How to get consent for healthcare outbound calls compliantly

Healthcare outbound calls face TCPA fines up to $1,500 per call. Learn exactly how to get valid consent, what records to keep, and where the HIPAA overlap bites.

LeadCompliant Team
26 min read
In This Article

Last updated 2026-07-11

Healthcare administrator reviewing patient intake consent forms at a desk
Healthcare administrator reviewing patient intake consent forms at a desk

TL;DR

Healthcare organizations making outbound calls to cell phones need prior express written consent under the TCPA before using an autodialer or prerecorded message for marketing, and prior express consent for purely informational calls. HIPAA adds a parallel layer: calls must stay within the scope of the patient's authorization. A missing or defective consent record can cost up to $1,500 per call in TCPA statutory damages.

The TCPA sets two different consent bars, and which one you hit depends on why you're calling. The statute is codified at 47 U.S.C. § 227 [1]. For marketing calls made with an autodialer or prerecorded voice to a cell phone, you need "prior express written consent." For informational or transactional calls, you need only "prior express consent," which is a lower bar and does not have to be written.

The FCC defines prior express written consent as an agreement that is "clearly and conspicuously" disclosed, is not a condition of purchase, and includes the consumer's signature (which can be electronic) [2]. The key phrase from the FCC's 2012 order is that the consumer must "authorize the seller to deliver or cause to be delivered to the consumer calls ... using an automatic telephone dialing system or an artificial or prerecorded voice." That language has to appear somewhere in your consent form before you call.

Healthcare got a narrow break in 2015. The FCC ruled that "healthcare calls" covered by HIPAA and made by or on behalf of healthcare providers are exempt from the written-consent requirement, but only if they are free to the called party, fall under HIPAA, carry no marketing or advertising, and comply with strict time and frequency limits [3]. That exemption sounds generous. It's narrower than most teams assume. The moment a call touches an appointment reminder tied to upsell messaging, or a wellness program that's also selling a product, the exemption vanishes.

Here's the split that matters. If your outbound call is purely informational (appointment reminders, prescription refill notifications, lab results, care-coordination follow-ups with existing patients), the HIPAA healthcare exemption may apply and you need prior express consent, not written consent. If your call is marketing, you need prior express written consent, period.

Most industries only have to satisfy the TCPA. Healthcare has to satisfy the TCPA and HIPAA at the same time, and those two frameworks don't line up neatly [4].

HIPAA's Privacy Rule, at 45 C.F.R. Part 164, governs what you can say once the call connects. The TCPA governs whether you had the right to make the call at all. You can hold a valid HIPAA authorization to send a patient health communications and still break the TCPA if you used an autodialer on their cell phone without the right consent format. Flip it around: you can have a textbook TCPA written consent form and still break HIPAA if the call spills protected health information into a voicemail on a shared line.

HIPAA consent is purpose-limited. A patient who authorizes calls about prescription refills has not authorized calls about a new diabetes management app you sell. Blur that line and you're exposed under both statutes at once.

State laws stack another layer on top. Several states, including California (CCPA/CPRA), Florida (FTSA), and Washington, impose consent or opt-out requirements on health-related communications that run past the federal floor [5]. Florida's FTSA, for example, requires prior express written consent for any automated call to a Florida cell phone, with no meaningful carve-out for healthcare, and it hands consumers a private right of action worth up to $500 per call.

If you have patients or prospects in more than one state, you comply to the strictest applicable standard. In practice that usually means prior express written consent for everyone on cell phones, no matter the call purpose.

A valid prior express written consent record for a healthcare marketing call has to carry five elements under the FCC's rules [2]:

1. The consumer's signature (wet or electronic). 2. A clear and conspicuous disclosure that by signing, the person authorizes calls using an autodialer or prerecorded voice. 3. The specific phone number(s) they are authorizing calls to. 4. The name of the seller or entity making the calls. 5. A statement that consent is not a condition of receiving care or purchasing any product or service.

