Last updated 2026-07-11

TL;DR
Healthcare outbound calling teams must satisfy two separate federal frameworks at once. HIPAA governs how you handle protected health information on calls; TCPA governs whether you had permission to call at all. A call can be HIPAA-compliant and still trigger a $500-$1,500 per-call TCPA violation, or vice versa. Both laws apply simultaneously, and neither excuses the other.
What is the HIPAA and TCPA overlap in healthcare calling?
Run outbound calls for a healthcare organization and you operate under two federal frameworks that were written independently and do not neatly align. HIPAA, the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), restricts how covered entities and their business associates use and disclose protected health information, or PHI [1]. TCPA, the Telephone Consumer Protection Act (47 U.S.C. § 227), restricts how you contact people by phone and text regardless of what you say on the call [2].
The overlap happens because an outbound healthcare call almost always contains or implies PHI. The moment a caller says "This is a reminder about your upcoming cardiology appointment," they have disclosed a health condition to whoever picks up. That disclosure is regulated by HIPAA. The act of dialing a cell phone using an autodialer, or sending an SMS, is regulated by TCPA. You need valid authorization under both laws before that call goes out.
Neither agency defers to the other. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces HIPAA. The Federal Communications Commission (FCC) and private plaintiffs enforce TCPA. A healthcare company that gets its HIPAA authorization exactly right can still face a class-action lawsuit under TCPA if its autodialer consent documentation is defective. The reverse is equally true.
This dual exposure is not theoretical. Several large health systems and healthcare vendors have paid settlements under both laws in the same calendar year. Knowing exactly where the two regimes touch, and where they split, is the first step to building an outbound program you can defend.
What does HIPAA actually require for outbound patient calls?
HIPAA's Privacy Rule (45 C.F.R. Parts 160 and 164) sets the baseline for how covered entities, such as hospitals, physician practices, health plans, and their business associates, can use PHI for communications [1]. For treatment-related calls, the Privacy Rule generally permits the use of PHI without a separate written authorization. A reminder call about a scheduled appointment, a call from a pharmacist about a prescription ready for pickup, or a post-discharge follow-up call fits the treatment exception.
Marketing calls are a different story. If the purpose of the call is to get a patient to buy a product or service, HIPAA requires a written authorization from the patient before you can use their PHI to target them [1]. The line between "care coordination" and "marketing" is genuinely contested, and HHS has issued guidance acknowledging the gray zone. A call reminding a diabetic patient about an annual A1C check ordered by their physician is treatment. A call pitching a CGM device because the patient is diabetic is marketing.
HIPAA also imposes minimum-necessary standards. Even on a permitted treatment call, staff should not read out a full diagnosis when a simple appointment reminder will do. If a message is left on an answering machine, the Privacy Rule expects the covered entity to use reasonable safeguards. HHS guidance has noted that leaving a detailed message disclosing a sensitive condition on a shared voicemail could count as an impermissible disclosure [11].
For business associates, which includes many outbound call vendors, HIPAA requires a signed Business Associate Agreement (BAA) before any PHI passes to the vendor. If your call center vendor dials on your behalf using patient data, you need a BAA in place before a single record is uploaded [1].
What does TCPA require for outbound healthcare calls?
TCPA's core restriction, codified at 47 U.S.C. § 227(b), bars calls to a cellular telephone using an automatic telephone dialing system (ATDS) or a prerecorded voice without prior express consent [2]. For purely informational, non-marketing calls to cell phones, the FCC has recognized that prior express consent (not necessarily written) is enough. For telemarketing or advertising calls, the bar is higher: prior express written consent is required [4].
The FCC's 2012 order set the written consent requirement for marketing calls. The consent must be signed (electronically or on paper), clearly authorize calls to a specific number, and disclose that consent is not a condition of purchase [4]. Healthcare calls that fall outside pure treatment reminders, say calls promoting health plan enrollment, wellness program sign-ups, or elective procedure offers, are likely to be treated as telemarketing under TCPA.
For calls that qualify as "healthcare calls" under the FCC's framework, there is a partial exemption. The FCC's 2015 TCPA Order carved out a narrow safe harbor for certain free-to-end-user healthcare calls, covering appointment reminders, prescription notifications, and post-discharge follow-up calls, provided the calls meet specific content and frequency limits [4]. That exemption does not cover marketing. And it does not change consent requirements for text messages the same way it does for voice calls.
