The TCPA and Healthcare: Consent, Exemptions and Risk Mitigation

Health Highlights

February 26, 2020

Editor’s Note: The average cost of a Telephone Consumer Protection Act (TCPA) settlement is estimated at $6.6 million—and healthcare is among the top three industries being targeted for TCPA litigation. Though its sponsors in 1991 intended it for small claims court, the TCPA has turned into high-cost litigation with serious business, and even personal, consequences. Last year, an Illinois federal judge ruled that the CEO of a medical supply company was personally liable for $7.8 million in TCPA violations.

How can you protect your organization—and yourself? Manatt shared the answer at its recent webinar. In part one of our article summarizing the webinar, published in our January “Health Update,” we provided an overview of the TCPA; examined consent requirements; and explained how an auto-dialer is defined, including relevant litigation. In part two of our summary, below, we explain informational vs. marketing calls, consent standards, the primary exemptions for healthcare calls and risk mitigation strategies.

Click here to view the full program free on demand, download a free copy of the presentation and access our new TCPA Quick Reference Guide. (Available free, the new TCPA Quick Reference Guide includes easy-to-use flow charts that help guide you to the right decisions around TCPA consent rules, as well as a valuable list of TCPA “dos and don’ts.”)

Informational vs. Marketing Calls

Informational calls include debt collection calls, appointment reminders, survey calls and payment reminders. In contrast, under the TCPA, advertising calls are those that include “any materials advertising the commercial availability or quality of any property, goods or services” (47 C.F.R. Section 64.1200(f)(1)). Telemarketing is the “initiation of a telephone call or a message for the purpose of encouraging the purchase or rental or investment in property, goods, or services, which is transmitted to any person” (47 C.F.R. Section 64.1200(f)(12)).

Of course, a lot of healthcare calls have a dual purpose and include both informational and marketing content. For example, a pharmacy may call patients to remind them to renew their prescriptions and, in the same call, market a product or service that the pharmacy is providing. The statute considers dual-purpose calls as marketing, and, as a result, TCPA requirements apply.

Consent Standards and the Kolinek Case

Neither the TCPA nor the Federal Communications Commission (FCC) provides a specific definition of “prior express consent.” The FCC has ruled, however, that the standard may be satisfied if the consumer voluntarily provides his or her phone number. If a patient gives a physician or health plan his or her phone number, the general rule is that act provides some consent to receive a call. But what kind of call? The scope of consent is important. Recent case law considers the context in which the phone number was provided, as well as the consumer’s reasonable expectations. Although consent can be verbal or written, it is better to have the consent in writing and ensure the scope is clear.

Kolinek v. Walgreens Co. (N.D. Ill.) illustrates how scope can impact the general rule that providing a phone number means giving consent. In the Kolinek case, Mr. Kolinek provided his phone number to Walgreens when he picked up his prescription. He alleged in his complaint that the sales representative at the counter told him that his phone number would only be used to verify his identity for future refills. When Mr. Kolinek received text messages from Walgreens with refill reminders, he filed a TCPA class action. Walgreens filed a motion to dismiss and prevailed, arguing that Mr. Kolinek had voluntarily provided his phone number and that meant he was consenting to receive messages or calls.

Plaintiffs filed a motion for reconsideration, arguing that although the FCC had soon after the enactment of the TCPA noted that providing a phone number voluntarily gave consent to receive calls, it had since clarified that scope is context-specific. The manner in which consumers give their phone numbers to a business can determine scope. The court agreed and granted the motion for reconsideration, noting that questions remained about the context in which Mr. Kolinek provided his number and his expectations for how it would be used. As a result, the value of the case increased exponentially, and it ultimately settled for $11 million.

What Does Prior Express Consent Require?

