HIPAA Compliant Phone Calls
The Telephone Consumer Protection Act (TCPA) enacted in 1991 established rules on telemarketing calls, pre recorded messages, and the use of automatic phone dialing systems. TCPA was established to protect consumer privacy and limits telemarketing calls through text messages, voice calls, and fax. Recently the Federal Communications Commission (FCC) clarified how healthcare providers are exempt from TCPA standards under certain circumstances. HIPAA compliant phone calls to patients in some instances require covered entities (CEs) or business associates (BAs) to leave messages or send texts.
What is Permissible for HIPAA Compliant Phone Calls?
HIPAA compliant phone calls include calls and texts in relation to:
- Appointments and reminders
- Health checkups
- The provision of medical treatment
- Lab test results
- Notifications about prescriptions
- Pre-operative instructions
- Post-discharge follow up calls
- Home healthcare instructions
- Hospital pre-registration instructions
For a phone call to be HIPAA compliant, covered entities must state their name and contact information before addressing the purpose of their call. The FCC has also provided recommendations for the length of phone calls and text messages, 60 seconds for a phone call and 160 characters for a text message. In addition, healthcare providers should not excessively contact patients; patients should not be contacted via phone more than three times a week and text messages should be limited to one message per day.
Healthcare providers are not permitted to contact patients for reasons beyond those listed above including advertising, telemarketing, or solicitation. The FCC also stated that express third-party consent for phone calls is permitted when a patient is unable to give consent. However, should the patient recover the ability to give consent, third-party consent is no longer valid and healthcare providers must receive consent from the patient. Additionally, providers must stick to the HIPAA Minimum Necessary Rule by divulging only the information pertaining to the reason for their call.
There are additional restrictions for HIPAA compliant phone calls including:
- Patients cannot be charged for phone calls or text messages and calls can only be made to the wireless phone number the patient provided.
- Patients reserve the right to revoke their consent to receive phone calls or text messages at any time. Patients must be provided with a way to opt-out of future communications.
- When leaving a message on an answering machine, providers must leave a toll-free number patients can contact them with.
- TCPA applies to calls in regards to payment notifications, Social Security disability eligibility, accounting problems, debt collections, and other financial issues.
Automated Phone Calls and HIPAA Compliance
The law on HIPAA compliant automated phone calls has not been clarified. Previously, the FCC banned automatic dialing calls and text messages to cell phones, however this did not apply to landline phones. The FCC mandated that patients must give explicit consent for providers to use automatic dialing device to contact them on their cell phones.
However, third-party texting services are permitted to send automated appointment reminders to patients’ cell phones. Third-party texting services must first sign a business associate agreement (BAA) with the healthcare provider before protected health information (PHI) is permitted to be sent to them.
HIPAA compliant phone calls are restricted to calls for a specific purpose and must be used in a limited capacity. Healthcare providers must only contact patients via phone for the reasons stated above such as reminding patients of appointments, lab test results, health checkups, etc. Healthcare providers may not contact patients for telemarketing, advertising, or solicitation. The use of automatic dialing systems should only be used when a patient has given explicit consent to be contacted using this method or for third-party appointment reminders.