One thing that catches healthcare teams by surprise: TCPA consent must be phone-number-specific. A patient signing a general HIPAA authorization does not thereby consent to autodialed calls under TCPA. The two consents are legally separate documents serving separate legal purposes. You can read the basics of the tcpa to ground yourself before layering in the healthcare dimension.
TCPA violations carry statutory damages of $500 per call or text, trebled to $1,500 if the violation is found to be willful [2]. With class actions grouping thousands of patients, the math gets ugly fast. The cash app tcpa class action settlement is a useful reference for how these settlements scale.
How are HIPAA consent and TCPA consent different?
This is the question that trips up more healthcare compliance teams than any other. The two consents look alike on the surface, both are written authorizations from the patient, but they differ in what they authorize, who enforces them, and what happens when they are missing.
| Dimension | HIPAA Authorization | TCPA Consent |
|---|---|---|
| Governing law | 45 C.F.R. § 164.508 | 47 U.S.C. § 227; 47 C.F.R. § 64.1200 |
| Enforced by | HHS Office for Civil Rights | FCC; private plaintiffs |
| Required for | Marketing use of PHI | Autodialed/prerecorded calls to cell phones |
| Format | Written authorization with 8 required elements | Written consent with clear autodialing disclosure |
| Revocable | Yes, at any time | Yes, at any time |
| Bundling allowed | Generally not for marketing | Cannot be conditioned on purchase |
| Private right of action | No (OCR complaint only) | Yes, class actions permitted |
HIPAA authorization has no private right of action. A patient cannot personally sue you under HIPAA. They can only file a complaint with OCR and hope OCR pursues it [1]. TCPA is the opposite. Any person who gets an unconsented autodialed call or text can sue directly in federal district court, and plaintiffs' attorneys actively hunt for these cases because the statutory damages are predictable.
The practical implication: TCPA consent documentation failures are far more likely to produce actual litigation. HIPAA failures tend to produce OCR investigations and civil money penalties, which are serious but follow a slower path.
A HIPAA-compliant treatment authorization form that says "I consent to receive appointment reminders" does not satisfy TCPA's written consent standard unless it also expressly discloses that those reminders may be delivered via autodialer or prerecorded message and specifies the phone number being consented for [4]. You need language that names the technology used.
Does HIPAA's treatment exception eliminate the need for TCPA consent?
No. This is one of the most common misconceptions in healthcare compliance. HIPAA's treatment exception lets a covered entity use PHI without a separate written authorization for treatment purposes. It says nothing about TCPA.
TCPA doesn't care what the call is about. It cares about the technology used to make the call and whether the recipient consented to that technology being used on their number. A hospital's reminder call to a patient about a post-operative wound check sits squarely inside HIPAA's treatment exception, and it still requires separate TCPA-compliant consent if it's going to a cell phone via autodialer.
The FCC's 2015 healthcare safe harbor, mentioned above, cuts some friction for purely informational healthcare calls, but it has strict limits: a maximum of one call or text per day, three per week, and the call must include an opt-out mechanism [4]. Exceed those limits and the safe harbor is void. And again, marketing calls get no safe harbor at all.
So the two authorization streams have to run in parallel. Neither one substitutes for the other.
What are the penalties when both laws are violated on the same call?
When a single outbound healthcare campaign runs into trouble, penalties under both laws can stack. They don't offset each other.
Under HIPAA, OCR can impose civil money penalties from $100 per violation for unknowing causes up to $50,000 per violation for willful neglect, with annual caps per violation category of up to $1.9 million (as adjusted for inflation) [3]. A 2023 enforcement action against a large healthcare provider ended in a $1.3 million settlement with OCR over impermissible disclosures in outbound communications [3].
Under TCPA, the statutory damage range of $500 to $1,500 per call or text sounds modest until you multiply it by a class of 50,000 patients who received an autodialed message without compliant consent documentation. That math produces a $25 million to $75 million exposure range, which explains why some TCPA class actions settle for eight figures. The credit one tcpa settlement reached $75 million, one of the largest in the statute's history, and it shows what unconsented autodialing at scale can cost.
