The HIPAA Privacy Rule and the Federal Communications Commission

The content of provider telephone calls to patients is regulated by the HIPAA Privacy Rule; the Telephone Consumer Protection Act (TCPA) of 1991; and the regulations issued under the Telephone Consumer Protection Act by the Federal Communications Commission (FCC).

In 2015, the Federal Communications Commission, the agency that enforces and administers the Telephone Consumer Protection Act, issued a Declaratory Ruling and Order to clarify the rules regarding HIPAA and patient telephone calls. 

The ruling outlines what kinds of calls a covered entity (provider) may make to a patient who has provided a contact telephone number to that provider.  

What Telephone Calls Do the Federal Communications Commission and the HIPAA Privacy Rule Permit?

The Federal Communications Commission Order provides that, if a patient provides a contact telephone number to a healthcare provider, the provision of that telephone number constitutes express consent for telephone calls to be made to the patient, subject to certain HIPAA Privacy Rule restrictions. Consent applies to calls and text messages related to:

  • The provision of medical treatment
  • Health checkups
  • Appointments and reminders
  • Lab test results
  • Pre-operative instructions
  • Post discharge follow up calls
  • Notifications about prescriptions
  • Home healthcare instructions
  • Hospital pre-registration instructions

What Must Providers Do When Making a Telephone Call?

Under the FCC Order, when a telephone call is made, healthcare providers must first provide their name and contact details. 

Under the Federal Communications Commission Order, calls must be concise, and limited, in most cases, to 60 seconds. Text messages are restricted to 160 characters. The FCC Order also restricts the frequency of communications. Patients should only ever receive a maximum of three calls per week, and a maximum of one text message per day. 

While the FCC order places limits on the frequency and length of communications, the HIPAA Privacy Rule places restrictions on the content of communications. Under the HIPAA Privacy Rule, the content of all communications is subject to the HIPAA Minimum Necessary Standard. Under the minimum necessary standard, covered entities must make reasonable efforts to ensure that access to protected health information (PHI) is limited, per the HIPAA Privacy Rule, to the minimum amount of information necessary to fulfill or satisfy the intended purpose of a particular disclosure, request, or use. 

In addition, per the FCC Order, calls can only be made for the purposes described above, and cannot include any telemarketing, advertising, or solicitation. 

Does the Federal Communications Commission Impose Additional Restrictions on Telephone Calls and Text Messages?

The Federal Communications Order imposes certain additional restrictions on telephone calls and text messages to patients. These restrictions include: 

  • The healthcare provider must offer recipients, within each message, an easy means to opt out of future such messages.
  • Voice calls that could be answered by a live person must include an automated, interactive voice- and/or key press-activated opt-out mechanism that enables the call recipient to make an opt-out request prior to terminating the call.
  • Voice calls that could be answered by an answering machine or voice mail service must include a toll-free number that the consumer can call to opt out of future healthcare calls.
  • Text messages must inform recipients of the ability to opt out by replying “STOP,” which will be the exclusive means by which consumers may opt out of such messages.
  • A healthcare provider must honor the opt-out requests immediately.