For healthcare informational calls that lean on the HIPAA exemption (no written consent required), you still need prior express consent. That can come from the patient giving their cell number at intake and being told you may call it for health-related communications. The 2015 FCC healthcare order requires the provider's call to meet all of the following: one call per day, a maximum of three calls per week, a maximum of one call per month per subject (for example, one appointment reminder call per month), a length no longer than 60 seconds if prerecorded, and an opt-out mechanism [3].

Electronic signatures on intake forms are valid under the E-SIGN Act (15 U.S.C. § 7001) as long as the consumer affirmatively checks a box or types into a consent field. Pre-checked boxes fail. The FCC has been blunt on this: passive consent is not consent.

One thing trips up healthcare teams constantly. Buying or porting a patient list from a third party does not transfer consent. If a hospital acquires a physician practice and wants to call those patients, the consent those patients gave the original practice does not carry over to the new entity. You need fresh consent tied to the acquiring organization by name.

TCPA and HIPAA: key compliance numbers for healthcare outbound calls Thresholds, penalties, and limits healthcare teams must know 1,500 TCPA penalty per willful violation (max) 50k HIPAA civil penalty per violation (max) 6 HIPAA record retention requ… (years) 3 FCC HIPAA exemption: max calls per week Source: 47 U.S.C. § 227; HHS HIPAA Privacy Rule 45 C.F.R. Part 164; FCC Declaratory Ruling FCC 15-72

TCPA litigation almost always turns on one question: can you prove consent at the time of the call? Plaintiffs have won large settlements not because consent was never obtained, but because the defendant couldn't produce the record [6].

At minimum, your consent records should capture the exact text of the disclosure shown to the consumer, the date and time of consent, the IP address or device identifier, the specific phone number consented to, and the name of the entity in the consent. Store these in a system that generates an immutable audit trail. A spreadsheet your team can edit after the fact won't hold up.

Retention matters. The FCC has not set a specific retention window for TCPA consent records, but the statute of limitations for TCPA claims is four years under 28 U.S.C. § 1658, the federal catch-all, and some courts have applied a different analysis [12]. Keeping consent records for at least five years is conservative and reasonable.

HIPAA is stricter. The Privacy Rule requires covered entities to retain authorization documentation for six years from the date of creation or from when it was last in effect, whichever is later [4]. Since healthcare outbound consent so often overlaps with HIPAA authorization, design your record system to hit the six-year window and you cover both frameworks at once.

At high call volume, manual record-keeping falls apart. A compliant calling platform should log the consent artifact right alongside the call record. If you're using a CRM, the consent record belongs in a non-editable field or as an attached document, not a free-text note anyone can rewrite. The TCPA class actions that produce the biggest settlements almost always involve defendants whose consent records were missing, inconsistent, or plainly post-dated [6].

Does the existing patient relationship give you implicit consent to call?

No. This is probably the most common misconception in healthcare outbound compliance.

The FCC rejected "implied consent" for cell phone calls made with an autodialer or prerecorded voice back in its 2012 rules [2]. Handing a phone number to a healthcare provider at intake does count as prior express consent for informational calls under the HIPAA exemption, but only when the call is genuinely informational and covered by HIPAA, you disclosed at intake that the number would be used for such calls, and the call meets the time, frequency, and opt-out requirements from the 2015 FCC order [3].

An existing patient relationship does not let you use an autodialer to call that patient's cell for marketing, even if what you're marketing is a health service. The FCC and multiple circuit courts have rejected "established business relationship" as a defense for cell phone calls, though it survives as a partial defense for calls to residential landlines under the Telemarketing Sales Rule the FTC administers.

If a patient gave you their cell number for appointment reminders, you can call with appointment reminders. You cannot pivot that consent into calls about a new weight-loss program. The scope of the original consent defines the scope of permissible calls. Change the purpose and you need fresh consent.

The safest practice: every time you add a new outbound call program, ask whether each patient in that program consented specifically for this type of call. If the answer is "sort of" or "they gave us their number," you don't have consent.

Consent requirements split hard by line type [1].

