What are the HIPAA rules regarding telephoning patients?

While there are now more options than ever for organizations to communicate with patients, both through physical written correspondence and electronic messages much as emails, it is good policy for groups to familiarize and refresh themselves on the Health Insurance Portability and Accountability Act (HIPAA) rules regarding telephoning patients.

There is a certain amount of commonality and complementarity between the HIPAA rules and the rules of another law, the Telephone Consumer Protection Act (TCPA). While it is generally up to the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general to enforce HIPAA, the areas that were leading to confusion in relation to telephone calls were cleared up through a Declaratory Ruling and Order that was issued by the Federal Communications Commission.

Through this Declaratory Ruling, HIPAA covered entities and their business associates have their obligations under HIPAA laid out, and receive exemptions in certain areas of the TCPA.

Patient Telephone Call Rules under HIPAA and the TCPA

The ruling from the FCC addresses key areas such as consent. It has been established in the order that when a contact number is provided by a patient to a healthcare provider, this action carries with it the implicit and express consent for the healthcare provider to contact the patient using this telephone number, so long as other conditions under HIPAA are met. Contact methods covered by this consent include both telephone calls and text messages, so long as these are in relation to one of the following areas:

  • The provision of medical treatment.

  • Health checkups.

  • Appointments and reminders.

  • Lab test results.

  • Pre-operative instructions.

  • Post discharge follow up calls.

  • Notifications about prescriptions.

  • Home healthcare instructions.

  • Hospital pre-registration instructions.

There are certain elements that a healthcare must provide upon calling a patient, such as their name and contact details. The official guidance is that calls should be short in nature, recommending that they not exceed 60 seconds. Text messages should not exceed 160 characters in length. There are also limits placed on the acceptable frequency of contact: three calls per week and one text message per day.

In keeping with other areas of HIPAA, the Minimum Necessary Rule should be applied. Telemarketing and other commercial calls are not permitted. Even contacts that are freed from TCPA requirements must meet certain standards:

  • Calls and text messages cannot be billed to the patient, or counted against plan limits. Calls to non-landmines can only be made to the wireless telephone number provided by the patient.

  • Even though consent may have been received to call or text patients, text messages, consent can be revoked and patients should be reminded this and allowed to opt out of future communications.

  • Should a message be left on an answering machine, a toll-free contact number should be provided to patients to reach their healthcare provider.

  • Calls regarding Social Security disability eligibility, payment notifications, debt collections, accounting issues, and other financial matters remain subject to TCPA rules.

The ruling includes information pertaining to instances where consent was received from a third party, for example if the patient was unconscious or unresponsive. In these cases, the third party’s consent is valid only until the patient regains the ability to provide or withhold consent themselves. The healthcare provider wold therefore need to reacquire consent from the patient.

Automated Telephone Calls

A certain gray area remains in relation to automated phone calls. In 2013, telephone calls and text messages to mobile phones from automatic dialing systems was prohibited in separate legislation. Prior unambiguous written consent was required from the individual before an autodialing device could be used to make calls to a mobile telephone. While landline telephones do not require such express consent, healthcare providers should ensure they do not contact a mobile telephone number by accident; or better still, systematically seek consent from patients to do so.

A practice that remains HIPAA and TCPA complaint is the sending of automated appointment reminders to mobile devices via third-party texting services. This is permitted in circumstances where the texting service provider has signed a Business Associate Agreement (BAA).