Request a Demo

Category: Compliance & Regulations

Analysis of April 1, 2021 Supreme Court Ruling on the TCPA

Posted on by Brendan McClure
Big news for healthcare organizations that have been hesitant to fully leverage text messaging due to conservative interpretation of the Telephone Consumer Protection Act (TCPA). On April 1, 2021 the Supreme Court ruled that automated messaging did not fall under the TCPA if the system sending the messages was not an automatic telephone dialing system (ATDS). The court’s definition of an ATDS was very narrow. Whether storing or producing numbers to be called, the equipment in question must use a random or sequential number generator to be considered an ATDS. Therefore, if organizations, healthcare or not, are not using an ATDS to send messages, then those messages do not fall under the TCPA. The ruling provides additional protections that should persuade more conservative organizations to adopt prior express consent strategies. The TCPA was established in 1991 to protect consumers from the growing number of telephone marketing calls. In 2013 and 2015 a series of carve-outs added provisions for healthcare related calls and messages where consumers who have knowingly released their phone numbers to a HIPAA compliant entity (or its Business Associate) have effectively given their invitation or permission to be called at the number which they have provided, absent instructions to the contrary. The call or message must fall within the scope of the consent that it was provided. Most commonly, this means if an individual provides their mobile phone number e.g. filling out an application form (paper or online) for health coverage or signing up to a medical practice, then they have provided consent for that company or another operating under a BAA to use that number to contact that individual. If you applied to a state Medicaid agency for health coverage and provided your mobile number on that enrollment form, then after coverage was granted you received a message from the managed care organization you had been assigned to, it would not a be a surprise. More likely it would be a good experience. Maybe even expected. But some healthcare organizations have taken a more conservative interpretation of the law and require the strictest consent requirements: prior express written consent. Applying prior express written consent to the above example, in addition to providing their number when enrolling at the state level, the member would have to specifically provide written consent (typically, by providing their number again, checking a box to confirm consent, or texting in a keyword) in order to receive automated communications from that health plan managing their benefits. This approach significantly reduces the percentage of members who can benefit from valuable informational messages to help them manage their health. Unless healthcare organizations are using a system that has the capacity to generate and store random or sequentially generated phone numbers, which is extremely unlikely, this Supreme Court ruling means messages they send to patients and members do not fall under the TCPA. There is no law regulating their messaging, minimizing any risk of class action litigation. However, member consent is part of providing a positive experience. That’s best practice. So, what the ruling effectively means is that in addition to the protections afforded by consent, healthcare organizations have another layer of protection by falling outside of the ATDS definition. Depending on how organizations have previously interpreted TCPA, here is some guidance to help align on a new approach: Organizations that have historically obtained prior express consent
  • These organizations do not need to adjust their approach. Using prior express consent means they can engage the majority of the members and drive optimal value out of the SMS channel.
Organizations that have historically required prior express written consent
  • Business leads should work with their legal teams to transition to a prior express consent strategy. Any concerns about the prior express consent approach are mitigated by the additional protections afforded by the Supreme Court ruling.
Organizations that have historically received phone numbers from a 3rd party
  • Business leads should assess the context of how individual numbers were originally provided. If the number will be used to engage individuals on topics related to the scope of how it was provided, then the business leads should work with their legal teams to transition to a prior express consent strategy.
The definitions of ATDS apply to both pre-recoded voice calls and text messages. However, following the Supreme Court ruling, adapting consent strategies for text messaging is clean compared to pre-recorded voice calls or IVRs. Within the TCPA, pre-recorded voice calls have additional areas of regulation pertaining to how the mobile number was gathered and these areas must be taken into account when conducting automated calls. There are more protections for sending automated text messages than there are for pre-recorded voice calls. The ruling is favorable for organizations across industries, but it is unlikely to lead to dramatic changes to how organizations use the SMS channel. Firstly, considerable industry self-regulation exists, such as carriers’ ability to block automated spam calls. The CTIA (industry body for the wireless communications industry) provides strict guidance on how messaging programs should be managed and has the power to shut down non-compliant messaging programs. Secondly, it is in the interests of brands to follow best practices and deliver excellent consumer experiences. The Federal Communication Commission (FCC) that oversees the TCPA may react to the Supreme Court ruling by updating the law, but the manner and urgency of its response will in part be driven by whether brands put consumer interests at the fore and self-regulate best practices for consumer messaging engagement. If the FCC does act, and it has no obligation to do so, any new consent rules would have prospective effect only. For healthcare organizations that have been slow to adopt text messaging engagement due to TCPA regulations, the ball is firmly in their court. The TCPA is vague in parts and while many organizations see the opportunity the prior express consent approach, they hold-back because of uncertainty of the language. Now that the risk of class-action litigation has been largely ruled-out, these organizations have a significant opportunity to leverage the SMS channel more.

