Reaching Out Without Getting Burned: Understanding the Impact of the TCPA on Health Plan Member Communications
Many health care plans and other covered entities operating in the health care arena—including business associates and contractors—are aggressively exploring the use of less formal communication modalities to better serve their members. Today, health plans regularly communicate with members through email but are increasingly seeking to communicate via the telephone—whether through automated dialer calls or text messages. Health plans believe that connecting with their members using the same communication vehicles their members routinely use with their families, friends, and others will allow the health plan to share important targeted, timely information that will increase member awareness and ultimately enhance member health and wellness. Thus, from appointment and general preventive care reminders (e.g., flu shot reminders), to specific information targeted to encouraging medication/treatment compliance related to the member’s specific condition (e.g., regular glucose monitoring for a diabetic), health plans see great promise in employing automated dialer calls and text messages as member communication vehicles.
But with this great promise comes significant potential regulatory peril. Health plans already are keenly aware of the many HIPAA privacy and security issues that arise with respect to any member communication and routinely consider issues such as: whether the communication involves the use or disclosure of protected health information (PHI) and, if so, whether the use/disclosure is for treatment, payment, or health care operations or is for marketing purposes, or whether encryption technology must be employed in connection with the use/disclosure. These questions remain important and necessary considerations. But now, depending on the mode of transmission, there are other legal requirements that must inform health plan communications with members.
The Telephone Consumer Protection Act
The TCPA is one such requirement. The TCPA is designed to protect individuals from unsolicited, automated phone calls (which include text messages) by establishing a number of important requirements for these calls. The reach of this law is quite broad in that it covers calls and texts made by any entity (which would include health plans), and governs informational calls and texts, as well as marketing calls and texts (thereby implicating the full range of messages that health plans might be seeking to communicate).
The TCPA is not only broad, it also is quite complicated—and this complexity rests in the wide range of rules that address almost every facet of how, when, why, and who is making the call. Below is a sampling of the areas regulated by the TCPA, and the factors that impact how calls and texts health plans might wish to make to their members will be regulated:
- The content of the message
- The purpose of the call
- Whether calls/texts contain marketing or advertising messages versus informational messages
- The ways in which members can revoke consent, including oral revocation
- Whether calls/texts are made to residential landlines or wireless numbers
- The time of day during which the call/text can be made
- Whether the number can be contacted at all (phone numbers that are on do-not-call lists versus those that are not)
- Whether calls/texts are automated (like prerecorded voice calls or calls/texts made using an autodialer) or made manually
- When consent is required from the call recipient and what type of consent is necessary
- The ways in which an autodialer may be used to make calls or place texts
Finally, and importantly, the TCPA establishes special rules for calls and texts by HIPAA-covered entities and business associates delivering “health care messages.”
While these distinctions may seem innocuous to a lay person, they matter greatly in the world of the TCPA. And, the stakes are high. Not only do violations of the TCPA subject callers to the possibility of regulatory fines for each call/text that is not TCPA compliant, callers are also at risk of class action litigation under the TCPA, a provision that plaintiffs’ attorneys routinely invoke.
The Interactions of TCPA and HIPAA
Compliance with both TCPA and HIPAA requires carefully threading a path between two complex regulatory regimes. For example, in some circumstances, the TCPA requires that the entities making a call or sending a text have the consent of the call recipient before initiating the call/text. If the message being sent includes PHI, HIPAA also requires certain forms of authorization before that call or text can be sent. Importantly, obtaining consent under the TCPA is not the same as obtaining authorization under HIPAA. For example, TCPA consent does not always have to be in writing.
With all of this in mind—not to mention integrating the various HIPAA privacy and security requirements—it is critically important for health care companies to consider the intersection of HIPAA and the TCPA before reaching out to members via calls and texts (and before entering into a contract with a vendor to provide such calling/texting services to you). Failing to do so could result in significant health plan liability. Further complicating matters, courts are struggling to interpret this confusing regulatory regime and recent Agency guidance on application of the TCPA to health care messages created more confusion than clarity. Our TCPA team—which takes advantage of Wiley Rein’s deep expertise in both the communications and health care fields—routinely deals with calling/texting programs that implicate these complicated questions.