What do healthcare organizations need to do to obtain prior express written consent? If a business does need to get prior express consent, it is helpful to refer to the following checklist:

Identify each specific seller to whom consent is being provided.
Identify the consumer’s phone number.
Indicate an affirmative agreement (i.e., I agree/consent).
Ensure there is a clear and conspicuous disclosure that the consumer is authorizing the seller to engage in advertising or marketing (i.e., offers for products/services). (It is not sufficient just to ask permission broadly to make calls. It must be clear that telemarketing is going to occur.)
Ensure there is a clear and conspicuous disclosure that the calls will be made using automated technology.
Ensure there is a clear and conspicuous disclosure that the consumer is not required to provide consent as a condition of purchasing goods or services. (Consumers must be able to withhold consent and still maintain a relationship with the entity.)
Obtain a written signature from the consumer (either electronically through E-SIGN or handwritten).

Third-Party Intermediary Consent

It is common for businesses to hire vendors or third parties to manage the consent process. The FCC agrees that a caller may rely on consent obtained through a third party. The FCC cautions, however, that the business making the calls is liable for TCPA violations if it turns out that the consent that the intermediary provided is not sufficient.

The 2015 FCC Ruling and Revocation of Consent

In 2015, the FCC ruled that “a called party may revoke consent at any time and through any reasonable means.” Revocation of consent has three requirements. First, the called party must clearly express a desire not to be called. Second, the revocation method must be reasonable. Third, the revocation must not create an undue burden on the company.

The ruling has been challenged but continues to stand. There have been some cases, primarily in the Second Circuit, looking at whether it can be a condition of a contract that consent cannot be revoked. There also has been discussion around what it means to have a reasonable revocation method. For example, if a patient agreement includes specific instructions about how consent can be revoked and the patient revokes consent through another method, would the revocation have to be honored? The FCC would say “yes”—but a number of cases have seemed to disagree with the FCC.

There also have been a slew of cases brought by serial TCPA plaintiffs who respond to texts with long-winded messages revoking their consent. These kinds of long responses are not recognized by automated systems. Thankfully, the courts have held that long-winded responses are not reasonable.

We generally recommend that organizations include stop instructions in every message—or at least every several messages—so plaintiffs cannot argue that they had no idea how to stop text messaging. It is also important to tell people when they sign up for text messaging that they can revoke consent if they change their minds.

There have been some revocation of consent cases in the healthcare space. For example, in Wilkes v. CareSource Management Group Co. (No 4:16-cv-38 JVB, 2018 WL 4680028 (N.D. Sept. 29, 2018)), the plaintiffs applied for health insurance coverage under the Affordable Care Act through Healthcare.gov. The wife canceled the insurance policy but continued to receive automated welcome calls on her cellphone. The court ruled that there was prior express consent to have welcome messages sent to her phone, since she submitted her cell number as part of the application process and the content of the messages was reasonably related to the insurance coverage for which she provided her number. Cancellation of the coverage alone is not revocation under the TCPA.

This is an important ruling, because there were a number of cases that also argued ending a business relationship automatically triggered revocation. That turned out, however, not to be true under case law.

Primary Exemptions for Healthcare Calls

1. The Health Insurance Portability and Accountability Act (HIPAA) Exemption

Let’s look first at the HIPAA exemption for residential landlines. When we talk about residential landlines, we’re looking specifically at prerecorded voice messages or artificial voice messages, since those would require consent under the TCPA. Informational prerecorded message calls to residential landlines are generally exempt under the TCPA due to other exemptions, such as calls made for emergency purposes, noncommercial purposes or commercial purposes that are not advertising or marketing, as well as calls made by nonprofits or calls that delivered a healthcare message by or on behalf of a HIPAA-defined covered entity or business associate.

For calls to mobile phones, the triggers for TCPA consent are artificial voices, prerecorded messages or auto-dialers. If an organization is making those types of automated calls and is delivering a healthcare message by or on behalf of a covered entity or a business associate, only prior express consent is needed, even if the call constitutes an advertisement or telemarketing under the TCPA. Healthcare organizations have a less stringent standard than others applying the TCPA rules.

