIPAA and patient telephone calls made by covered entities and their business associates. The ruling also exempts HIPAA covered entities and business associates from specific TCPA legislation in certain situations.

HIPAA and Patient Telephone Call Rules

The FCC’s order explaining the rules regarding HIPAA and patient telephone calls says that if a patient provides a contact telephone number to a healthcare provider, the provision of that telephone number constitutes explicit consent for telephone calls to be made, subject to certain HIPAA restrictions. Consent applies to calls and text messages in relation to:

  • Providing medical treatment
  • Healthcare checkups
  • Reminders of appointments
  • Laboratory test results
  • Pre-operative guidelines
  • Post discharge follow up phone calls
  • Notifications and alerts relating to prescriptions
  • Instructions for home healthcare
  • Pre-registration hospital instructions

When a telephone call must be made, healthcare providers must first give their name and contact details. The FCC recommends that calls should be short and limited, in most cases, to just 60 seconds. In relation to text messages, they should be kept to 160 characters. The regularity of communications is also restricted. Patients should only ever receive at most three calls per week, and only one text message per day is allowed.

The content of all telephone communications is still subject to certain HIPAA restrictions – for example the Minimum Necessary Standard. Calls can only be made for the purposes mentioned above, and cannot involve any telemarketing, advertising or solicitation. Some telephone calls and text messages exempted from TCPA Rules are still governed by certain restrictions:

  • Telephone calls and text messages must not be paid for by the client, or counted against plan limits, and those calls can only be made to the wireless telephone number given by the patient.
  • Patients may have given previous express consent to receive voice calls and text messages, but that consent can be taken away. Patients should be aware of that fact and given a means of refusing future communications.
  • If a message is left on a telephone answering machine, patients should be given a toll-free telephone number to contact their healthcare supplier.
  • Calls are still subject to TCPA rules if made in relation to Social Security disability eligibility, payment notifications, debt collections, accounting issues, and other financial matters.

The FCC’s Declaratory Ruling and Order to outline the rules regarding HIPAA and patient telephone calls also covers the provision of previous express consent by a third party, such as when a patient is incapacitated. If consent cannot be given by a person due to incapacity, the FCC will permit a third party to provide that consent, but only when the patient is incapable of doing so themselves. Should a patient recover the ability to give consent themselves, the consent provided by the third party would no longer be valid and the healthcare provider would be required to obtain permission from the patient.

HIPAA Compliant Automated Telephone Calls to Patients

An area in which the ruling still holds a little ambiguity is HIPAA compliant automated telephone calls to patients. Although going into great detail about what constitutes an autodialing device, the FCC ruling does little to reconcile HIPAA compliance with the 2013 ban on telephone calls and text messages to mobile phones from an automatic telephone dialing system.

Before the ban, consent could be inferred by a previous relationship between the sender and the recipient (the healthcare provider and the patient). From October 16 2013 onward, the FCC requires previous written, unambiguous consent from the person receiving calls on a mobile phone from an autodialing device.

Although an exemption was issued for HIPAA compliant automated calls to patients’ landlines, healthcare providers can avoid liability for breaches of ECPA rules by asking their patients for written consent to receive text messages on the mobile phones, which may include text messages sent by an autodialing device.

Ironically, automated appointment reminders shared to mobile devices via a third-party texting service are permitted under the FCC ruling, provided that the texting service provider signs a Business Associate Agreement (BAA) with the covered entity. It is hoped that the situation in relation to HIPAA compliant automated calls to patients will be updated soon to address these ambiguities.

A complete copy of the ruling can be viewed here.