Line TypeCall TypeConsent Required
Cell phoneMarketing, autodialer or prerecordedPrior express written consent
Cell phoneInformational, autodialer or prerecorded, HIPAA-compliantPrior express consent (not required to be written)
Cell phoneLive agent, manual dialNo TCPA consent required (but DNC rules apply)
Residential landlinePrerecorded marketingPrior express written consent
Residential landlinePrerecorded informationalPrior express consent
Residential landlineLive agent telemarketingNo written consent, but EBR or opt-in can be a defense

The problem: you often don't know whether a number is a cell or a landline when you dial. Number portability means a line that started as a landline may now be wireless. Reassigned numbers are another trap. The person who gave consent may not own the number anymore.

The FCC's 2015 Declaratory Ruling set up a one-call safe harbor for reassigned numbers, giving you a single call after reassignment before liability attaches, provided you had no knowledge of the reassignment [3]. That safe harbor is thin and got modified by later rulemaking. The practical answer is to run your list through a real-time number verification service that flags wireless versus landline and flags known reassigned numbers before you dial.

For any number you cannot positively confirm as a landline, treat it as a cell phone and apply cell phone consent standards. That's the defensible position.

Check against the National Do Not Call Registry before any call that could read as telemarketing. The do not call list applies regardless of consent if the consumer registered their number and you lack an established business relationship or prior written agreement.

A compliant consent form for healthcare outbound calls using an autodialer needs specific language. Here's what the disclosure section should carry, based on FCC requirements [2]:

"By providing my telephone number and signing below, I authorize [Entity Name] to contact me at the number provided using an automatic telephone dialing system or prerecorded or artificial voice messages. I understand that I do not have to provide this authorization as a condition of receiving medical care or any other goods or services."

That text needs to sit apart from other disclosures, in readable font, not buried in a slab of legal boilerplate. The FCC's "clear and conspicuous" standard means a reasonable consumer reading normal documents would see and understand it.

For informational-only programs relying on the HIPAA exemption (no written consent required), the intake form or patient portal enrollment should still say something like: "By providing your cell phone number, you agree that [Entity Name] may contact you at this number with appointment reminders, prescription notifications, and other healthcare-related messages. You may opt out at any time by calling [number]."

What does not satisfy the requirement: pre-checked checkboxes, consent language tucked into a terms-of-service footnote a patient clicks through without reading, verbal consent for an autodialed call (verbal is fine for a manually dialed call to a cell phone, but not for an autodialer), and consent forms that name one entity when a different entity actually makes the calls. That last one matters for healthcare systems where a management company dials on behalf of a provider.

For teams building or auditing their consent capture process, the LeadCompliant consent compliance kit includes template disclosure language reviewed against current FCC guidance plus a consent audit checklist.

The TCPA allows $500 per violation and up to $1,500 per violation if the court finds the violation was knowing and willful [1]. Each call to a non-consenting cell phone is a separate violation. Healthcare organizations running large outbound campaigns can face class action exposure in the millions before discovery even starts.

Some real outcomes: Capital One settled a TCPA class action for $75.5 million in 2012, one of the earliest large settlements in this space. More recently, a Cash App TCPA class action settlement showed how fast consumer-facing businesses pile up per-call exposure. In healthcare specifically, a 2021 case against a major pharmacy benefits manager ended in an eight-figure settlement after plaintiffs argued that prerecorded prescription refill calls to patients who hadn't given cell-phone-specific consent violated the TCPA.

HIPAA penalties layer on top. If a call discloses protected health information to the wrong person (a voicemail on a shared line, say), you face HHS Office for Civil Rights enforcement with civil penalties from $100 to $50,000 per violation, capped at $1.9 million per violation category per year [4].

State attorneys general and private plaintiffs in FTSA states add a third exposure track. Florida's FTSA has driven a wave of litigation against healthcare companies since its 2021 effective date.

A solid consent capture and verification system costs a rounding error next to any of these outcomes. Most TCPA class actions settle for several million dollars after two to three years of litigation, even when the defendant had a plausible consent defense, because the litigation economics push toward settlement.

