Communicating with Patients Under HIPAA and the TCPA: The Good, the Bad and the "Do-Not-Call"
Using telephone, text messages or FAX messages to communicate with your patients just got a little less risky, but you have to do it “just right” to avoid violations of the Health Insurance Portability and Accountability Act (“HIPAA”) and the Telephone Consumer Protection Act (TCPA). This has important operational implications for HIPAA covered entities—providers, insurers, and your business associates. Here’s how.
HIPAA is a federal law that protects the privacy and security of health care information held and used by covered entities. TCPA is a federal “do not call” law that regulates how individuals may be contacted through the use of certain technologies. “Calls” subject to TCPA include information passed through calling and receiving technologies, such as landline and mobile phones, and include text messages, internet-to-phone text messages, FAX, and automated telephone dialer systems sending live or artificial-voice, automated or pre-recorded robocalls.
TCPA has been around since 1991 to protect consumers from unwanted calls and the invasion of their privacy. Under the TCPA, anyone “calling” an individual must identify themselves and the person or entity on whose behalf the call is being made and must provide an address or phone number at which that person or entity may be contacted. Calls are prohibited before 8 am or after 9 pm and the caller must immediately comply with any do-not-call request. In 2003, a national Do-Not-Call list was established and many states also have statewide do-not-call lists for residents. Calls may not be made without the prior express written consent of the called party. HIPAA controls the content of calls. The combination of HIPAA and the TCPA made it difficult for HIPAA covered entities or their business associates to call patients without having the patient sign an express written consent in advance of such calls. This situation was not realistic or helpful to patients in this information age.
On July 10, 2015, the Federal Communications Commission (FCC) issued a Declaratory Ruling and Order that re-calibrated the rights of patients to privacy and the need of covered entities and their business associates to communicate with their patients with “health care messages.” Health care messages are now divided into non-marketing “informational” messages and marketing messages, with different requirements for each type of call.
The Declaratory Ruling clarifies the rules related to the differing consent requirements for non-marketing informational calls and marketing calls. For non-marketing informational calls, consent is presumed to be met by an individual’s act of providing their telephone number to a covered entity or business associate, or by providing written, electronic or verbal consent.
Non-marketing informational calls are considered those that relate to healthcare treatment and include: appointments, wellness and exam confirmations and reminders, hospital pre-registration instructions, pre-operative instructions, lab results, post-discharge follow up information intended to prevent readmission, follow up care calls, outreach, recall recare, prescription or eyeglass notifications and home health care instructions.
For non-marketing informational calls, after the consent requirement is met by obtaining an on-file telephone number or other form of express consent, the following additional requirements must be satisfied before the call may be made by a covered entity or business associate. The call must be made without charge to the patient—including not being charged against any calling plan limits that may apply—and made only to the number of the patient. It must include the name and contact number of the caller, be limited to only the above permitted purposes, and be one minute or less for voice calls and 160 characters or less for texts. Finally, the call must offer an easy method to “opt out” of receiving future calls, including an interactive method for voice calls and a “stop” reply for texts. The caller must immediately honor any opt-out request. Covered entities or their business associates are limited to one “good” call per day with a weekly limit of three calls.
All other calls—marketing calls—require the HIPAA covered entity or business associate to have the patient’s express written consent on file in advance of a call being made. Marketing calls that require express written consent include: market focused messages, advertising, telemarketing, debt collection, billing, accounting, financial matters or calls that do not meet the additional requirements listed above. A “bad call” (one for marketing without express written consent, or one for non-marketing information that does not meet the additional requirements above, such as not including identifying or contact information or not informing recipients of opt-out steps) exposes the covered entity or business associate to FCC warning citations and uncapped statutory fines. The TCPA also permits private right of action lawsuits, and class action lawsuits are increasing.
Examples of types of business associates of covered entities that may be subject to these regulations include: third-party administrators, claims processors, patient relationship management service providers all along the care delivery continuum, health communication and technology vendors, and reminder and call services, regardless of the method or technologies they use. Simply put—anyone who has the ability to call your patients for any reason whatsoever is subject to the TCPA.
Covered entities and their business associates can take some practical steps to ensure compliance with HIPAA and the FCC rules.
• Calls to patients must be divided into non-marketing informational calls and marketing calls. Each type of call must meet the requirements unique to it. Special care must be taken with respect to marketing calls, including obtaining and documenting express written consent in the patient’s record or file. Covered entities and their business associates should develop policies and procedures regarding calls, with a line drawn between non-marketing informational calls and marketing calls.
• Business associates of covered entities must be contractually obligated through affirmative performance standards to meet not only HIPAA but also TCPA legal requirements. Express written consent must be on file and auditable, particularly for high-risk calls that are part of calling campaigns with market/advertising/finance focused messages or non-marketing informational calls which do not meet the additional requirements for only a phone number, verbal or electronic exception. These requirements should be included in written contracts, with the contractual promises of TCPA as well as HIPAA compliance.
• Amended Policies & Procedures. Covered entities and their business associates should amend their HIPAA Notice of Privacy Practices and Privacy Policies and Procedures to specifically include the TCPA consent requirements, as they differ for non-marketing informational calls and marketing calls. Consent practices, and their documentation, are an important component of this.
• Periodic internal and external audits should become part of a formal compliance program.
The ready availability of calling and receiving communication technologies in the health care industry has played and will continue to play an even larger part in communications between providers, insurers, their business associates and patients. The new FCC rules under the TCPA need to be incorporated into HIPAA practices as covered entities, business associates, patients and clients embrace new means of communicating with one another. The line between information and harassment is a fine one. The FCC receives more TCPA complaints than any other category of complaints. Don’t let your business be the target.
If you would like additional information about this Alert, please contact one of the individuals listed below or any other Butzel Long attorney.