TCPA Policy for SMS Communications
Created January 1, 2020
It is a basic and fundamental objective and commitment of Adventist Healthcare (“Adventist”) to conduct all activities in a manner that meets or exceeds compliance with all applicable laws, rules and regulations, regulatory guidance, and internal policies. To this end, all policies and processes are to be documented and managed in a manner that ensures key components are covered, reviewed and updated in order to maintain consistency and solid control of its operations while adapting to the changing business environment and best practices.
All policies and procedures should provide personnel with sufficient information needed to efficiently perform job functions in a manner designed to prevent violations and to detect or prevent associated risks of harm to patients.
This is considered a universally applicable policy and should be applied to the healthcare operations of Adventist without exception.
Congress enacted the Telephone Consumer Protection Act (“TCPA”) in 1991. In connection with enacting the TCPA, Congress authorized the Federal Communications Commission (“FCC”) to implement rules and regulations enforcing the statute (47 U.S.C. § 227(b), (c)). Under its rulemaking authority, the FCC has set forth specific compliance obligations that form the basis for most TCPA litigation (see 47 C.F.R. § 64.1200). The TCPA regulates certain aspects of hospital communications with patients including, but not limited to, the tools that can be used to make phone calls to consumers, the type of telephone line contacted, and the use of fax machines in telemarketing activities. The TCPA also addresses the use of automatic telephone dialing systems and artificial prerecorded voice technology in contacting consumers.
In 2012, the FCC clarified that “prior express consent” must be in writing for telemarketing calls, and also created certain limited exemptions for healthcare messages that are subject to HIPAA, such as health screening and immunization reminders, medical supply renewal requests, and generic drug migration recommendations.
In 2013, the TCPA was amended to expressly include calls placed to both residential and wireless phone numbers. In addition, the former “established business relationship” exemption was eliminated.
In July 2015, the FCC issued a Declaratory Ruling and Order (“2015 Ruling”) to clarify select requirements under the TCPA. The TCPA essentially prohibits telephone calls and text messages to residential and wireless numbers using an automatic dialing system or a pre-recorded message when the recipient has not granted prior express consent. The 2015 Ruling was issued in response to numerous FCC petitions from healthcare and business entities that sought to clarify certain requirements and ambiguities under the TCPA. The ruling has wide reaching implications for any entity that utilizes wireless phone numbers for contacting consumers.
The TCPA authorizes damages of $500 per TCPA violation that can be trebled to $1,500 for willful or knowing violations under the statute's private right of action. Monetary damage awards can be significant as there is no maximum cap on liability. The cost of TCPA actions and settlements can be exorbitant and damaging to the reputation of a company. Providers should review their communication policies, specifically related to text messaging, to ensure that appropriate procedures are in place for obtaining proper consent to send text messages and for safeguarding against ongoing communications to patients who have revoked consent via opt-out mechanisms.
It is also important for providers to assess the HIPAA implications of communicating with patients via SMS text message platforms which are not secured by encryption. Transmitting PHI via unsecure methods could be viewed as impermissible under HIPAA unless the patients are advised of the security risks and they consent anyway. Therefore, including a notice regarding security of text messages may be advisable.
Obtaining proper consent for text messaging should also be obtained as part of a provider's obligations under the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, all providers should have proper privacy and security measures in place if they wish to send text messages to patients. Providers should remind patients of the privacy issues involved and that privacy is not guaranteed if they are messaging on an unsecure platform because there may be a risk that the information could be viewed by an unintended third party.
Healthcare Exemptions for Certain Autodialed Calls and Texts
The FCC has exempted certain useful healthcare calls to wireless numbers. Under this declaratory ruling and order, calls are exempt from TCPA requirements if they are exigent and made with a healthcare treatment purpose. Specifically, the FCC has exempted healthcare calls and texts for:
- Appointment and exam confirmations and reminders.
- Wellness checkups.
- Hospital pre-registration instructions.
- Pre-operative instructions.
- Lab results.
- Post-discharge follow-up intended to prevent readmission.
- Prescription notifications.
- Home healthcare instructions.