Once a consumer revokes consent, you stop calling. Full stop. The TCPA doesn't specify how revocation has to be communicated, which has spawned litigation over whether a verbal opt-out during a call takes effect immediately or after a "reasonable time" to process it [7].

The FCC's 2015 order clarified that consumers can revoke consent by any reasonable means, and that callers must honor revocation within a "reasonable time," which the FCC suggested is no more than 10 business days for robocall programs [3]. For live agent calls, revocation should stop calls immediately.

Healthcare runs HIPAA's opt-out rules in parallel. If a patient opts out of marketing communications under HIPAA (an absolute right for most health-related marketing), that opt-out should cascade into your TCPA consent records. Keeping separate opt-out lists for HIPAA and TCPA and never cross-referencing them is how you end up calling someone who opted out under one framework because you only caught them in the other.

Best practice: maintain a single suppression list that captures any opt-out signal from any channel (phone call, email, in-person request, web form) and apply it across every outbound call program before a campaign runs. Wire that suppression list into the mobile phone do not call list lookups you should already be running.

For healthcare programs that use a third-party vendor or call center, your contract has to require them to honor opt-outs and report them back to you in real time or inside the FCC's 10-business-day window. Liability for the vendor's failure to honor an opt-out flows back to the healthcare organization.

What does HIPAA require beyond what the TCPA covers?

HIPAA's Privacy Rule creates requirements the TCPA simply doesn't address [4]. The ones that bite hardest on outbound calls:

Minimum necessary standard: when you leave a voicemail, don't reveal more protected health information than the call's purpose requires. "Please call us back about your recent test results" beats naming the specific condition or test, because voicemails get heard by household members.

Patient authorization for marketing: if a call counts as "marketing" under HIPAA (generally, any communication that encourages use of a product or service where the covered entity receives remuneration), you need a separate HIPAA authorization for it, distinct from the TCPA consent form [11].

Business associate agreements: if a call center or dialing platform handles protected health information for you, it's a business associate under HIPAA and must sign a BAA before you share any patient data. Plenty of generic dialing platforms have never executed one. Using a non-BAA platform for healthcare outbound calls is a HIPAA violation on its own, independent of anything TCPA-related.

Because HIPAA and TCPA overlap, your legal and compliance review can't stop at one statute. Ideally, a healthcare organization's consent form and outbound call workflow get reviewed by counsel who knows both frameworks before the campaign launches, not after the first complaint lands.

For teams building out their compliance process, the LeadCompliant consent and calling compliance kit walks through the HIPAA-TCPA intersection as a practical checklist, so you can verify your intake forms, suppression lists, and vendor contracts cover both requirements.

Consent capture is not a one-time project. Patient databases turn over, phone numbers change, call programs shift, and regulations update. An audit that runs only at campaign launch will miss the reassigned number that surfaced six months later or the opt-out that never propagated to the new call vendor.

A practical audit cadence for a small-to-mid-size healthcare outbound team looks like this. Before each campaign: scrub the call list against the National DNC Registry (required under the FTC Telemarketing Sales Rule for telemarketing calls), check for reassigned or ported numbers, confirm each record has a consent artifact attached, and verify the consent covers the specific call type you're making [8]. Monthly: review complaints, opt-out requests, and attorney demand letters, and trace each back to a specific consent record. Quarterly: check your consent form language against any new FCC guidance or state law changes.

Document every step. If a lawsuit comes, you want to show a court a systematic process, more than good intentions. Courts and the FCC give real credit to defendants who had reasonable compliance procedures in place even when an isolated error slipped through.

The FCC's 2024 one-to-one consent rule, which took effect in January 2025 for most callers, requires that written consent name a specific seller rather than granting blanket consent to a category of companies [9]. If your healthcare organization uses a third-party lead generator or a patient acquisition partner who passes consent, verify that the consent form names your organization specifically, not "healthcare providers" in general. Generic category consent no longer satisfies the TCPA for those calls.

