Operating a medical practice or health system requires compliance with various state and federal regulations, especially in today’s digitally-driven world where patient communication via text messaging and phone calls have become the leading communication solutions.
These regulations govern everything from consumer protection to patient safety. Two of the most crucial security and privacy regulations are the Telephone Consumer Protection Act (TCPA) and Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act).
This blog explains these two acts and how their rules apply to healthcare.
What Is TCPA?
The United States Congress legislated the Telephone Consumer Protection Act (TCPA) in 1991 to prevent telemarketers from making unwanted and non-consensual contact with consumers via phone and fax. The law restricts telemarketing from using automated dialing systems and prerecorded voice messages on specific phone calls and text messages.
TCPA also regulates collections’ actions by phone. Patients may file complaints with the Federal Communications Commission (FCC) when TCPA is violated in healthcare. Since TCPA governs consumer rights, patients who suffer violations may also file lawsuits.
The FCC adopted rules to implement TCPA in 1992, including requiring telephone marketers to maintain ‘do-not-call’ lists. The FCC then partnered with the Federal Trade Commission (FTC) in 2003 to establish a national Do Not Call Registry, with exceptions made for nonprofits. In 2012, the FCC revised the rules relating to TCPA, requiring businesses to get signed written consumer consent for robocalls to mobile phones or calls using pre-recorded voice messages and providing automated opt-outs.
For healthcare providers, there are some exemptions to TCPA rules.
What Are the TCPA Exemptions for Healthcare Providers?
The following three exemptions are allowed by the FCC under the TCPA for healthcare providers:
1. Healthcare Messages
Medical practices can make calls to residential landlines from an entity covered by HIPAA, including its business associates, using a prerecorded message to deliver a medical-related message without the called party's consent.
Text messages or phone calls to mobile devices using an automatic telephone dialing system (ATDS) or prerecorded voice that delivers a medical-related message are subject to the TCPA. Still, they only require prior express consent rather than the customarily required prior express written consent.
2. Healthcare Treatment Purpose Exemption
Medical practices can place auto-dialed and prerecorded text and voice messages to mobile devices without consent to convey “healthcare messages,” as HIPAA defines.
3. Urgent Healthcare Messages via the 2015 Order
The 2015 Order (FCC-15-72) is for healthcare calls that are not emergencies but are considered urgent. Calls must have a specific purpose: appointment reminders, wellness checkups, prescription notifications, pre-registration instructions, lab results, and exam confirmations to qualify. According to the FCC, calls are not covered if they include account communications, payment notifications, or Social Security disability eligibility.
While the FCC agrees that urgent calls are essential, the FCC still established a long list of conditions that calls must meet to qualify for the TCPA healthcare exemption. The exemption conditions also include healthcare-covered entities that deliver health-related messages to patients, as long as they comply with HIPAA and other specific conditions. The TCPA healthcare exception conditions include the following.
- All methods of communication must offer an easy cancellation.
- Cancel requests must be honored immediately.
- Send every message to the provided telephone number only.
- Every message must expressly state the name and contact information of the medical practice entity.
- Messages should be strictly medical-related under HIPAA and may not include any promotional or financial solicitation.
- Messages must be brief, with voice messages under one minute and text messages under 160 characters.
- There must not frequently be more than one message per day, with a maximum of three per week.
The TCPA healthcare exemption encourages medical practices to promote public health using reasonable and fair communication channels while protecting patients and consumers from unwanted telemarketing calls and text messages.
What Is the TRACED Act?
The regulations of the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act) fight illegal or unwanted robocalls. Caller ID authentication allows voice service providers to verify that the caller ID information transmitted with a specific call matches the caller’s actual number, which, in turn, helps to determine whether the call should be blocked or labeled.
Widespread deployment of caller ID authentication reduces the effectiveness of illegal spoofed caller ID, allows law enforcement to identify bad actors more efficiently, and enables phone organizations to block illegal calls before they reach the patient or consumer. Here’s more about the TRACED Act and the FCC’s implementation efforts.
The Implementation of STIR/SHAKEN
The TRACED Act required the FCC to mandate the Signature-based Handling of Asserted Information Using toKENs (SHAKEN) and the Secure Telephone Identity Revisited (STIR) caller identification framework. STIR/SHAKEN lets phone organizations verify that the caller ID information transmitted with a call matches the caller’s actual phone number.
Assess Barriers to Implementing STIR/SHAKEN
The TRACED Act required the commission to assess the burdens and barriers providers may face in implementing the STIR/SHAKEN framework on their networks and permitted the commission to grant extensions for phone companies that face undue hardship in implementation, so long as those companies perform robocall mitigation to ensure they are not the source of illegal robocalls.
How Do TCPA and the TRACED ACT Protect Patients?
The TCPA and TRACED Act protects patients from unwanted, fraudulent, disruptive, and potentially harmful solicitations by telemarketers and nefarious spammers via phone calls or text messages. They also might inadvertently interfere with how public safety leaders issue vital news and information to subscribed citizens or travelers in the path of an emergency.
The comprehensive guide, the governing bodies, legislation, and technical terminology define this complex issue and help public safety leaders understand its short and long-term implications for citizen emergency communications. For healthcare providers to follow the rules of TCPA and the TRACED Act, they must know two important things:
1. Patient communications must, at any cost, comply with HIPAA
HIPAA establishes many rules related to protecting patient privacy and security. The Privacy Rule and the Security Rule offer provisions for covered entities to implement safeguards that minimize unauthorized use, exposure, or access of Protected Health Information (PHI) as it is created, communicated, and maintained. When sending healthcare-related messages under the TCPA or the TRACED Act, they must always comply with HIPAA.
2. Secure prior consent from patients before communicating with them with an automated dialer system
Under the TCPA’s healthcare exemption, individuals who provide a mobile number express consent to receive phone calls or text messages for communications related to their health. Entities using automated dialers or prerecorded messages may distribute medical information to patients’ provided mobile phone numbers. Medical information is also limited to that which addresses a patient’s health information, such as:
- Appointment confirmations and reminders
- Wellness checkups
- Hospital pre-registration instructions
- Home healthcare instructions
- Preoperative instructions
- Lab test results
- Post-discharge follow-up
- Prescription notifications
It’s vital to note that any healthcare organization or medical practice that wants to distribute financial information or promotional marketing via automated dialers or prerecorded messages must gather prior written consent. All promotional or financial communications require prior express written consent, regardless of whether you’re calling a cell phone or residential landline.
TCPA and HIPAA Compliance Is Curogram’s Utmost Priority
Although the TCPA landscape is challenging, navigating it is still possible. Using a solid HIPAA-compliant platform such as Curogram and taking steps to implement TCPA and TRACED Act rules can significantly mitigate default risks. Curogram provides secure, HIPAA-compliant patient communication via 2-way text messaging that allows your practice to scale your patient outreach and adhere to regulations for automated communications. Book a demo with Curogram today to know more about secure TCPA-compliant messaging to patients.