Are phone calls a HIPAA violation?

The rules regarding HIPAA compliance and patient telephone calls have been clarified with a Declaratory Ruling and Order issued by the Federal Communication Commission (FCC).

Many healthcare providers have called on the FCC to clarify the rules regarding HIPAA and patient telephone calls by healthcare providers, as the original legislation was deemed ambiguous. The healthcare providers further requested information on how the rules comply with the Telephone Consumer Protection Act (TCPA). In response to these requests, the FCC has issued a Declaratory Ruling and Order to remove any ambiguity. This clarification comes over two decades after the TCPA was introduced.

The ruling clarifies the rules regarding HIPAA and patient telephone calls made by covered entities (CEs) and their Business Associates (BAs). The ruling also exempts CEs and Business Entities from certain TCPA legislation when certain conditions are met.

Rules Regarding HIPAA and Patient Telephone Calls

The FCC´s order clarifying the rules regarding HIPAA and patient telephone calls are outlined as follows. If a patient provides a contact telephone number to a healthcare provider, the provision of that telephone number constitutes express consent for telephone calls to be made, subject to certain HIPAA restrictions. Consent applies to calls and text messages related to:

  • The provision of medical treatment.
  • Health checkups.
  • Appointments and reminders.
  • Lab test results.
  • Pre-operative instructions.
  • Post discharge follow up calls.
  • Notifications about prescriptions.
  • Home healthcare instructions.
  • Hospital pre-registration instructions.

When a telephone call is made, healthcare providers must first provide their name and contact details to the patent. The FCC recommends that calls should be concise. Their recommendation states that in most cases, the call should be limited to 60 seconds. Likewise, in the case of text messages, they should be restricted to 160 characters. The FCC has also recommended that the number of calls made to a patient should be limited to a maximum of three calls per week. They further deem a single text message sent to the patient per day to be acceptable.

The content of all communications is still subject to certain HIPAA restrictions. One such restriction is the Minimum Necessary Rule. This states that calls can only be made for the purposes described above. If the calls were used for any other purpose, such as telemarketing, advertising or solicitation, this would be a violation.

Some telephone calls and text messages exempted from TCPA Rules are still subject to certain restrictions:

  • Telephone calls and text messages must not be charged to the client, or counted against plan limits, and those calls can only be made to the wireless telephone number provided by the patient.
  • Patients may have given prior express consent to receive voice calls and text messages, but that consent can be rescinded. Patients should be reminded of that fact and given a means of opting out of future communications.
  • If a message be left on an answering machine, patients should be provided with a toll-free telephone number to contact their healthcare provider.
  • Calls are still subject to TCPA rules if made regarding Social Security disability eligibility, payment notifications, debt collections, accounting issues and other financial matters.

The FCC´s Declaratory Ruling and Order to clarify the rules regarding HIPAA and patient telephone calls also covers the provision of prior express consent by a third party, such as when a patient is incapacitated. If consent cannot be provided by a patient due to incapacity, the FCC will allow a third party to provide that consent, but only in the extreme circumstance in which the patient is incapable of doing so personally. Should a patient recover the ability to provide consent personally, the consent provided by the third party would no longer be valid and the healthcare provider would be required to obtain consent from the patient.

HIPAA Compliant Automated Calls to Patients

Despite addressing many issues in their ruling, the FCC failed to remove the ambiguity in HIPAA compliant automated calls to patient. They detailed what constitutes an autodialling device, but failed to reconcile HIPAA compliance with the 2013 ban on telephone calls and text messages to mobile phones from an automatic dialling system.

Prior to the ban, consent could be inferred by an existing relationship between the healthcare provider and the patient. A new ruling in October 2013 stated that the FCC requires prior written, unambiguous consent from the individual receiving calls on a mobile phone from an autodialling device.

Although an exemption was made for HIPAA compliant automated calls to patients´ landlines, healthcare providers should continue to avoid liability for breaches of ECPA by requiring their patient to provide written consent to receive messages on the mobile phones that may have been generated by an autodialling device.

Under the FCC ruling, provided that the texting service provider signs a Business Associate Agreement (BAA), automated appointment reminders sent to mobile devices via a third-party texting service are allowed. It is hoped that the situation regarding HIPAA compliant automated calls to patients will be clarified soon by a future FCC ruling.


Update: In April 2021, the Supreme Court ruled certain types of automatic dialing systems that do not have the capacity to store or produce a telephone number using a random or sequential number generator do not meet the statutory definition of autodialing devices.

While this ruling allows companies with these types of automatic dialing systems to make unsolicited calls and send unsolicited texts to mobile devices, Congress has promised to draft new legislation to close this loophole in the Telephone Consumer Protection Act.

Due to likely future changes in the HIPAA telephone rules, Covered Entities are advised to continue asking patients for written consent before making unsolicited calls or sending unsolicited text messages to a mobile phone from an autodialing device.