For anyone new to standing up a compliant cold calling operation in healthcare, the FCC's consumer guides and the FTC's Telemarketing Sales Rule pages are the right starting point before you spend a dollar on a dialing system.

Are there any safe harbors or exemptions that actually help healthcare organizations?

A few real ones exist. Each has conditions that are easy to blow.

The HIPAA healthcare exemption (FCC 2015 Declaratory Ruling) is the big one [3]. It exempts autodialed or prerecorded calls to cell phones from the written-consent requirement if the call is from a healthcare provider (or its business associate) to a current patient, is covered by HIPAA, is not marketing, is free to the called party, lasts no more than 60 seconds, occurs between 8 a.m. and 9 p.m. in the recipient's time zone, holds frequency to no more than one call per day and three per week, and includes an automated opt-out mechanism. Meet all of those and you need only prior express consent, not written consent, for that specific call type.

The emergency purposes exemption in 47 U.S.C. § 227(b)(1)(A)(i) covers calls made with an autodialer or prerecorded voice "made for emergency purposes." A genuine public health emergency notification can qualify. Routine appointment reminders do not.

The "manually dialed, live agent" exemption is the simplest one. If a live human dials the number by hand with no autodialer involved, TCPA cell phone consent requirements don't apply to that call. You still respect DNC registration and state law, but the consent bar drops away. For small teams with a genuinely manual cold call process, this is a legitimate path many healthcare teams overlook while over-investing in consent infrastructure for automated calls they shouldn't be making in the first place.

None of these exemptions shields you from state law that runs past the federal floor. Florida, Washington, and Oklahoma, among others, have state-level rules the federal HIPAA exemption does not preempt.

Frequently asked questions

Yes, if you use an autodialer or prerecorded voice to call a cell phone, even for appointment reminders. The FCC's 2015 HIPAA healthcare exemption removes the written-consent requirement for qualifying informational calls, but you still need prior express consent, meaning the patient provided their cell number for that purpose. A live-agent manual dial requires no TCPA consent, though DNC rules still apply.

Can a healthcare company buy a patient list and call those numbers?

No. Consent does not transfer with a purchased list. Each person on a purchased or acquired list must give fresh consent to the specific entity making the call. Calling a purchased list with an autodialer or prerecorded message without new consent first exposes you to $500 to $1,500 per call in TCPA statutory damages, with each call counting as a separate violation.

What is the FCC's HIPAA healthcare exemption for outbound calls?

It is an exemption from the prior express written consent requirement for certain healthcare informational calls. It applies when calls are made by or on behalf of a HIPAA-covered entity to a current patient, are not marketing, are free to the recipient, last under 60 seconds, occur between 8 a.m. and 9 p.m. local time, are limited to one per day and three per week, and include an opt-out mechanism. All conditions must be met.

Yes. The FCC confirmed in 2015 that consumers can revoke consent by any reasonable means, including verbally during a live call. Once revoked, you must honor it within a reasonable time, which the FCC suggested is no more than 10 business days for automated call programs. For live agent calls, the stop should be immediate. Failure to honor a verbal opt-out is a TCPA violation.

What HIPAA requirements apply when leaving healthcare voicemails?

Under HIPAA's minimum necessary standard, voicemails should not reveal more protected health information than needed to accomplish the call's purpose. Avoid mentioning specific diagnoses, test names, or medications in a message that could be heard by household members. Say enough for the patient to call back, not enough to constitute a disclosure. If the number is shared or unknown to you, HIPAA limits what you can safely leave.

Yes. The rule, effective January 2025, requires that prior express written consent for marketing calls name the specific seller making the calls, not a generic category. If a healthcare organization uses lead generation partners or patient acquisition services, the consent form must name the healthcare organization specifically. Blanket consent to 'healthcare providers' no longer satisfies the TCPA for autodialed marketing calls.

What are the maximum TCPA penalties for healthcare organizations?

The TCPA allows $500 per unlawful call and up to $1,500 per call if the violation was knowing and willful. There is no cap per defendant, and each call to each person counts separately. A campaign of 10,000 calls to consumers who did not consent could generate up to $15 million in statutory damages before any class action multiplier. Healthcare organizations also face parallel HIPAA civil penalties of up to $1.9 million per violation category per year.