Our Reaction to the Two New TCPA Rulings from the FCC

Posted on by mPulse Team

This past Thursday, June 25, 2020, was a busy day for the Federal Communications Commission (FCC) and their oversight on the Telephone Consumer Protection Act of 1991 (TCPA). 

That law, and the FCC rules enforcing it, create the primary regulatory structure that guides how automated outreach via phone and text to cell phones lawfully happens in the US. As a result, mPulse is always monitoring FCC rulings, federal court cases, and Congressional actions that relate to how our customers can ensure they are always compliant with the TCPA. So, when the Commission issued two binding Declaratory Rulings relating to the TCPA last week, we knew it was important to examine what was (and wasn’t) changing as a result. Here is our breakdown of the two new rulings. (Note: I’m not a lawyer and this should not be taken as legal advice.) 

P2P Alliance Petition 

What it isThe FCC ruled on a 2018 request from the Peer 2 Peer (P2P) Alliance asking for clarification on what constitutes an “auto-dialer” that calls or texts cell phones. This definition is key to determining if the TCPA applies to a technology platform.  

What happened: The Commission’s Consumer and Government Affairs Bureau (CGB) made two key rulings. First, they clarified that an auto-dialer must store or generate random or sequential phone numbers and call them without human intervention. They specifically clarified that a technology platform where a human had to manually enter each number prior to calling or texting would not be subject to the TCPA, no matter how fast they would be able to call or text. Second, the FCC reiterated a long-standing view that, even when using an auto-dialer subject to the TCPA, calls and texts made to cell phones with the consumer’s prior express consent are permitted. They also took a moment in the ruling to note, “The Commission has repeatedly made clear that persons who knowingly release their telephone numbers for a particular purpose have in effect given their invitation or permission to be called at the number which they have given for that purpose, absent instructions to the contrary.” They finished by saying that if P2P was an auto-dialer, but was only calling or texting consumers who had provided their cell phone numbers to the calling parties, those calls/texts would be permissible because they were made with prior express consent. 

What it means: Because of our scale and the crucial nature of the calls and texts (among other channels) our platform powers for our healthcare customers, mPulse has always operated under the assumption we fall under the TCPA, even as the definition of an auto-dialer has been debated in federal courts. So, our operations won’t change due to any update to that definition. The reiteration that providing a mobile phone number constitutes prior express consent, absent instructions to the contrary, is a good and clear reinforcement of the FCC’s view of how consumers can opt into non-marketing text and phone outreach.   

Text of ruling: https://www.fcc.gov/document/cgb-issues-declaratory-ruling-p2p-alliance-petition  

Anthem Petition 

 What is it: The CGB also ruled on a 2015 request from Anthem that was asking for an expansion of the exemptions for healthcare messaging under the TCPA. Specifically, Anthem asked for the FCC to rule that calls and texts from Anthem (and plans or providers in general) that concern healthcare should not need to have prior express consent as long as consumers have an easy opportunity to opt out. The existence of a prior established relationship between the plan and members is enough, in their argument, to start that outreach. Second, they asked that broader healthcare calls/texts should be exempt from the TCPA entirely because they are welcomed by consumers and represent urgent healthcare concerns. Specifically, Anthem listed calls/texts on subjects like preventive medicine outreach, case management, to “educate members about available services and benefits,” and the use and maintenance of benefits.   

What happened: The Commission declined to grant Anthem’s requests. They emphasized that consent must be obtained prior to starting outreach regardless of an existing relationship, but noted that healthcare callers should have little problem obtaining that consent. The FCC also disagreed with a few of the Anthem petition’s arguments for making a content-based exception to the TCPA for non-emergency healthcare calls and texts.  