Privacy rules under HIPAA also control the content of the information in these messages. These exemptions are also subject to strict conditions.
Conditions for TCPA Exemptions
The FCC has exempted the above financial and healthcare calls from the TCPA, but only under the following conditions:
- Voice calls and text messages must:
- be sent, if at all, only to the wireless telephone number provided by a patient;
- state the healthcare provider's name and contact information;
- be only for the reasons listed above and not include any:
- debt collection,
- advertising and marketing content, or
- accounting, billing or other financial content if it is a healthcare call;
- comply with HIPAA privacy rules, if it is a healthcare call; and
- be concise, generally one minute or less for voice calls and 160 characters or less for text messages.
- A healthcare provider may initiate only one message (whether by voice call or text message) per day, up to a maximum of three voice calls or text messages combined per week from a specific healthcare provider.
- A healthcare provider must offer recipients within each message a means to opt out of future messages. The TCPA Ruling identifies the required opt-out methods.
- A healthcare provider must immediately honor opt-out requests.
If a healthcare provider initiates a call or a text to a wireless number without the called party's consent, it should first verify that the above conditions are met. The provider could otherwise be liable for violating the TCPA.
Exempt outbound calls for healthcare providers must satisfy seven conditions.
While the limited healthcare exemption allows calls to be placed outside of the permitted scope of consent, entities and providers must adhere to the following restraints to qualify for the exemption.
- The voice call or text message must be sent to the wireless phone number that the patient provides. With respect to text messages, the patient cannot be charged, nor can the text be counted against the limits of a wireless telephone plan.
- The name and contact information of the healthcare provider or organization must be stated at the outset of a voice call or prominently noted within a text message.
- The voice call or text message must comply with HIPAA privacy rules and cannot include telemarketing, solicitation, or advertising content, nor can it pertain to accounting, debt collection, or other financial information.
- The message must be concise, e.g., one minute or less for voice calls and 160 characters or less for text messages.
- Healthcare providers are limited to one voice call or text message a day, up to a maximum of three combined calls/messages per week per provider.
- Recipients must be offered an easy “opt-out” option within each message, e.g., a press-activated mechanism or a toll-free number for voice calls and replying “STOP” for text messages.
- All opt-out requests must be honored immediately.
Best TCPA Strategies and Practices for Healthcare Providers
If a healthcare company exceeds the limited exemption described above, it is important to comply with the TCPA. Protecting healthcare companies’ starts with a risk analysis of existing telecommunication practices and system functions that are subject to the TCPA, as follows:
- Define all telecommunication methods utilized by the healthcare entity, its providers, and third-party vendors to communicate with patients, including but not limited to:
- automated calling equipment
- predictive dialers
- artificial or prerecorded voices
- text messaging
- fax advertising
- telemarketing practices
- Provide an assessment of current safeguards, such as the seven conditions delineated above, in order to sufficiently gauge the existing state of compliance with regulatory requirements.
- Audit vendors and third-party administrators, whose actions are subject to the TCPA, in order to ensure that their practices and safeguards remain compliant as well.
- Organizational leaders are urged to thoroughly review and confirm that all consent and HIPAA-related documents contain the requisite provisions to secure a patient’s prior express consent to all non-exempt autodialed calls.
- Records of patient consent should be meticulously preserved, as well as all instances of consent revocation, do-not-call requests, or reassigned numbers. When a patient’s consent status c changes, swift action is required to immediately terminate any call that is both unconsented and subject to the TCPA.
- A formal and written protocol that delineates the phone number collection process is another effective safeguard for reinforcing staff expectations. The protocol must ensure that wireless and residential numbers are easily distinguished in both patient care and business records.
- With respect to placed calls, a written or electronic log should track which phone numbers are manually dialed and which are autodialed.
- Hospital leadership must work closely with legal counsel to ensure that all telemarketing messages, fax advertisements, and other marketing activities comply with the privacy safeguards articulated in HIPAA, the FCC regulations, and the TCPA.
- Annual staff training, jointly presented by legal counsel and risk management, is an additional measure to help maintain compliance levels regarding relevant updates and/or clarifications to the TCPA and associated FCC regulations.