Are phone calls a HIPAA violation?

The rules regarding HIPAA compliance and patient telephone calls have been clarified with a Declaratory Ruling and Order issued by the Federal Communication Commission (FCC).

Many healthcare providers have called on the FCC to clarify the rules regarding HIPAA and patient telephone calls by healthcare providers, as the original legislation was deemed ambiguous. The healthcare providers further requested information on how the rules comply with the Telephone Consumer Protection Act (TCPA). In response to these requests, the FCC has issued a Declaratory Ruling and Order to remove any ambiguity. This clarification comes over two decades after the TCPA was introduced.

The ruling clarifies the rules regarding HIPAA and patient telephone calls made by covered entities (CEs) and their Business Associates (BAs). The ruling also exempts CEs and Business Entities from certain TCPA legislation when certain conditions are met.

Rules Regarding HIPAA and Patient Telephone Calls

The FCC´s order clarifying the rules regarding HIPAA and patient telephone calls are outlined as follows. If a patient provides a contact telephone number to a healthcare provider, the provision of that telephone number constitutes express consent for telephone calls to be made, subject to certain HIPAA restrictions. Consent applies to calls and text messages related to:

  • The provision of medical treatment.
  • Health checkups.
  • Appointments and reminders.
  • Lab test results.
  • Pre-operative instructions.
  • Post discharge follow up calls.
  • Notifications about prescriptions.
  • Home healthcare instructions.
  • Hospital pre-registration instructions.

When a telephone call is made, healthcare providers must first provide their name and contact details to the patent. The FCC recommends that calls should be concise. Their recommendation states that in most cases, the call should be limited to 60 seconds. Likewise, in the case of text messages, they should be restricted to 160 characters. The FCC has also recommended that the number of calls made to a patient should be limited to a maximum of three calls per week. They further deem a single text message sent to the patient per day to be acceptable. The content of all communications is still subject to HIPAA restrictions such as the Minimum Necessary Standard.

Some telephone calls and text messages exempted from TCPA Rules are still subject to certain restrictions:

  • Telephone calls and text messages must not be charged to the client, or counted against plan limits, and those calls can only be made to the wireless telephone number provided by the patient.
  • Patients may have given prior express consent to receive voice calls and text messages, but that consent can be rescinded. Patients should be reminded of that fact and given a means of opting out of future communications.
  • If a message is left on an answering machine, patients should be provided with a toll-free telephone number to contact their healthcare provider.
  • Calls are still subject to TCPA rules if made regarding Social Security disability eligibility, payment notifications, debt collections, accounting issues, and other financial matters.

The FCC´s Declaratory Ruling and Order to clarify the rules regarding HIPAA and patient telephone calls also covers the provision of prior express consent by a third party, such as when a patient is incapacitated. If consent cannot be provided by a patient due to incapacity, the FCC will allow a third party to provide that consent, but only in the extreme circumstance in which the patient is incapable of doing so personally. Should a patient recover the ability to provide consent personally, the consent provided by the third party would no longer be valid and the healthcare provider would be required to obtain consent from the patient.

HIPAA Compliant Automated Calls to Patients

Despite addressing many issues in their ruling, the FCC failed to remove the ambiguity in HIPAA compliant automated calls to patient. They detailed what constitutes an autodialing device, but failed to reconcile HIPAA compliance with the 2013 ban on telephone calls and text messages to mobile phones from an automatic dialing system.

Prior to the ban, consent could be inferred by an existing relationship between the healthcare provider and the patient. A new ruling in October 2013 stated that the FCC requires prior written, unambiguous consent from the individual receiving calls on a mobile phone from an autodialing device.

Although an exemption was made for HIPAA compliant automated calls to patients´ landlines, healthcare providers should continue to avoid liability for breaches of ECPA by requiring their patient to provide written consent to receive messages on the mobile phones that may have been generated by an autodialing device.

Under the FCC ruling, provided that the texting service provider signs a Business Associate Agreement (BAA), automated appointment reminders sent to mobile devices via a third-party texting service are allowed. It is hoped that the situation regarding HIPAA compliant automated calls to patients will be clarified soon by a future FCC ruling.

Update

In April 2021, the Supreme Court ruled certain types of automatic dialing systems that do not have the capacity to store or produce a telephone number using a random or sequential number generator do not meet the statutory definition of autodialing devices.

While this ruling allows companies with these types of automatic dialing systems to make unsolicited calls and send unsolicited texts to mobile devices, Congress promised to draft new legislation to close this loophole in the Telephone Consumer Protection Act.

As the new federal legislation failed to materialize by the end of the year, both Florida and Oklahoma enacted their own state legislation in early 2022. The legislation prohibits any organization using an autodialing service to contact residents of the state without consent.

FAQs

Are phone calls a HIPAA violation?

Phone calls from healthcare providers to patients are not HIPAA violations unless the patient has expressed in writing that they do not want to receive phone calls. If phone calls containing health information are made to a family member or friend, the patient should be given the opportunity to object to the call being made unless they are incapable of giving/withdrawing consent, in which case a healthcare professional can use their judgement on the best source of action.

What if a family member calls to ask about a patient?

If a family member calls to ask about a patient, hospitals can disclose PHI over the phone unless the patient has objected to information being shared. The identity of the family member should be verified, and the information disclosed to the family member should only relate to the patient´s current condition. Hospitals are not allowed to disclose unrelated past medical histories to family members without the patient´s consent.

Are cell phone calls HIPAA-compliant?

Calls to patients´ cell phones are subject to the same HIPAA Privacy rules as calls to patients´ landline telephones – although if made over a VoIP service, Covered Entities are required to have a Business Associate Agreement with the telecommunications provider. However, calls from a patient to a healthcare provider´s cell phone could be in violation of HIPAA if the patient´s name and number is recorded in a healthcare professional´s cell phone and there are no safeguards in place to prevent the patient´s information being disclosed without authorization if the cell phone is lost or stolen.

If a hospital discloses my health information in a phone call, who do I complain to?

In the first instance, you should contact the hospital and request an accounting of disclosures. This will tell you who the information was disclosed to and for what reason. If the disclosure is not allowable, you should complain in the first instance to the hospital´s HIPAA Privacy Officer. If you then decide to escalate the complaint, you can call your state´s Department of Health & Human Services or file a complaint online via the OCR complaints portal.