There is no rule that gives you a HIPAA credit against your TCPA liability. The agencies are separate, the enforcement paths are separate, and a plaintiff's attorney bringing a TCPA class action does not need to coordinate with OCR.
State law can add a third layer. Several states have their own mini-TCPA or consumer protection statutes with additional per-violation penalties. California's consumer privacy laws, Florida's FTSA, and Washington's state health data law all interact with federal frameworks in ways that can raise exposure for healthcare callers specifically. See the state-law section below for more.
How should healthcare teams structure consent collection to satisfy both laws?
The most defensible approach is a unified consent flow that captures both HIPAA authorization language (where required) and TCPA-compliant express written consent in a single patient intake document, without treating them as interchangeable.
For new patients, the intake paperwork or digital onboarding flow should include a standalone TCPA consent block. It should: name the healthcare entity making the calls, specify that calls or texts may use an autodialer or prerecorded message, list the phone number(s) being consented for, describe the types of calls covered (appointment reminders, billing notifications, care follow-up, or if applicable, marketing), state that consent is not required to receive care, and include a clear opt-out instruction [4].
Separately, for any communications that use PHI for marketing, you need a full HIPAA authorization with all eight required elements under 45 C.F.R. § 164.508, including an expiration date, the right to revoke, and a description of how the information will be used [1].
The two forms can live in the same intake packet. They should not be merged into one form that tries to do both jobs with a single checkbox. If that form fails to meet either standard, you lose both consents at once.
Document retention matters. For TCPA consent, courts have looked favorably on companies that can produce a timestamped, IP-captured record of the exact consent language the patient saw and agreed to. For HIPAA, you need to retain authorizations for at least six years from the date of creation or the date it was last in effect [1]. Build your consent storage system to keep those records for at least that long.
Revocations must be honored immediately. Under TCPA, a patient who texts "STOP" or says on a recorded call that they no longer consent must be pulled from further autodialed contact. That revocation does not touch your HIPAA-permitted treatment communications if you're calling by hand, but it does cut off any autodialed outreach. Keeping your DNC and opt-out lists synced with your patient database is the operational piece most teams get wrong. Resources on building and maintaining do not call list processes apply here too.
What are the TCPA rules for healthcare text messages specifically?
Text messages get no softer treatment under TCPA than phone calls. Sending a prerecorded or automated SMS to a cell phone number without prior express written consent is the same statutory violation as an autodialed call [2]. The FCC has confirmed this repeatedly.
The 2015 FCC healthcare exemption for informational calls does extend to texts, but with the same one-per-day, three-per-week frequency cap and mandatory opt-out mechanism [4]. Healthcare teams that use SMS for appointment reminders or prescription notifications can qualify, but the messages have to meet the content criteria (no marketing, no upselling) and opt-out requests have to be processed before the next message goes out.
For SMS marketing in healthcare, you need written consent that meets the same standard as for voice calls. Collecting that consent at a patient portal login, at intake, or via an SMS opt-in keyword program all work, as long as the consent language is explicit about automated messaging.
HIPAA's overlay on SMS adds another layer. A text message containing PHI (even a person's first name plus the fact that they have an appointment) should travel over a secure channel. Many standard SMS platforms are not HIPAA-compliant by default, and the vendor needs a BAA in place with your organization. The intersection of text message marketing compliance and HIPAA means healthcare teams have to vet SMS vendors on both dimensions at once.
Patients increasingly expect text-based communication, and the burden of getting it right is real but manageable. The cost of getting it wrong, at $500 to $1,500 per text, is not.
How do state laws add to the HIPAA and TCPA requirements for healthcare callers?
Federal law sets the floor. States can and do go further, especially on health data privacy and telemarketing.
California is the most aggressive. The California Consumer Privacy Act (CCPA), as amended by CPRA, gives California residents the right to opt out of the sale or sharing of their personal information, which can include health-adjacent data even if it does not meet HIPAA's definition of PHI [5]. A healthcare organization calling California patients needs to layer CCPA opt-out rights on top of HIPAA and TCPA. California also has consumer protection provisions that courts have used alongside TCPA claims.
Florida enacted the Florida Telephone Solicitation Act (FTSA) in 2021. At various points it has been read to restrict automated text messages with a private right of action, creating real litigation risk for Florida healthcare callers [6]. The FTSA has gone through amendments, so you need to track the current language, not the 2021 version.