What it means: The FCC’s ruling is positive in a number of ways. This was the first time that the FCC directly addressed calls and texts that health plans typically send their members. The FCC’s treatment of Anthem as a healthcare entity – consistent with their definition of a “healthcare provider” as a HIPAA-covered entity and/or their business associates as those terms are defined under HIPAA – helps health plans get clarity that the TCPA protections for healthcare calls and texts – which require prior express consent instead of the prior express written consent that general marketing calls require – apply to their health-related messaging as well as those from hospitals or doctors’ offices. Ultimately the FCC’s move to look at health plan calls and texts and determine that no change was needed gives us confidence in the compliance procedures we have helped our plan customers follow for over a decade.

Text of ruling: https://www.fcc.gov/document/cgb-issues-declaratory-ruling-and-order-anthem-inc

Reaction and Analysis: Office of Civil Rights Takes a Position on Text Messaging in Healthcare

Posted on by Brendan McClure

If you ask a group of people that work in healthcare about whether texting is a compliant form of communication, you are likely to get a wide variety of answers: “you can,” “you can’t,” “you can, but no PHI,” “PHI is fine.” There has long been a desire for clarity on this grey and murky topic.  At HIMSS 2018, Roger Severino, Director of the US Department of Health and Human Services Office for Civil Rights (OCR), shed some much welcome light on compliance around healthcare texting.

Before we get to Severino’s comments, let’s address why everyone is so confused.

Two types of texting defined

There are two different types of texting that operate very differently and serve very different needs but are both commonly referred to as the same term, “texting.” The first type is what general consumers think of as texting, or Short Message Service (SMS) to use its technical term. This is the texting that is a default app on your phone and paid through your carrier that many people use to send and receive texts every day. It is unsecure. For clarity, I will refer to this as SMS. The second type is proprietary app based, with multiple different app providers. It is used by healthcare providers (mostly doctors and nurses) to communicate to one another on patient-related care inside and outside the walls of the health center. It can also be used by providers to communicate with patients provided the patient has downloaded and created an account for the app being used. It is secure. For clarity, I will refer to this as Secure Texting.

PHI and texting

Handling PHI through texting is the source of a lot of confusion and debate. Because of their Provider-to-Provider focus, Secure Texting needs to meet certain technical standards for HIPAA compliance:

  • encryption of message data in transit and at rest
  • reporting/auditability of message content
  • passcode enforcement
  • authentication
  • permissions management capabilities

With these safeguards in place, PHI of all risk levels can be communicated through that channel.

SMS is an unencrypted channel, so one might assume no PHI can be sent. Actually, that is not true. Encryption is not mandated. Instead healthcare companies must assess whether encryption is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting PHI. If encryption is not deemed reasonable and appropriate, the covered entity must implement alternative safeguards.

Because the SMS format is fundamentally incapable of encryption, companies have the discretion to make a case-by-case determination under HIPAA whether it is reasonable and appropriate for SMS texts to contain PHI.  A key factor is the nature of the PHI to be disclosed. Many healthcare companies are comfortable including low risk PHI in SMS texts, such as a patients first name, the fact the patient has a medical appointment, or has a medical condition (without specifying what the medical condition is). So, under current policy, while it is not explicitly defined, low risk PHI can be sent through the text channel within the boundaries of HIPAA guidelines.

The 2017 Clarification on Secure Texting and Patient Orders 

Since 2011, there has been considerable back-and-forth on whether Secure Texting can be used for communicating patient orders. In December 2017, the Joint Commission issued a clarification explicitly stating the use of Secure Texting for patient orders is prohibited. The document also recommended healthcare organizations should have policies prohibiting the use of SMS for communicating PHI. Expanding on this statement, the Joint Commission explained ‘Organizations are expected to incorporate limitations on the use of unsecured text messaging in their policies protecting the privacy of health information’ Joint Commission 2017. This position is in-line with the broader HIPAA Security Rule policy requiring healthcare organizations weigh the risks and benefits of sending unencrypted text messages.

