In my last post, we discussed how HIPAA impacts rules and regulations related to capturing reviews for posting online. We limited the discussion to working with vendors to help you capture and post online reviews. Such vendors must be HIPAA Business Associates. And if Protected Health Information is posted online, you need a formal HIPAA authorization to do so.
Onward to the final topic.
Telephone Consumer Protection Act (TCPA):
Everyone has a smartphone. Why not just send links to smartphone and have the patient post their online reviews directly?
Welcome to the Telephone Consumer Protection Act of 1991.
When passed, that law’s goal was minimize telemarketing nuisances and junk faxes. The law has been updated to deal with smart phones.
Any business (or vendor that works with a business) that sends automated text messages must comply with TCPA. Get it wrong and the penalty is $500 per text or actual damages, whichever is greater.
Example: $500 x 1,000 texts = $0.5 million.
There is no statutory cap on damages. For lawyers, TCPA is manna from heaven.
TCPA gives a roadmap for compliance. Is the text message informational? Is the text message marketing material? If both, or ambiguous, one should assume it will be treated as marketing.
An informational text is one that is solely of benefit to the consumer (patient). An example would be a scheduling appointment reminder.
A marketing text includes any “material advertising of commercial availability or quality of any property, good, or services.” Does this include a link to post a review on an online review site? Who knows? But, given that penalties can be in the multi-millions, and that many insurance policies exclude such coverage, a reasonable approach is to treat such text messages as marketing messages, and comply.
To comply with TCPA for sending automated informational text messages, you need “prior express consent” from the patient. This is typically easy. If the patient voluntarily gives you their mobile number, you’ve complied.
To comply with TCPA for sending automated marketing (or combination informational/marketing) text messages, you need “prior express written consent” from the patient. This is a bigger deal. Such documentation and disclosure start to look like HIPAA authorization releases.
To recap, if you work with a vendor to collect reviews, and they use automated technology to send text messages, don’t cut corners. Understand your obligations with prior express written consent. What a difference one word makes.
Our Series Comes to a Close
Our series on Capturing Patient Reviews and Pesky Regulatory Details comes to a close. I’d love to say there are no other constraints. Unfortunately, there are. This includes state medical licensing bodies that regulate advertising in the medical fields.
Still, I don’t intend to throw the baby out with the bathwater. I’m a fan of online reviews. They're here to stay. Healthcare is no exception. Just asking patients to post reviews is hard work. Vendors have popped up offering technology to solve the problem. Before you ink a multi-year agreement, get comfortable YOUR vendor understands and follows FTC, HIPAA, and TCPA.
Jeff Segal, MD, JD, is a member of MCSMN, founder of Medical Justice Systems, and CEO of eMerit.