Skip to main content
Menu

Resources

Rules for Communicating via Telephone, Cellphone and Email

November 19, 2019 3339

It is no longer a simple matter to communicate with patients or to market a dental practice via telephone, cellphone, text message or email. This is a guide to the rules for communicating via these technologies with patients and other individuals. Also included in this resource is sample language to use for those instances when patient authorization or consent is necessary for communicating via these technologies.

New Patient — Cellphone Consent

Obtain authorization to initiate contact with a patient regarding treatment, insurance, and account via the patient’s cellphone. The Federal Communications Commission, using the authority of the Telephone Consumer Protection Act of 1991 (TCPA), issued the order below that requires a business to obtain an individual’s consent prior to calling or sending a text message to an individual’s cellphone number. A health care exemption to the order applies if the communication:

  • Is sent only to the cellphone number provided by the patient to the health care provider.
  • States the name and contact information of the health care provider (information must be at the beginning of a voice call).
  • Does not include telemarketing, solicitation, advertising, billing or financial content (including insurance information requests).
  • Complies with the HIPAA Privacy Rule.
  • Is short (one minute or less for voice calls and 160 characters or less for text messages).

A health care provider must:

  • Limit communication to one per day and three per week for each individual.
  • Provide individuals with a simple method to opt out of receiving communications.
  • Immediately honor the opt-out requests.

The TCPA order does not limit a return call to an individual’s cellphone number if the individual initiates the contact.

In order to initiate contact with a patient via the patient’s cellphone regarding any topic other than treatment and appointment reminders, a dental practice must obtain the patient’s consent to do so.

The following provides sample language a dental practice can add to a patient information collection form. Note that if a dental practice intends to contact the patient on his or her cellphone for marketing purposes, the practice should add that to the consent language.

I consent to the dental practice using my cellphone number to (choose one or both): ______ call or ______ text regarding appointments and to call regarding treatment, insurance and my account. I understand that I can withdraw my consent at any time. My cellphone number is (include area code) _______________. _________ (initial)

New Patient — Consent To Receive Unsecured Email

Electronic communication of patient information must be done securely. The only exception to the requirement is when a patient, after being advised of the risks, consents to receive the information in unencrypted email. Patient consent to receive unencrypted email is not consent to transmit protected health information (PHI) in unsecured communications with other entities such as specialists and payers. If the use of unencrypted email is unacceptable to a patient who requests confidential communications, other means of providing an electronic copy by more secure methods should be offered and accommodated. Following is sample language a dental practice can add to a new patient information collection form:

Except for appointment reminders, we use secure methods to electronically communicate with our patients. Unencrypted email is not a secure form of communication. There is some risk that any individually identifiable health information and other sensitive or confidential information that may be contained in unencrypted email may be misdirected, disclosed to or intercepted by unauthorized third parties. However, you may consent to receive unsecured email from us regarding your treatment. We will use the minimum amount of protected health information necessary in any communication. Our first email to you will verify the email address you provide. Please initial the statement indicating your preference.

  • _______ I prefer to receive information via the practice’s secure communication methods. My email address is _____________.
  • _______ I consent and accept the risk in receiving information via unencrypted email. I understand I can withdraw my consent at any time. My email address is _____________.
  • _______ I consent to receiving appointment reminders via unencrypted email. I understand the minimum necessary information is used in these reminders. I understand I can withdraw my consent at any time. My email address is _____________.
  • _______ I do not consent to receiving any information via email. I understand that I can change my mind and provide consent later.

New Patient — Voice Messages Left at Home

Obtain patient acknowledgment that the practice will leave messages on the answering machine or with anyone who answers the telephone at the telephone number provided by the patient. Sample language:

I understand brief messages from the dental practice may be left on my home answering machine or with anyone who answers the telephone at my home unless I have provided the practice with alternative instructions for communication. ________ (initial)

Appointment Reminders — Voice and Text Messages

Only use the minimum patient information necessary for the appointment reminder. Postcards, voice messages, unencrypted email messages and text messages should not include diagnosis or treatment information.

Sample language for an appointment reminder:

This is Main Street Dental with a reminder that Jack has an appointment on Wednesday, March 3, at 2 p.m. Please call us at 222-2222 if you have any questions.

When using a vendor to make the appointment reminders, the dental practice should:

  • Sign a HIPAA Business Associate Agreement with the vendor.
  • Provide the vendor with only the minimum information necessary to complete the job.
  • Ensure patient information is transmitted securely to the vendor.

Patient Request for Email Communication

When a dental practice does not normally engage in email communication with patients and a patient requests email communication, the practice must ensure the email is sent securely either through encryption or a secure web service. The only exception to the requirement is when a patient, after being advised of the risks, consents to receive the information in unencrypted email. Patient consent to receive unencrypted email is not consent to transmit PHI in unsecured communications with other entities such as specialists and payers. If the use of unencrypted email is unacceptable to a patient who requests confidential communications, other means of providing an electronic copy by more secure methods should be offered and accommodated.

Following is sample language that can be used to obtain patient consent to communicate via unencrypted email. Be sure to retain documentation with the patient record.

Reply to a patient’s emailed request for information:

We are happy to respond to your query. We normally use a secure electronic communication method (encryption), however, you have the right to request to receive your information via unencrypted email. In order for us to send your information to you via unencrypted email, you must provide your consent, recognizing that unencrypted email is not a secure form of communication. There is some risk that any individually identifiable health information and other sensitive or confidential information that may be contained in such email may be misdirected, disclosed to or intercepted by unauthorized third parties. We will use the minimum amount of protected health information necessary to respond to your query. If you wish to conduct this discussion via unencrypted email, please indicate your acceptance of this risk with your email reply. You may withdraw your consent at any time. Alternatively, please contact our office to arrange a telephone conversation or office visit if you decide against corresponding via email.