The HIPAA Omnibus Final Rule

In 2013 the HIPAA Omnibus Final Rule allowed healthcare providers to communicate PHI with patients through unencrypted e-mail as long as the provider informs the patient that their e-mail service is not secure, gains the patient’s authorization to accept the risk, and documents the patient’s consent. This clarified the use of email for provider to patient communications. (Just to be clear providers cannot communicate PHI to one another using unencrypted e-mail).

Notably, the rule did not mention anything about SMS, which is somewhat frustrating as SMS is the most widely adopted communication channel by just about everybody. Some interpret the rule as applying to SMS as well because both are unencrypted electronic channels. Others want more clarity.

Clarity from OCR

Speaking at the HIMSS health IT conference in Las Vegas on March 6, Roger Severino, said that healthcare providers may share PHI with patients through standard (SMS) text messages. Providers must:

  • warn their patients that texting is not secure
  • gain the patients’ authorization
  • document the patients’ consent

Severino’s comments are yet to make it into policy, but the OCR has long-promised guidance on this topic. As the country is in a period of intense deregulation, it is reasonable to assume a ruling on the topic is imminent.

What does this mean for healthcare companies?

That depends on whether the healthcare company is already using SMS to reach and engage their patients. Many companies have well-established SMS programs. SMS has bubbled to the top as the most effective channel to engage patients about their health:

  • Increased chronic condition medication adherence from 30% to 44% in a non-adherent Medicare population read more
  • Reduction in members reporting they would use the Emergency Department for a minor condition from 11% to 4% read more
  • Reduction in procedural no-goes by 50%

Many healthcare companies are comfortable with the unencrypted nature of the channel and include PHI in line with their compliance department’s requirements. For these companies my advice would be to continue to drive as much value through the SMS channel while meeting current compliance guidelines. These companies will then be in a position to capitalize most when there is a change in policy that increases the breadth of use cases for which SMS can be used to engage patients and health plan members.

For companies that are not using the SMS channel to engage patients, I see this as clear notice that SMS is a channel where you should invest. 95% of the adult population uses the SMS channel and 98% of SMS texts are read. No other channel has that level of adoption and engagement. Because of this reach, the impact of the SMS on both clinical and administrative outcomes is well established and will only go up with policy that increases the breadth of use cases for which the channel can be used.

Healthcare Apps: The Good, The Bad, The Ugly

Posted on by mPulse Team

It is hard to imagine a week going by without hearing about a new app in the healthcare industry. It makes sense, though. As mobile devices become more sophisticated and better protected (was anyone else’s mind blown when Apple launched fingerprint technology?), consumers feel safer using them for important activities and sharing private information. The impact of apps in healthcare seems largely positive and they should only become more important as technology and regulations continue to evolve, but plenty of skepticism still remains.

First, a few quick facts to define the landscape:

To summarize, consumers continue to perform more activities on mobile devices than ever before, a very small portion of available health-related apps are downloaded, and the majority of apps are used only once.

There is a clear issue with getting consumers to actually use apps. After all the time, money, and energy spent building an app, marketing it, and finally earning a download only to find that consumers never come back is frustrating. These stats are even more depressing when there are so many valuable apps currently available and in development. Companies are spending big bucks to develop apps that may change healthcare forever.

Today alone, there are two featured stories on mobihealthnews.com about exciting new apps. One monitors respiration real-time while the other coaches kids to help them lose weight. This is not an unusual day. Apps with concepts like this are announced and released all the time. There are even companies like Zoom+ that are trying to bring healthcare almost entirely to the mobile phone. (Keyword being “almost.” It’s tough to imagine a phone performing an appendectomy.)

So the future for healthcare apps is simultaneously extremely bright and somewhat murky. The technology and abilities are mind blowing, yet adoption and use remain a challenge. Intelligent text messaging is a key to increasing adoption and getting consumers to complete the activities an app requires to remain valuable to them.