It is important to remember that automated calls to mobile phones require consent—it is just a matter of what kind of consent. Auto-dialed or prerecorded healthcare calls and texts to mobile phones generally require prior express consent. If the HIPAA exemption doesn’t apply and the call constitutes advertising or telemarketing, then prior express written consent is required.

When does the HIPAA exemption apply? To qualify for the HIPAA exemption, a call must constitute a “healthcare” message by a “covered entity” or “business associate,” as those terms are defined in the HIPAA Privacy Rule. The TCPA does not disrupt HIPAA’s definitions of “covered entities” or “business associates.” (If a call is not marketing, the more onerous consent requirements under the TCPA aren’t triggered.)

HIPAA defines marketing as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” HIPAA also includes three categories of carve-outs that it excludes from marketing (45 C.F.R. Section 164.501):

Communications that impart information about a product or service that is included in a healthcare benefits plan offered by a covered entity, such as a new benefit that is added to the plan
Communications that provide information concerning treatment, such as appointment reminders
Communications that describe goods or services for case management or case coordination, such as a doctor sharing a patient’s records with several behavioral management programs to determine the best option for the patient’s needs

The 2013 FCC order provides several examples of HIPAA exemption categories, including prescription refills, immunization reminders, post-hospital discharge follow-up, health screening reminders, medical supply renewal requests and generic drug migration recommendations. This list was repeated and expanded upon in the 2015 FCC ruling.

Case law, particularly Bailey v. CVS Pharmacy (D.N.J. 2018), helps clarify the contours of the exemption. In that case, the court decided that a generic flu shot reminder text message alert fell within the HIPAA healthcare exemption, stating that the plaintiff provided consent when she gave CVS her phone number, even though she never received or expressed interest in receiving flu shots from CVS.

2. The Emergency Purposes Exemption

Calls that are made for emergency purposes to mobile phones do not require prior express consent. “Emergency purposes” is defined as “calls made necessary in any situation affecting the health and safety of consumers” (47 C.F.R. Section 64.1200(f)(4)). Not all healthcare calls qualify for the emergency purposes exemption. In the ACA International case taken up by the D.C. Circuit, for example, the court clarified that a billing communication would not be considered for an emergency purpose, as timely delivery is not critical. In several cases, however, prescription reminders have been held to fall within the TCPA’s “emergency purposes” exemption, as people’s lives could be threatened if they did not have their medications.

3. The 2015 Exigent Exemption

The 2015 exigent exemption is designed for healthcare calls that are not emergencies but are urgent. To qualify, calls must have a specific treatment purpose. Types of calls that fall under the exigent exemption include appointment and exam reminders, wellness checkups, hospital preregistration instructions, preoperative instructions, lab results, post-discharge follow-up to prevent readmission, prescription notifications, and home healthcare instructions. According to the FCC, calls are not covered if they are about account communications, payment notifications or Social Security disability eligibility.

Although the FCC agrees exigent calls are important, it put together a long list of conditions that calls must meet to qualify for the exemption, including that they must:

Be free to the end user
Go only to a mobile number that the patient provided
Provide the caller’s name and contact information (at the beginning for voice calls)
Not be telemarketing, solicitations or advertising calls, or accounting, billing, debt collection or other financially related calls
Be short (one minute or less for voice and 160 characters or less for text)
Provide an easy means for opting out
Immediately honor opt-out requests
Be no more frequent than one message per day, with a maximum of three per week per provider

Risk Mitigation

We recommend that all healthcare organizations conduct a “health check” of their outbound call practices at least annually to minimize risk. The health check should include an audit of different types of calls the organization makes, the sources for phone numbers, an analysis of auto-dialer use, a review of consent practices and an assessment of how TCPA risk is being mitigated. Organizations also should evaluate how ready they are if they were to face a TCPA lawsuit.