Last updated 2026-07-09

TL;DR
The TCPA applies fully to healthcare organizations. Calls and texts to patients using an autodialer or prerecorded voice require prior express written consent for marketing, and prior express consent for most informational messages. The FCC's healthcare exemption covers a narrow list of non-marketing calls to landlines only. Violations cost $500 to $1,500 per message, and class actions are common.
Does the TCPA apply to patient communications?
Yes, completely. The Telephone Consumer Protection Act, 47 U.S.C. § 227, has no general healthcare exemption [1]. If your practice, hospital, or health system uses an autodialer or prerecorded voice to call or text patients, the TCPA governs every one of those contacts. There is no "we're a doctor's office" pass.
The confusion usually comes from a 2012 FCC rulemaking and a 2015 FCC Declaratory Ruling that created a narrow, conditional exemption for certain healthcare-related calls to landlines [2]. That exemption covers appointment reminders, wellness checkups, prescription notifications, and some pre- and post-discharge calls, but only when the calls meet a specific set of conditions. Step outside those conditions and you carry full TCPA liability.
Healthcare is one of the most litigated TCPA sectors. UnitedHealthcare paid $2.5 million to settle TCPA claims tied to alleged unauthorized patient contact [see /articles/tcpa-basics/unitedhealthcare-to-pay-2-5m-for-alleged-tcpa-violations]. Kaiser Permanente has faced similar class action pressure [see /articles/tcpa-basics/kaiser-tcpa-settlement-claim-deadline]. The risk is real, and it has hit both large health plans and small provider groups.
What is the FCC's healthcare exemption and what does it actually cover?
The FCC created what practitioners call the "healthcare exemption" in a 2012 Report and Order (FCC 12-21) and reinforced it in a 2015 Declaratory Ruling (FCC 15-72) [2][9]. The exemption lets HIPAA-covered entities and their business associates make certain informational, non-marketing calls to patients on wireless numbers using an autodialer or prerecorded voice without first getting prior express written consent, but only if every one of these conditions is met:
- The call comes from a healthcare provider or its contractor acting on behalf of a HIPAA-covered entity
- The call is purely informational (appointment reminders, medication refill reminders, pre-procedure prep, lab results, post-discharge follow-ups, wellness checks, immunization reminders)
- The message contains no marketing or solicitation of any kind
- The caller identifies itself clearly
- A prerecorded call runs no more than 60 seconds and offers a way to opt out
- No more than one call per day, and no more than three per week on the same subject
- The message includes an easy opt-out mechanism
Break any single condition and the exemption vanishes for that call. You're back to needing prior express consent for informational calls, or prior express written consent for anything with a marketing edge.
The exemption does not cover texts. The FCC never extended it to SMS. So appointment reminder texts to cell phones still need at least prior express consent, and any marketing language pushes them to prior express written consent [3].
What type of consent do patient communications require?
The TCPA has two consent tiers, and healthcare teams mix them up constantly.
Prior express consent covers informational autodialed or prerecorded calls to cell phones. A patient gives it when they hand over their cell number in the context of the healthcare relationship. The FCC's 2012 rulemaking said a person who provides a number to a healthcare provider in connection with receiving care has given prior express consent to receive calls related to that care [2]. It's consent by voluntary provision of the number, not a written signature.
Prior express written consent is required for any message with a marketing or advertising component. It's a written agreement, signed (electronic signatures count), that clearly states the patient agrees to receive autodialed or prerecorded marketing calls or texts at the number provided. The rule at 47 C.F.R. § 64.1200(a)(2) spells this out [3]. A blanket "by providing your number you agree to receive communications" buried in an intake form probably fails this standard for marketing, because the FCC requires the agreement to be clear and conspicuous.