Here is an example:

There are a variety of apps that help consumers manage their health, be it overall fitness, diabetes, medication adherence, or any number of other health issues. Many of these apps require data from consumers in order to be effective. This data typically comes either from wearables that sync with the app, consumer-input data, or a combination of both. When consumers download the app, they typically log in, provide basic info, and then start looking around at all the features and overall experience. All is going fine and well until the consumer encounters something that requires a second effort on their end. Providing their current weight requires them to go step on scale and return; a prompt to sync a wearable could send them into an online shopping environment loaded with distractions. And then they lose momentum, interest wains, and they never return.

The challenge with apps is they require the consumer to click on them, and in healthcare likely log in, every time they use them. This is an unavoidable barrier unless security and regulations change dramatically. So how do organizations get consumers to care enough to log into an app regularly?

Here are some ideas:

  • Push Notifications: When a user enters an app for the first time, ask them to turn on push notifications. This enables the app to send alerts or reminders to the user on their mobile device. Downside: Many users (roughly 60%) do not opt-in to push notifications.
  • Digital Marketing: Once a consumer downloads the app, targeted online marketing can remind them about the necessity of the app. Downside: Expensive with limited data to judge success.
  • Text Messages: An intelligently-timed text message can encourage consumers to take the action the app requires (like measuring weight) and log back in with a simple tap of the link. Now the app has the information it needs to be more valuable to the consumer which is likely to increase adoption. If not, another intelligent text should do the trick. Example Text: Joanna, don’t forget to take your blood pressure and post it link to app so we can keep your doctor up to date.

Seeing the level of innovation in mobile healthcare is completely thrilling. It really feels like the dawn of a new era. Making sure consumers do their part and experience this innovation through apps requires an extra step to keep them engaged. By leveraging push notifications, ongoing marketing, and text message workflows, organizations are likely to see much stronger app use numbers and generate better outcomes across the board.

mPulse Mobile is the industry leader in a variety of healthcare solutions to support over 200 use cases. Driving traffic to apps is one of them. mPulse also creates intelligent workflows for two-way interactive text messaging that engages patients and consumers to get the information and care they need.

In Light of Increased Litigation, Best Practices for Consumer-Focused Mobile Engagement

Posted on by mPulse Team

With mobile phone ownership skyrocketing to 94% of adults and text-message read rates at 98%, engaging healthcare consumers via mobile is no longer an option – it’s a business imperative. Yet changing regulations and increased litigation related to text messages may be giving health plans and hospitals pause to adopt mobile as a customer engagement channel. Because the latest developments with the Telephone Consumer Protection Act (TCPA) have caused confusion around the industry, we’ve summarized key facts as well as our (legally sound) recommendation for how to best kick off your organization’s next mobile engagement initiative. The bottom line is that healthcare related messages face considerably less restrictions under the TCPA compared to other types of messages, and the Federal Communications Commission (FCC) recently created an additional exemption for healthcare messages that may be worth pursuing for your organization.

Legally Speaking

Advances in technology over the past several decades have dramatically increased how companies reach and engage with target audiences, particularly in the mobile space. As a result of technological innovations and evolution, attributes of the TPCA have continually been challenged – mainly in class-action lawsuits – leading to a series of clarifications of the TCPA’s terms at the federal level.

Most recently, the FCC issued an order to resolve more than 20 previously contested elements of the TCPA. The order’s legality is currently under scrutiny in a case overseen by the U.S. Court of Appeals that’s expected to play out well into 2016. While the public awaits the court’s ruling, members of the healthcare community who use mobile as a consumer engagement platform should pay special attention to the TCPA’s existing allowances and restrictions on healthcare-specific information communicated via phone – through voice calls and text messages.  That is, it is important to understand the rules applicable to healthcare messages which are not being appealed and which remain effective today.

First, in 2012, the FCC mandated that companies using autodialers or prerecorded voice messages for telemarketing purposes must obtain explicit written consent from the called party before placing any such call.  The FCC, however, carved out healthcare related messages from this enhanced consent requirement.  As a result, to the extent that an individual releases his or her telephone number to a healthcare provider without limitations, autodialed and prerecorded calls and texts can be sent to the individual’s mobile number on the healthcare providers behalf in compliance with the TCPA, so long as the content of the message would be covered under the Department of Health and Human Services’ (HHS) definition of healthcare.