Act on a verbal request from the patient:

Please email your request to our office. (Then the office can respond as described above, or the dentist or HIPAA privacy officer can discuss with the patient the risk of unsecured email and document the conversation and consent in the patient record.)

Patient Recall

Contacting patients about uncompleted recommended treatment or for not being seen in the past year is common in dental practices. However, telephone calls to recall patients may be viewed as solicitation and, therefore, subject to the federal Do-Not-Call Registry rules. Telephone solicitation is limited to 18 months from the time an individual completes a transaction with the business or until the individual requests that he or she not be contacted again, whichever period is shorter. If an

individual makes an inquiry, a business may call that individual for three months or until the individual requests that he or she not be contacted again, whichever period is shorter.

Telemarketing

Become familiar with the federal Telemarketing Sales Rule if using telemarketing. Even if a dental practice does not use telemarketing and instead uses direct mail or general media advertisements (radio, print or internet), how a dental practice responds to the calls resulting from those ads can be subject to the rule. Any “upselling” done in the course of a call will make that call subject to the rule. Refer to the FTC website for more information.

Email Marketing

The federal CAN-SPAM Act and California law apply to all email messages, including business-to-business communications, that are advertisements or promotions of a commercial product or service or that promote content on commercial websites. Unsolicited commercial email may not be sent to or from California email addresses. An example of a marketing email is a promotion for teeth whitening sent to a dental practice’s patients of record. Appointment reminders are not commercial communications.

It is a good idea to obtain an individual’s consent prior to sending him or her an email, even if the email is not a commercial message. Verbal consent to receive emails is allowed, but the consent should be documented.

Following is a summary of the main requirements:

  1. Header information — “From,” “To,” “Reply-To” and the originating domain name and email address — is accurate and clearly identifies the person or business who initiated the message. The domain name used must be publicly registered to the person or business who initiated the message or to the company contracted to do the marketing.
  2. Subject line accurately reflects content of the message.
  3. The message is clearly and conspicuously identified as an ad.
  4. Includes a valid physical postal address of the person or business who initiated the message. This can be a current street address, a post office box with the U.S. Postal Service or a private mailbox registered with a commercial mail-receiving agency established under U.S. Postal Service regulations.
  5. Provides a clear and conspicuous explanation of how the recipient can opt out of receiving future emails. Opt-out method should be internet-based. A menu to allow a recipient to opt out of certain types of messages can be offered, but the option to stop all commercial messages must be included in the menu.
  6. Promptly honor opt-out requests; 10 business days is the maximum period to comply. The recipient cannot be required to pay a fee or provide additional information in order to have an opt-out request honored.
  7. Once a recipient has opted out, the email address may not be sold or transferred, even in the form of a mailing list, except if it is being used by a third party to assist with CAN-SPAM compliance.

When sending a group email, a dental practice should ensure email addresses are entered only in the “Bcc” field so as not to impermissibly disclose PHI. If a dental practice hires a third party to send marketing communications and the recipient list includes patient email addresses, the practice should sign a HIPAA business associate agreement with the party.

Collection Calls

In an ideal world, collection calls would not be necessary (see the “Patient Financial Protocols” article for options to eliminate collection calls). In the real world, collection calls are made by dental practices before the debt is turned over to collection agencies.

At the federal level, the key law for dental practices is the Fair Debt Collection Practices Act, enacted to prevent and prohibit abuse by debt collectors. Below is an excerpt from the FTC website detailing what debt collectors are prohibited from doing:

Debt collectors may not harass, oppress or abuse any parties they contact. For example, they may not:

  • Use threats of violence or harm.
  • Publish a list of consumers who refuse to pay their debts (except to a credit bureau).
  • Use obscene or profane language.
  • Repeatedly use the telephone to annoy someone.

Debt collectors may not use false or misleading statements when collecting a debt. For example, they may not:

  • Falsely imply that they are attorneys or government representatives.
  • Falsely imply that someone has committed a crime.
  • Falsely represent that they operate or work for a credit bureau.
  • Misrepresent the amount of debt a person owes.
  • Indicate that papers being sent are legal forms when they are not.
  • Indicate that papers being sent are not legal forms when they are.

Debt collectors may not state that:

  • A person will be arrested if they do not pay their debt.
  • They will seize, garnish, attach or sell a person’s property or wages, unless the collection agency or creditor intends to do so and it is legal to do so.
  • They will take actions against a person, such as a lawsuit, when such action may not legally be taken or when they do not intend to take such action.

Debt collectors may not:

  • Give false credit information to anyone, including a credit bureau.
  • Send anything that looks like an official document from a court or government agency when it is not.
  • Use a false name.

Debt collectors may not engage in unfair practices when they try to collect a debt. For example, they may not:

  • Collect any amount greater than a person’s debt, unless state law permits such a charge.
  • Deposit a post-dated check prematurely.
  • Use deception to make someone accept collect calls or pay for telegrams.
  • Take or threaten to take property unless this can be done legally.
  • Make contact by postcard.

While the federal law was written to cover debt collection agencies and not original creditors, as of Jan. 1, 2000, all creditors (e.g., dental practices) and debt collection agencies that are subject to California law are also subject to most of the standards of the federal law. That means that businesses covered by the California law (both original creditors and debt collection agencies) must comply with the standards expressed in both state law and, with some exceptions, federal law. The state attorney general’s office website provides a guide to state laws on fair debt collection practices.