Here's the breakdown:
| Communication type | Medium | Consent required |
|---|---|---|
| Appointment reminder (no marketing) | Autodialed call to cell | Prior express consent (number given to provider) |
| Appointment reminder | Text to cell | Prior express consent |
| Marketing (new service, promotion) | Autodialed call to cell | Prior express written consent |
| Marketing | Text to cell | Prior express written consent |
| Informational call to residential landline | Autodialed call | No consent required (FCC exemption, conditions apply) |
| Billing, collections | Autodialed call to cell | Prior express consent; check FCC rules on reassignment |
| Post-discharge follow-up (non-marketing) | Autodialed call to cell | Prior express consent (or FCC exemption if all conditions met) |
One thing that trips up health systems: consent captured years ago on a different platform or for a different purpose may not carry forward. The FCC's one-to-one consent rule, adopted January 2024 and set to take effect January 2025, tightened the standard by requiring written consent to name the specific seller or caller rather than grant generic permission [4].
How does patient consent revocation work under the TCPA?
Patients can revoke TCPA consent at any time through any reasonable means. That's the FCC's stated position from its 2015 Declaratory Ruling, reinforced again in the 2024 revocation order [4][9]. "Any reasonable means" is not a small phrase. A patient who tells a nurse during a call "please stop texting me" has revoked consent, even if your system usually wants an online opt-out form.
The FCC's 2024 order set a hard clock: covered entities must honor a revocation request within 10 business days [4]. Miss that window and you face per-message liability for every message sent after the patient asked you to stop.
Build revocation handling into every channel. If a patient emails a revocation, log it and suppress the number right away. If a patient says it out loud during an appointment, your staff needs a documented workflow to flag it in the CRM or EHR. A voicemail full of ignored opt-outs is not a safe harbor.
Don't rely on "STOP" as your only revocation path. The FCC rejected the argument that patients must use a specific keyword or channel to revoke. Requiring "STOP" as the sole option while ignoring a written letter would likely be treated as a failure to honor revocation.
What counts as an autodialer in a healthcare context?
This has been unsettled for years. The Supreme Court's 2021 decision in Facebook v. Duguid narrowed the definition of an automatic telephone dialing system (ATDS), holding that a system must "use a random or sequential number generator" to produce or store numbers to qualify [5]. A system that just dials from a stored list of patient numbers, without generating numbers randomly, may fall outside that definition.
Don't read that as a green light to skip consent. Three reasons.
Prerecorded voice calls are separately regulated under 47 U.S.C. § 227(b)(1)(B) no matter what dialer you use [1]. If you play a prerecorded message, the TCPA still applies even when your dialer isn't an ATDS post-Duguid.
Several states, including Florida and Oklahoma, passed mini-TCPA laws with their own, sometimes broader, ATDS definitions [6]. Florida's Telephone Solicitation Act, amended in 2021, reaches equipment that can dial numbers sequentially, catching systems the federal definition misses.
And the FCC has not ruled on exactly which dialer architectures escape the post-Duguid ATDS definition. Betting your compliance program on Duguid without running your specific system past counsel is risky.
Practical rule: if your outreach platform dials numbers from a list automatically without a human starting each call, build your consent program as if the platform is an ATDS. The cost of guessing wrong is $500 to $1,500 per call.
What penalties does a healthcare organization face for TCPA violations?
Statutory damages run $500 per violation for negligent violations and $1,500 per violation for willful or knowing ones [1]. "Per violation" means per call or per text. A monthly appointment reminder campaign to 50,000 patients with a consent problem is 50,000 violations at once.
Healthcare defendants carry the same class action exposure as anyone else. Because these organizations send high volumes of near-identical messages, the class certification math gets ugly fast. A single poorly documented consent program covering 200,000 patients, with one text a month over 12 months, produces theoretical exposure of $200,000 x 12 x $500 = $1.2 billion before any trebling for willfulness. Real settlements land far below that, but they still hurt.
The FCC can also act. It has issued warning letters and forfeiture orders against healthcare organizations, though most high-dollar pain comes from private class actions, not agency enforcement.
Private TCPA claims carry a four-year statute of limitations under 28 U.S.C. § 1658 [12]. A patient database with consent problems from 2021 or later can still generate liability today.
For a sense of scale, the UnitedHealthcare settlement at $2.5 million [see /articles/tcpa-basics/unitedhealthcare-to-pay-2-5m-for-alleged-tcpa-violations] and the Kaiser matter [see /articles/tcpa-basics/kaiser-tcpa-settlement-claim-deadline] show that health plan operations face the same dollar risk as financial services firms. Banks like Truist and Credit One have settled for similar and larger amounts [see /articles/tcpa-basics/truist-bank-tcpa-class-action-settlement] [see /articles/tcpa-basics/credit-one-tcpa-settlement].
How do HIPAA and the TCPA interact for patient communications?
They're separate laws with different jobs, and they don't line up neatly. HIPAA governs the privacy and security of protected health information [10]. The TCPA governs consent for electronic communications. A disclosure that satisfies HIPAA can still violate the TCPA, and vice versa.
The FCC's healthcare exemption requires that covered communications come from HIPAA-covered entities or their business associates [2]. So HIPAA status matters for getting into the exemption. But the exemption's other conditions (call duration, frequency, opt-out mechanism) are pure TCPA requirements that HIPAA never touches.
Here's how the tension shows up. Your HIPAA notice of privacy practices describes how you use patient contact information. Handing a patient that notice does not create TCPA consent. A patient who signed your HIPAA acknowledgment has not necessarily agreed to receive autodialed texts from your patient engagement platform.
The clean approach is to layer consent. Capture TCPA consent at intake alongside, but separate from, the HIPAA acknowledgment. The TCPA consent should name the type of communication and identify the entity sending it. Keep that record in the patient's file with a timestamp and the collection method, separate from the HIPAA documentation.
Are appointment reminder texts and calls treated differently than marketing messages?
Yes, and the line between them matters more than most healthcare marketing teams realize.
A pure appointment reminder, something like "You have an appointment with Dr. Jones on Thursday at 2pm, call to reschedule," is an informational, non-marketing message. It needs prior express consent, which can come from the patient voluntarily providing the number. It does not need prior express written consent.
Add anything that promotes services, nudges the patient toward extra treatment, mentions a new program or product, or tries to shape a purchasing decision, and the message tips into marketing. That shifts the requirement to prior express written consent, a much higher bar.
Watch where things break: a lab result notification that ends with "ask your doctor about our new wellness panel"; an appointment reminder that adds "while you're in, consider scheduling your annual physical, now with new telehealth options"; a discharge follow-up that invites the patient to rate the visit and plugs a referral program. Each carries a marketing overlay. The FCC's definition of "telephone solicitation" under 47 C.F.R. § 64.1200 reaches calls "for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services" [3]. Healthcare services are services.
The working rule: draft your patient message templates, then have a compliance person read each one with a single question in mind. Does this message do anything other than inform the patient about their own care? If yes, treat it as marketing and get written consent.
What should a healthcare consent and documentation program look like?
The program needs four parts: collection, documentation, revocation handling, and audit.
Collection. Capture TCPA consent at patient intake and again at every enrollment in a new communication program. The language for informational messages should identify who will contact them and why. For marketing, the consent must be a separate, standalone authorization, not buried in a general intake form. Electronic signatures are valid under the E-Sign Act.
Documentation. Store a timestamped consent record alongside the patient record. It must include the phone number consented to, the date and method of collection, the exact language of the consent, and the staff member or system that captured it. When you defend a TCPA claim, "we always get consent at intake" will not hold up. You need the actual record for the specific number.
Revocation handling. Map every inbound channel where a patient might revoke: inbound STOP text, verbal revocation on a call, written revocation by email or mail, opt-out through a patient portal. Build a workflow that suppresses the number in your outreach system within 10 business days, ideally same-day. Log every revocation with a timestamp.
Audit. At least annually (quarterly is better for high-volume senders), audit a random sample of outgoing messages against consent records. Check whether any messages went to numbers where consent was revoked. Check whether any marketing-adjacent messages relied on informational consent. This is where LeadCompliant's compliance kit helps smaller healthcare teams without a dedicated compliance department build a structured process from something other than a blank page.
For teams running any kind of text-based patient outreach, the general principles of text message marketing consent apply directly, and the TCPA requirements match every other industry.
Does the national Do Not Call registry apply to patient calls?
The national DNC registry, run by the FTC, applies to telephone solicitations. Purely informational calls like appointment reminders are not solicitations and don't fall under the DNC registry the same way [7]. But calls with a marketing component, upsells, or any commercial purpose can count as solicitations and need DNC scrubbing.
The more relevant restriction for healthcare is the TCPA's own do-not-call framework. Under 47 U.S.C. § 227(c) and 47 C.F.R. § 64.1200(d), entities making telephone solicitations must keep an internal DNC list and honor requests to be added [1]. A patient who says "take me off your call list" must go on your internal suppression list within 30 days, and you can't call them for solicitation purposes for at least five years [11].
TCPA consent revocation and a DNC request are related but not identical. A TCPA revocation stops all autodialed or prerecorded contact. An internal DNC request under the solicitation rules stops solicitation calls, while non-marketing care calls may continue depending on the patient's relationship with the practice. Keep the two lists distinct and apply the more restrictive one when you're unsure.
What are the biggest TCPA compliance mistakes healthcare organizations make?
Looking at the pattern of settlements and enforcement actions, a handful of mistakes repeat.
Assuming old consent covers new channels. Consent collected on a 2015 intake form never contemplated SMS reminders or AI-voiced appointment calls. Courts and the FCC have been skeptical of organizations stretching old consent across new communication modalities.
Treating the healthcare exemption as general permission. The exemption is narrow, conditional, and silent on texts. Plenty of organizations act as if being a HIPAA-covered entity loosens the TCPA rules. It does not.
Number reassignment blind spots. Patient phone numbers get reassigned. A number that belonged to a consenting patient two years ago may now belong to a stranger who never consented. The FCC built the Reassigned Numbers Database (RND) for exactly this problem [8]. Skip the RND scrub before a campaign and you risk contacting non-patients with a clean TCPA claim.
Vendor contracts that shift liability without absorbing it. Hire a patient engagement platform, outbound calling vendor, or CRM to send messages for you, and the TCPA treats you as the initiator. The vendor's error is your liability. Contracts should require the vendor to meet TCPA standards, but that protection only helps in a vendor indemnification fight, not in the patient's underlying lawsuit.
Ignoring state mini-TCPA laws. Florida, Oklahoma, Washington, and others passed laws with different (sometimes broader) definitions and lower standing requirements. Florida's 2021 law created a private right of action and does not require an ATDS, which means a standard predictive dialer can trigger liability even outside the post-Duguid federal definition [6].
For ongoing developments, the TCPA news tracker follows new cases and FCC rulemakings as they land.
How did the FCC's 2024 consent rules change things for healthcare?
The FCC's Report and Order adopted in January 2024 made two changes that hit healthcare hard [4].
First, the one-to-one consent requirement. Starting January 27, 2025, prior express written consent for marketing calls and texts must name the specific seller or caller. Generic lead-form consent like "I agree to receive calls from partners" no longer works. For healthcare, this reaches any organization that shares patient data with affiliated entities, such as a hospital system trying to route one intake form's consent across a dozen subsidiary practices.
Second, the revocation standardization rule. The FCC required covered entities to honor opt-out requests sent by any reasonable means within 10 business days. It also barred forcing consumers through a complicated opt-out process, like calling a specific number during specific hours, as the only way to revoke. Patient portals that make opt-out technically hard face real exposure here.
The 2024 rules also clarified that consent gathered through comparison-shopping websites or lead generators, then sold to healthcare organizations, does not meet the one-to-one standard. Health plans buying leads for outreach (Medicare Advantage enrollment, for example) need to verify that the consent on those leads names their plan specifically, not a generic insurance marketplace.
Frequently asked questions
Do appointment reminder calls require written consent under the TCPA?
No. Pure appointment reminders with no marketing content require prior express consent, which is satisfied when the patient voluntarily gives their cell number to the provider. Prior express written consent (a signed agreement) is only required when the message carries marketing or promotional content. Because the line between informational and marketing is narrow, review every reminder template carefully.
Can a hospital text patients about their test results without TCPA written consent?
Texting test results to a cell number the patient gave you at intake likely qualifies as prior express consent under the FCC's framework. You don't need a separate signed written consent for purely informational messages. But the text must carry no marketing language. If the result notification pushes a follow-up package or plugs a new service, it needs prior express written consent.
