As healthcare organizations and providers are working tirelessly to care for patients amidst the COVID-19 pandemic, communication solutions, such as automated texting and calling, can help them keep patients updated on when, where, and how to stay connected to their doctors. That’s why health-related businesses must understand how to comply with security and privacy regulations, including the Telephone Consumer Protection Act (TCPA) and the newly enacted Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act signed into law in 2019.


What is the Telephone Consumer Protection Act?

In 1991, Congress enacted the TCPA to protect consumers from unsolicited telemarketing calls. TCPA regulations prohibit businesses from using auto-dialers to call individuals who have not provided consent. All marketers, common carriers, and businesses are subject to the TCPA rules which were adopted by the Federal Communications Commission (FCC) in 1992.

TCPA rules prohibit telemarketers from using auto-dialers and prerecorded messages to communicate with consumers who have not provided prior express written consent. The rules also require businesses to follow procedures for maintaining a do-not-call list and providing an “opt-out” option for each robocall.

While healthcare marketing is subject to TCPA compliance, there are slightly different rules based on the FCC’s TCPA healthcare exception.


What is the TCPA healthcare exemption?

The Telephone Consumer Protection Act’s healthcare exemption allows healthcare-covered entities to deliver health-related messages to patients and consumers as long as they comply with HIPAA and certain conditions. TCPA healthcare exception conditions include:

  • Messages must be healthcare-related under HIPAA, and may NOT include any promotional or financial solicitation.
  • Messages must be sent only to the telephone number provided.
  • Messages must explicitly state the name and contact information of the healthcare entity.
  • Messages must be concise, with voice messages under 1 minute and text messages under 160 characters.
  • Message frequency must be no more than once per day, and up to three times per week.
  • All communications must offer an easy opt-out.
  • Opt-out requests must be honored immediately.

The healthcare exemption encourages healthcare providers and payers to promote public health using reasonable and fair communication channels while still protecting patients and consumers from unwanted marketing calls and text messages.

The new TRACED Act enforces TCPA compliance by strengthening regulations for robocalls. At the end of 2019, President Donald Trump signed the TRACED Act into law, which requires the FCC to implement new regulations aimed at eliminating illegal telemarketing calls using automated dialers.

The TRACED Act supports the Telephone Consumer Protection Act by requiring the FCC to:

  • Establish new rules to prevent unauthenticated calls and texts to consumers, including the implementation of an authentication framework dubbed SHAKEN/STIR (Signature-based Handling of Asserted Information Using toKENs (SHAKEN) and the Secure Telephone Identity Revisited (STIR)). SHAKEN/STIR allows phone providers to validate that a phone call is indeed coming from whoever seems to be calling.
  • Authorize up to $10,000 in fines per call violation.
  • Provide annual reports on regulation enforcements to Congress.
  • Convene an interagency task force to revisit the prosecution of robocall violators.


What do healthcare entities need to know about TRACED Act and TCPA compliance?

Healthcare entities that don’t comply with the TCPA and Traced Act can face expensive fines, so it’s important to understand the requirements for compliance. The TRACED Act doesn’t change anything about the existing rules for TCPA compliance. Rather, it adds an extra layer of accountability for the FCC to ensure compliance with the Telephone Consumer Protection Act and regulations to eliminate unsolicited robocalls.

Here’s what healthcare entities need to know.


All consumer and patient communications must comply with HIPAA.

The Health Insurance Portability and Accountability Act (HIPAA) encompasses multiple rules related to protecting patient privacy and security. Both the Privacy Rule and the Security Rule offer provisions for covered entities to implement safeguards that minimize unauthorized use, exposure, or access of protected health information (PHI) as it is created, communicated, and maintained.

Most reasonable safeguards are subjective when it comes to HIPAA compliance and text messaging programs. However, these 5 HIPAA rules regarding text messaging can help healthcare organizations comply with HIPAA.


Healthcare entities must obtain prior express consent if they communicate with patients or consumers using an automated dialer system.

Under the Telephone Consumer Protection Act’s healthcare exemption, individuals who provide a cell phone number are expressing consent to receive calls or texts for communications related to their health. For entities using automated dialers or prerecorded messages, healthcare information may be distributed to landlines and cell phones for patients and consumers who have provided their phone numbers. Healthcare information is limited to that which addresses an individual’s health and wellness, such as:

  • Appointment confirmations and reminders
  • Wellness checkups
  • Hospital pre-registration instructions
  • Preoperative instructions
  • Lab results
  • Post-discharge follow-up
  • Prescription notifications
  • Home healthcare instructions

It’s important to note that any healthcare entity who wants to distribute promotional marketing or financial information via automated dialers or prerecorded messages MUST collect prior express written consent. Prior express written consent is required for all promotional or financial communications, regardless of whether you’re calling a cell phone or residential landline.


Health-related consumer communications using autodialers must comply with messaging frequency and length regulations.

When communicating with consumers who have provided prior express consent for health-related information via text or voice channels, TCPA compliance requires entities to limit how often they can text or call. Automated communication via voice and text is limited to up to one time per day and three times per week.

In addition, the Telephone Consumer Protection Act requires recorded voice messages for telephones (both cell phones and residential landlines) to be under one minute in length. Similarly, text messages must be less than 160 characters. Both types of messages need to explicitly state the healthcare entity’s name and contact information. They also must offer opportunities for recipients to opt out of communications.


Healthcare communications must enable and honor opt-out requests.

Consumers must have a clear opportunity to opt out of automated voice and text communications in compliance with both the TCPA and TRACED Act. Healthcare entities need to consider how their communication workflows allow recipients to revoke any express consent for receiving healthcare information via autodialers and prerecorded messages. Opt-out requests must be honored immediately, so it’s important to implement policies and procedures for managing and responding to patient opt-outs.

The TRACED Act requires voice service providers to use authentication technology.

Finally, the TRACED Act offers consumers and patients more information regarding incoming calls so they can make informed decisions on whether or not to answer based on the caller ID and number. Voice service providers (and any related third parties providing automated communication technology solutions) must use caller ID authentication technology to validate that phone calls are coming from the number that appears to be calling. Regulations are subjective so long as service providers are making reasonable efforts to implement an authentication system that is reliable and free of charge.


TCPA and HIPAA compliance is our specialty.

As a technology solutions company for healthcare providers and practices, we’re well versed in HIPAA, the TRACED Act, and the TCPA. You can count on us to provide secure, HIPAA-compliant communication technology via text and voice that allows you to scale your patient outreach while protecting PHI and adhering to regulations for automated communications.

Talk to one of our experts today to see how we can help you send secure, TCPA-compliant messages to your patients.