HIPAA and Patient Telephone Call Rules Confirmed by FCC

The Federal Communication Commission has published a Declaratory Ruling and Order to state the rules in relation to HIPAA and patient telephone calls.

Some healthcare suppliers have had trouble relating to the rules regarding HIPAA and patient telephone calls, and how the rules adhere with the Telephone Consumer Protection Act (TCPA). Now, almost 20 years after the respective Acts were passed, the Federal Communications Commission (FCC) has issued a Declaratory Ruling and Order to clear up any confusion.

The ruling states the rules regarding HIPAA and patient telephone calls made by covered group and their Business Associates. The ruling also removes covered entities and Business Entities from being subject to specific TCPA legislation in certain instances.

HIPAA and Patient Telephone Calls Rules

The FCC’s order clarifying the rules in relation to HIPAA and patient telephone calls states that, if a patient gives a contact telephone number to a healthcare supplier, that constitutes express permission for telephone calls to be made, subject to some HIPAA restrictions. Consent is given for calls and text messages related to:

  • Providing medical treatment
  • Regular health checkups
  • Reminders for appointments
  • Laboratory test results
  • Instructions pre-operative
  • Follow up calls after discharge
  • Alerts about about prescriptions
  • Instructions for home healthcare
  • Instructions for hospital pre-registration

When a telephone call takes place, healthcare suppliers must first give their name and contact details. The FCC advises that calls should be short, and limited, in most cases, to 60 seconds. In the case of text messages, they should be limited to 160 characters. The frequency of communications is also minimal. Patients should only ever be subjected to a maximum of three calls per week, and only one text message per day is permissible.

The content of all communications within the remit of HIPAA rules – such as the Minimum Necessary Rule. Calls can only be made for the purposes included above, and cannot include any telemarketing, advertising or solicitation. Some telephone calls and text messages removed from TCPA Rules are still subject to certain limits:

  • The cost of telephone calls and text messages must not be charged to the client, or included in plan limits, and those calls can only be completed to the wireless telephone number provided by the patient.
  • Patients may have given previos express consent to receive voice calls and text messages, but that consent can be taken away. Patients should be reminded of this and given a means of opting out of future communications.
  • If a message is recorded on an answering machine, patients should be given a toll-free telephone number to get in touch with their healthcare provider.
  • Calls come within TCPA rules if made in relation to Social Security disability eligibility, payment notifications, debt collections, accounting issues and other financial matters.

The FCC’s Declaratory Ruling and Order to explain the rules regarding HIPAA and patient telephone calls also includes the provision of prior express consent by a third party, such as when a patient is incapacitated. If consent cannot be given by a patient due to some sort of incapacity, the FCC will permit a third party to provide that consent, but only when the patient is incapable of doing so themselves. Should a patient regain the ability to provide consent personally, the consent provided by the third party would no longer be valid and the healthcare provider would be required to receive obtain consent from the previously incapacitated individal.

Automated Calls to Patients and HIPAA Compliance

There is still some ambiguity regarding HIPAA and automated calls to patients. Although going into great details  about what an autodialing device is, the FCC ruling does not really reconcile HIPAA compliance with the 2013 ban on telephone calls and text messages to mobile phones from an automatic dialing system.

Before the ban, consent could be inferred by a previous relationship between the sender and the recipient (the healthcare provider and the patient). From October 16 2013 onwards, the FCC requires previous written, unambiguous consent from the person receiving calls on a mobile phone from an autodialing device.

Although an exemption was created for HIPAA compliant automated calls to patients’ landlines, healthcare providers should still avoid liability for breaches of ECPA by asking their patients for written consent to receive messages on the mobile phones that may have been completed by an autodialing device.

Strangely, automated appointment reminders send to mobile devices using a third-party texting service are permitted under the FCC ruling provided that the texting service provider completes a Business Associate Agreement (BAA). It is enviasaged that the situation regarding HIPAA compliant automated calls to patients will be outlined soon.

All details of the ruling can be read here.

HIPAA Violation Penalties

Most Common HIPAA Violations Causes