Do Florida's FTSA rules apply to healthcare outbound calls?

Yes. Florida's Telephone Solicitation Act requires prior express written consent for any automated call to a Florida cell phone, and it does not include a meaningful healthcare exemption equivalent to the FCC's HIPAA carve-out. It allows a private right of action with up to $500 per call. Any healthcare organization calling Florida cell phone numbers with an autodialer should treat Florida numbers as requiring prior express written consent regardless of call purpose.

Does a business associate agreement (BAA) matter for TCPA compliance in healthcare?

Directly, no. A BAA is a HIPAA contract requirement, not a TCPA one. But it matters for the overall compliance picture: if your call center or dialing platform handles patient data without a BAA, you have an independent HIPAA violation. And many TCPA lawsuits also include state-law privacy and consumer protection claims. Running patient data through a non-BAA vendor adds HIPAA exposure on top of any TCPA risk.

The TCPA does not set an expiration date on consent. But consent is tied to the specific entity named in the form and the specific purpose disclosed. If your organization changes name, merges, or adds new call programs that fall outside the original consent scope, you need fresh consent for those changes. Periodic re-consent campaigns every two to three years are common in healthcare as a practical buffer against stale records.

TCPA consent governs whether you may dial the number at all, specifically for autodialed or prerecorded calls. HIPAA authorization governs what you may say on the call, particularly for marketing communications. You can have one without the other. For healthcare marketing calls, you need both: a TCPA prior express written consent form and a HIPAA marketing authorization if the covered entity receives remuneration for the call.

Can healthcare organizations use text messages instead of calls to avoid TCPA issues?

No. SMS to cell phones is treated the same as calls under the TCPA, requiring prior express written consent for marketing texts sent via autodialer and prior express consent for informational texts. The FCC's HIPAA healthcare exemption covers certain calls but its application to texts is less settled. Texts also trigger state laws. Switching to SMS does not reduce TCPA exposure; it replicates the same framework with some additional unsettled questions.

Do manual calls from a live agent to healthcare patients require any consent?

Under the TCPA, no consent is required for a genuinely manual live-agent call to a cell phone, because the autodialer provision does not apply without an autodialer. But you must still comply with the National Do Not Call Registry for any call that constitutes telemarketing, and state laws may impose additional requirements. 'Manual' means a human dials each number individually with no automated system involved in the dialing.

Sources

  1. U.S. Code, 47 U.S.C. § 227, Telephone Consumer Protection Act: TCPA creates $500 per violation and up to $1,500 per willful violation; prohibits autodialed or prerecorded calls to cell phones without prior express consent
  2. HHS, HIPAA Privacy Rule, 45 C.F.R. Part 164: HIPAA requires six-year retention of authorization records; civil penalties range from $100 to $50,000 per violation capped at $1.9 million per category per year; minimum necessary standard applies to disclosures
  3. Florida Legislature, Florida Telephone Solicitation Act (FTSA), Fla. Stat. § 501.059: Florida FTSA requires prior express written consent for automated calls to Florida cell phones and allows private right of action up to $500 per call
  4. FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: Telemarketing Sales Rule governs established business relationship defense for residential landline telemarketing and National DNC Registry requirements
  5. FTC, National Do Not Call Registry, donotcall.gov: Telemarketers must scrub call lists against the National DNC Registry before telemarketing calls
  6. U.S. Code, 15 U.S.C. § 7001, Electronic Signatures in Global and National Commerce Act (E-SIGN): Electronic signatures satisfy consent signature requirements under federal law
  7. HHS Office for Civil Rights, HIPAA Marketing Rule Guidance: HIPAA requires separate patient authorization for marketing communications where covered entity receives remuneration
  8. U.S. Code, 28 U.S.C. § 1658, Federal Statute of Limitations: Four-year federal catch-all statute of limitations applies to TCPA claims in federal court

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit