Are You Ready for the New TCPA Rules? 

In less than two months, new rules for the Telephone Consumer Protection Act (TCPA) will go into effect. For healthcare providers, that means knowing how to comply with them — or risk costly penalties. 

What is the TCPA? It was enacted by Congress in 1991 to protect consumers from unsolicited telemarketing calls and messages. 

TCPA regulations prohibit businesses from using auto-dialers to contact individuals who have not provided consent. The Act also specifies that these entities are not to use prerecorded messages to communicate with these consumers and must follow procedures for maintaining a do-not-call list and providing an “opt-out” option for each call. 

TCPA Exemption Rules 

All marketers, common carriers and businesses are subject to the TCPA rules, which were adopted by the Federal Communications Commission (FCC) in 1992. Healthcare marketing is subject to TCPA compliance, but there are slightly different rules based on the FCC’s TCPA healthcare exemption. 

This exemption encourages healthcare providers and payers to promote public health using reasonable and fair communication channels while still protecting patients and consumers from unwanted marketing calls and text messages. It enables healthcare-covered entities to deliver health-related messages to patients and consumers — as long as they comply with HIPAA regulations and certain conditions, including:

  • Messages must be healthcare-related under HIPAA and may not include any promotional or financial solicitation (i.e., accounting, billing or debt collection)
  • Messages can only be sent to the cell phone number provided by the patient.
  • Messages must explicitly state the name and contact information of the healthcare entity.
  • Messages must be concise, with voice messages under one minute and text messages with fewer than 160 characters.
  • Calls must be free to the end user.
  • Callers may contact residential consumers only between 8:00 AM and 9:00 PM (recipient’s time zone).
  • All communications must offer an easy opt-out.
  • Opt-out requests must be honored immediately.

Soon-to-be Implemented Rules 

The new TCPA rules for some exempt calls are scheduled to go into effect on July 20, 2023. The new guidelines added call limits and opt-out requirements for the following types of artificial or prerecorded voice calls: 

  • Non-commercial calls to a residence
  • Commercial calls to a residence that do not include an advertisement or constitute telemarketing
  • Tax-exempt nonprofit organization calls to a residence
  • HIPAA-related calls to a residence.

Also, under the new rule, to be exempt from the TCPA’s consent requirements, callers are limited to three calls per week (one per day) for healthcare-related calls. They must include an opportunity to opt out of prerecorded calls as part of the message. 

Penalties for Non-compliance 

Violations of the TCPA aren’t as expensive as those for the Do Not Call (DNC) provision of the Telemarketing Sales Rule (TSR), the maximum for which has increased to $46,517. However, fines for TCPA non-compliance range from $500 to $1500 per individual violation, with willful action being higher.  Plus, penalties can be assessed multiple times per phone call if it violates more than one aspect of the TCPA’s regulations. 

Fines for TCPA violations aren’t as high as those for the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act, which was signed into law in 2019. Under the TRACED Act, penalties for robocall violations carry a maximum fine of up to $10,000, even in situations where no criminal intent is present. This law doesn’t change anything about the existing rules for TCPA compliance, but it adds an extra layer of accountability for the FCC to ensure compliance with the TCPA. 

Protecting Healthcare Providers from Non-Compliance

There are four primary points you should know about both the TCPA and TRACE Act to ensure you keep compliant with them. 

1. All patient communications must comply with HIPAA.

HIPAA includes multiple rules for protecting patient privacy and security. Both the Privacy and the Security Rules offer provisions for covered entities to implement safeguards that minimize unauthorized use, exposure or access of protected health information (PHI) as it is created, communicated and maintained. 

2.    Healthcare entities must obtain prior express consent if they use an automated dialer system. To communicate with patients.

Under the TCPA’s healthcare exemption, individuals who provide a cell phone number are expressing consent to receive calls or texts for communication related to their health. For entities using automated dialers or prerecorded messages, healthcare information may be distributed to landlines and cell phones for patients and consumers who have provided their phone numbers. Information is limited to that which addresses an individual’s health and wellness, such as:

  • Appointment confirmations and reminders
  • Wellness checkups
  • Hospital pre-registration instructions
  • Preoperative instructions
  • Lab results
  • Post-discharge follow-up
  • Prescription notifications
  • Home healthcare instructions 

Any healthcare entity attempting to distribute promotional marketing or financial information via automated dialers or prerecorded messages must collect prior express written consent. This consent is required for all promotional or financial communications, regardless of whether you’re calling a cell phone or residential landline. 

3.    Health-related patient communications using autodialers must comply with messaging frequency and length regulations.

When communicating with patients who have provided prior express consent for health-related information via text or voice channels, TCPA compliance requires entities to limit how often they can text or call. And, recorded voice messages for telephones (both cell phones and residential landlines) must be under one minute in length. Similarly, text messages must be fewer than 160 characters. Both types of messages need to explicitly state the healthcare entity’s name and contact information and offer opportunities for recipients to opt out of communications. 

4.    Healthcare communications must enable and honor opt-out requests.

Patients must have a clear opportunity to opt out of automated voice and text communications in compliance with both the TCPA and TRACED Acts. Healthcare entities need to consider how their communication workflows allow recipients to revoke any express consent for receiving healthcare information via autodialers and prerecorded messages. Opt-out requests must be honored immediately, so it’s important to implement policies and procedures for managing and responding to patient opt-outs. 

Connect with Ryan on LinkedIn for more information on healthcare rules and regulations.