In its most recent ruling last July, the FCC clarified terms surrounding consent, reiterating what’s previously been stated by the FCC: those who provide their phone number to a healthcare provider, insurance company, or other such party, in turn consent to receiving information from that party to that number.  The FCC also created an additional exemption that allows healthcare entities to send autodialed or prerecorded calls or texts to individuals regardless of whether or not the individual being contacted has released his or her telephone to the caller, so long as the communications are free of cost to the recipient, are related to an exigent medical situation and certain other conditions are met.  Accordingly, although nothing has changed with respect to the 2012 TCPA carve-out for healthcare calls, this exemption may be an option worth pursuing in situations where an entity is initiating a healthcare message on its own behalf and the patient did not release his or her telephone number to that entity.

mPulse Mobile’s Take

So what does this mean for you and your ability to actively (and legally!) engage with your organization’s audience?

As a healthcare institution, an assumed opt-in approach – one that provides consumers who have released their telephone number the choice to opt out upon initial contact – will ensure you’re TCPA-compliant and reaching the intended users in an effective manner. Say, for example, you’re part of a health plan requiring members provide their phone number upon sign up. It’s a best practice to conduct prompt outreach to the member, welcoming them and expressing the desire to regularly contact them on their cell. In that same communication, the individual should be asked to reply ‘STOP’ (at any time) if they wish not to receive additional texts.

Remember: it’s not the number of individuals that elect to remain in your database, but the level of engagement achieved.

If you’d like to learn more about how the most recent announcements surrounding the TCPA affect your mobile engagement efforts – as well as some best practices that our clients are using – we encourage you to join FierceHealthcare’s upcoming webinar, featuring mPulse Mobile and the legal experts at Arent Fox on February 17th. Register for the webinar here.

You can also check out some of our latest resources, including eBooks on mobile best practices for both healthcare providers and health plans.

eMarketer: Industry Perspectives on Connected Health

Posted on by mPulse Team

mPulse CEO Chris Nicholson was one of the industry thought leaders invited by eMarketer to share their perspectives on how connected health is taking shape, how it is impacting their businesses and how they expect marketing to change as a result.

The full report, which was released by eMarketer in January 2015, includes perspectives from providers payers, consumers, entrepreneurs, manufacturers and other players critical in the connected health industry. To give you a sense of the information in the report, here is one of Chris’s quotes:

eMarketer: How is marketing changing as a result of the connected health movement?

Chris Nicholson: “In the past it was more general, broad-brush communications to create awareness around programs— print communications or outbound calls, trying to reach people at a household level. In the last 10 years there’s been deeper analytics for targeting people into programs. Now you’ve got the ability and the analytics to get so much more sophisticated, to talk to somebody at a personal level, very specifically. Health plans have been a little slower to leverage mobile and social and are just now investing very heavily in this space.”

See the rest of Chris’s answers, plus more from other respected industry thought leaders in the full report available on eMarketer.com.

eMarketer: What Marketers Need to Know About Digitally Enabled Care

Posted on by mPulse Team

As the mobile communication solutions provider for many of the nation’s largest health plans and healthcare providers, mPulse Mobile is one of the foremost authorities on the topic of connected health. Recently, mPulse CEO Chris Nicholson served as an interviewee for the eMarketer report, Connected Health: More Than Just Wearables, What Marketers Need to Know About Digitally Enabled Care.

Published in January 2015, the report includes in-depth interviews and industry statistics to answer:

  • What is connected health, and what is driving it?
  • What are the major components of connected health, and how are they changing the dynamics of US healthcare?
  • What are the implications for marketing as the industry moves toward a more connected model of care delivery?

Some of the high-level findings from this report include:

  • One-third of US healthcare practitioners currently provide or plan to provide telemedicine services. Another 29% plan to in the next few years.
  • Consulting firm Deloitte estimated that there would be 100 million “eVisits” (seeing a doctor via phone, video or text-based interactions) in 2014, resulting in $5 billion in savings over the cost of in-person visits.
  • Privacy and security is a major consideration in the healthcare sector, and it is crucial for marketers to understand HIPAA-compliance. mPulse Mobile’s proprietary secure mail solution, AppMail, is mentioned in the report as a HIPAA-compliant option.

The full report is available on eMarketer.com.