Washington state passed the My Health My Data Act in 2023, which applies to health data beyond HIPAA's scope and has its own consent requirements for collecting and sharing health information [7]. Healthcare organizations with Washington patients need to determine whether their outbound calling programs process data that falls under that law.
No state preempts TCPA or HIPAA, but several states run parallel statutes that sometimes set stricter standards. An outbound team calling a national patient base effectively needs a compliance program that meets the strictest applicable state rule for each patient's location. That is operationally complex, and it is one reason healthcare outbound compliance programs tend to cost more to build than their counterparts in other industries.
What is the FCC's 2024 TCPA update and how does it affect healthcare callers?
The FCC issued a significant ruling in early 2024 that changed how TCPA prior express written consent works for lead generation and multi-seller consent [8]. The ruling killed what had been called "one-to-many" consent, where a consumer's consent could be passed to an unlimited number of sellers or callers. Under the 2024 rule, TCPA written consent must identify the specific seller who will be making the calls.
For healthcare, this matters most in contexts like health insurance marketplaces, pharmacy benefit managers, or patient referral networks where a patient's information might flow from one entity to another. A patient who filled out a web form to get information from one health plan cannot be treated as having consented to autodialed calls from a different health plan or from an affiliated vendor unless that specific entity was named in the consent.
The ruling also addressed the "comparison shopping website" model, which some healthcare lead-gen operations use. The FCC stated that consent obtained through a website where consumers ostensibly compare healthcare options must be specific to each entity the consumer is consenting to hear from [8].
This change puts more pressure on healthcare organizations that buy leads or receive patient referrals from third parties. The burden falls on the caller to verify that the consent in the purchased or referred record names their specific organization. If it doesn't, they cannot legally autodial that number. National Do Not Call Registry obligations stay separate and additional. Teams building cold calling programs from third-party healthcare lists need to audit their consent chain starting from this rule.
What should a healthcare outbound compliance checklist actually include?
A checklist is not a compliance program. It's an operational anchor. Here is what a realistic checklist for healthcare outbound calling teams should cover.
Before any campaign launches: Confirm whether calls use an ATDS or prerecorded voice, because that triggers TCPA's consent requirements. Confirm whether the communication contains PHI, because that triggers HIPAA's requirements. Categorize the call as treatment, payment, operations, or marketing under HIPAA, because the authorization requirements differ. Confirm BAAs are in place with all vendors who touch PHI during the calling workflow. Verify that TCPA-compliant written consent exists and is documented for every cell phone number in the list. Scrub the list against the National Do Not Call Registry (updated access instructions at the how do i get the do not call list resource) and against your internal DNC list. Confirm calling hours comply with TCPA's 8 a.m. to 9 p.m. local time rule [2]. Apply any state-level restrictions.
During the campaign: Record opt-outs in real time and sync them to the suppression list before the next call session. Do not leave voicemails disclosing sensitive health conditions. Identify the calling entity clearly per TCPA's required disclosures.
After the campaign: Retain consent records for at least six years to match HIPAA's retention requirement. Log all opt-outs with timestamps. Run a post-campaign audit if complaint rates are elevated.
LeadCompliant's free compliance kit includes templates for the TCPA consent language and consent documentation workflows built for healthcare calling teams, if you want a starting point rather than building from scratch.
For teams managing their own mobile phone do not call list scrubbing, the cell-phone-specific suppression process matters just as much in healthcare as anywhere else.
What real enforcement actions show how these two laws interact?
Actual cases give a clearer picture than any abstract description.
In 2022 and 2023, OCR settled multiple cases involving covered entities that had impermissibly disclosed PHI through outbound communications. A $1.3 million settlement in 2023 involved a healthcare provider whose outbound calls disclosed health conditions in messages left with third parties [3]. These cases show OCR's active enforcement posture.
On the TCPA side, healthcare companies have been named in class actions alleging that automated appointment reminder calls and prescription notification texts went to patients who had not provided TCPA-compliant consent. The argument in most of these cases is that the healthcare entity's intake forms satisfied HIPAA but did not contain the specific autodialing disclosure TCPA consent requires. Courts have generally agreed that a generic medical records authorization is not enough for TCPA consent.
The Marks v. Crunch San Diego (2018) and Facebook v. Duguid (2021) decisions, while not healthcare-specific, shaped what counts as an ATDS and therefore which calling systems require TCPA consent in the first place [9]. After the Supreme Court's 2021 Duguid ruling, some healthcare systems argued that their dialing systems were not ATDSs and thus outside TCPA's scope. That argument has had mixed results at the district court level and is not a safe foundation for a compliance program.
The practical lesson from the case history: TCPA class actions in healthcare tend to target medium-sized health systems and healthcare vendors more than large hospital chains. The calculus for plaintiffs' attorneys is favorable anywhere there is a large patient database, an automated calling or texting program, and documentation gaps in consent records.
Frequently asked questions
Does a patient's signature on a HIPAA authorization form count as TCPA consent?
No. A HIPAA authorization permits the use of protected health information for specified purposes. TCPA consent must separately and explicitly authorize autodialed or prerecorded calls to a specific phone number and disclose the technology being used. Unless your HIPAA authorization form includes that specific TCPA-compliant language, it does not satisfy 47 C.F.R. § 64.1200's written consent requirement. You need both, and they should be maintained as separate documented records.
Are appointment reminder calls exempt from TCPA for healthcare organizations?
Partially. The FCC's 2015 order created a limited exemption for certain free-to-end-user informational healthcare calls, including appointment reminders, but it caps frequency at one call or text per day and three per week, and requires an opt-out mechanism. Marketing calls get no exemption regardless of the healthcare context. Calls to landlines under TCPA have somewhat different rules than calls to cell phones using an ATDS.
Do healthcare organizations need a Business Associate Agreement with their outbound call center vendor?
Yes, if the vendor processes protected health information to perform the calling service. Any vendor who receives patient names, phone numbers, appointment details, or diagnosis-related data to execute outbound calls is a business associate under HIPAA, and a signed BAA is required before any PHI is shared. Operating without a BAA exposes both the covered entity and the vendor to OCR enforcement.
Can a healthcare caller face both HIPAA penalties and TCPA penalties for the same call?
Yes. HIPAA and TCPA are enforced by different agencies under different statutes. A call that impermissibly discloses PHI to a third party can draw OCR civil money penalties up to $50,000 per violation, while the same call made without TCPA consent can generate $500 to $1,500 in statutory damages per call in a private lawsuit. The penalties do not offset each other and can be pursued simultaneously.
What are the TCPA consent requirements for healthcare SMS campaigns?
Text messages require the same prior express written consent as autodialed calls under TCPA. The FCC's healthcare exemption extends to texts but is limited to purely informational messages at a maximum of one per day and three per week, with a functioning opt-out mechanism. Any healthcare SMS that includes marketing content requires written consent meeting the standard at 47 C.F.R. § 64.1200(a). The SMS vendor also needs a BAA if messages contain PHI.
How long do healthcare organizations need to keep TCPA consent records?
TCPA doesn't specify a federal retention period, but the four-year federal statute of limitations under 28 U.S.C. § 1658 means you should keep consent records for at least four years from the date of the last call or text. HIPAA requires retaining certain records for six years. The practical recommendation is to align on the longer period: retain TCPA consent documentation for at least six years to match HIPAA's retention rule.
Does the FCC's 2024 consent ruling change anything for healthcare lead generation?
Yes, significantly. The FCC's 2024 order eliminated consent that names only a general category of sellers. Consent must now identify the specific entity making the calls. For healthcare organizations buying leads from comparison shopping sites, insurance marketplaces, or referral networks, the consent in the purchased record must name their organization specifically. Generic consent passed from a third party no longer satisfies TCPA written consent requirements under the 2024 rule.
What happens if a patient verbally revokes consent during a call?
Under TCPA, revocation of consent must be honored. The FCC has consistently interpreted the statute to allow revocation through any reasonable means, including a verbal request during a call. Once revoked, the entity cannot make further autodialed or prerecorded calls to that number. The revocation should be documented immediately with a timestamp and synced to the suppression list before any subsequent automated outreach. Manual calls for treatment purposes under HIPAA are a separate question.
Which states have the strictest additional rules for healthcare outbound callers beyond HIPAA and TCPA?
California (CCPA/CPRA plus health-specific regulations), Florida (FTSA with private right of action for automated texts), and Washington state (My Health My Data Act, 2023) are currently the most restrictive. Texas and Illinois have state health data protections that can layer on top of federal requirements. Any healthcare outbound program calling a national patient base needs state-by-state analysis rather than assuming federal compliance is sufficient.
Can healthcare organizations call cell phones without prior consent if they use a manual dial?
Generally yes, under TCPA, a human agent manually dialing a number, with no ATDS or prerecorded message involved, does not trigger the consent requirement of 47 U.S.C. § 227(b). However, HIPAA still applies to what is said on the call, and DNC registry rules still apply to marketing calls regardless of dialing method. Manual dialing is not a blanket workaround; it only bypasses the ATDS-specific consent requirement.
What should a healthcare TCPA consent disclosure actually say?
Per 47 C.F.R. § 64.1200 and FCC guidance, the consent should: identify the specific entity authorized to call, state that calls may use an autodialer or prerecorded message, specify the phone number covered, describe the call types (reminders, billing, care follow-up, or marketing), confirm consent is not a condition of receiving care, and provide an opt-out instruction. It must be signed, either electronically or on paper, with a dated record retained. Generic language like 'I consent to be contacted' is insufficient.
Are robocalls to hospital patients for billing purposes covered by TCPA?
Yes. Billing-related autodialed calls to cell phones require prior express consent under TCPA, even though billing falls within HIPAA's 'payment' operations category and may not need a separate HIPAA authorization. The TCPA consent requirement is technology-driven, not subject-matter-driven. Patients who provided their cell number at intake for a healthcare purpose have arguably provided consent for billing calls, but courts have split on how broadly 'prior express consent' extends from a general number provision.
How does TCPA apply to calls made by healthcare business associates on behalf of covered entities?
The business associate making the calls is the entity dialing the number and can be directly named in a TCPA lawsuit. The covered entity that provided the patient list can also be named as a principal. TCPA liability does not flow through the BAA. Both entities need their own compliance posture, and covered entities should contractually require their call center vendors to maintain TCPA-compliant consent documentation and indemnify the covered entity for TCPA violations caused by the vendor's operations.
Is there a safe harbor if a healthcare organization calls the wrong number by mistake?
TCPA has a limited wrong-number defense. The FCC's 2015 order created a one-call safe harbor for a caller who had valid consent for a number and then called it after the number was reassigned to a new subscriber, provided the caller had no actual knowledge of the reassignment. One call only. After that call, the caller is presumed to have notice. Healthcare organizations with large patient databases need regular number reassignment scrubbing to stay within this narrow safe harbor.
Sources
- HHS Office for Civil Rights, HIPAA Privacy Rule Summary: HIPAA Privacy Rule requirements for covered entities and business associates, including authorization requirements for marketing uses of PHI and BAA obligations under 45 C.F.R. Parts 160 and 164
- U.S. House of Representatives Office of the Law Revision Counsel, 47 U.S.C. § 227: TCPA statutory text including the prohibition on ATDS calls to cell phones without prior express consent and the $500 to $1,500 per-violation damages provision
- HHS Office for Civil Rights, HIPAA Enforcement Highlights and Settlement Announcements: OCR civil money penalty ranges from $100 to $50,000 per violation and enforcement actions against covered entities for impermissible disclosures in outbound communications
- California Attorney General, California Consumer Privacy Act (CCPA): CCPA/CPRA requirements for opt-out rights applicable to California residents including health-adjacent personal information not covered by HIPAA
- Florida Legislature, Florida Telephone Solicitation Act, F.S. § 501.059: Florida Telephone Solicitation Act provisions creating a private right of action for automated telemarketing calls and texts to Florida residents
- Washington State Legislature, My Health My Data Act (2023): Washington My Health My Data Act applying health data consent requirements beyond HIPAA's scope, effective for consumer health data collected from Washington residents
- U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court's 2021 ruling narrowing the definition of automatic telephone dialing system under TCPA, requiring the system to have the capacity to generate random or sequential phone numbers to store or produce
- HHS Office for Civil Rights, HIPAA Frequently Asked Questions: HHS guidance on minimum necessary standards for outbound patient communications and safeguards required when leaving voicemail messages containing PHI