Is the healthcare TCPA exemption the same as a HIPAA exemption?
No, they're completely separate. HIPAA governs patient data privacy. The TCPA governs outbound call and text consent. The FCC's healthcare exemption from the 2012 and 2015 rulings is a narrow TCPA carve-out for specific non-marketing calls from HIPAA-covered entities. Complying with HIPAA does not satisfy the TCPA, and TCPA consent records don't substitute for HIPAA documentation.
What happens if a healthcare organization calls a reassigned phone number?
If the number was reassigned to someone who never consented, every call or text to it is a potential TCPA violation. The FCC's Reassigned Numbers Database (RND) lets callers check whether a number was reassigned before a specific date. Scrubbing against the RND before campaigns is the practical protection. Without it, you can be liable even though you had valid consent from the number's prior owner.
Do state laws create additional TCPA-like requirements for patient communications?
Yes. Florida, Oklahoma, Washington, and other states have telephone solicitation laws with definitions and standing rules that reach beyond the federal TCPA. Florida's 2021 amendment is especially aggressive, covering calls made with equipment that dials sequentially, which can catch dialers that would not qualify as an ATDS under the post-Duguid federal definition. Multi-state healthcare organizations need a state-by-state review.
How long does a healthcare organization have to honor a patient's opt-out request?
Under the FCC's 2024 revocation rules, covered entities must honor opt-out requests within 10 business days. For internal do-not-call requests under the FTC's telemarketing rules, the deadline is 30 days. Best practice is to process every revocation as close to same-day as your system allows, both to cut liability and because most patient engagement platforms can suppress numbers instantly.
Can a healthcare provider call a patient about unpaid bills using an autodialer?
Billing and collections calls to cell phones fall under the TCPA. If the patient gave you the number at intake for healthcare purposes, you may have prior express consent for informational billing contact. But once the call becomes collections work by a third-party debt collector, the FDCPA may also apply, and the original intake consent may not extend that far. Get specific legal advice before running collections campaigns.
What does 'prior express consent' actually mean for a patient who gave their cell number on a form?
The FCC's 2012 rulemaking said a person who gives a cell number to a healthcare provider in connection with receiving care has given prior express consent to receive calls related to that care. No separate signature is required for informational messages. But the call must relate to the same healthcare context in which the number was given. Calling that number about an unrelated new service requires written consent.
Are telehealth platforms and patient engagement apps subject to the TCPA?
Yes. Any platform that sends automated texts or places autodialed calls on behalf of a healthcare provider falls under the TCPA. The provider is treated as the initiator even when a vendor pushes the send button. Vendor agreements should require TCPA compliance, but contractual indemnification does not shield you from the patient's lawsuit. The consent obligation belongs to the provider.
How do Medicare Advantage plans and health insurers handle TCPA consent for outreach?
Health insurers making outbound marketing calls to enroll or upsell members need prior express written consent, because those calls are solicitations. The 2024 FCC one-to-one consent rule means consent must name the plan specifically, more than "insurance providers." Buying leads from lead generators whose consent form names a marketplace rather than the specific plan does not satisfy the current FCC standard.
What is the statute of limitations for a TCPA claim against a healthcare organization?
Four years under 28 U.S.C. § 1658, the general federal catch-all statute of limitations. A patient who received an improperly consented automated message in 2022 can still file today. That's why retroactive consent audits matter. Organizations should review consent records going back at least four years when sizing their exposure, especially if they changed communication platforms or vendors during that stretch.
Can patients sue healthcare organizations directly under the TCPA, or only through the FCC?
Patients can sue directly. The TCPA has a private right of action in federal court, and plaintiffs don't have to file an FCC complaint first. Most healthcare TCPA cases are private class actions, not FCC enforcement. The FCC can act separately, but the main risk is civil suits from patients or their attorneys. Class certification is common because the same template goes to thousands of patients.
Does the TCPA apply to calls made by a live agent with no autodialer?
Generally no, for the ATDS restrictions. The core TCPA prohibitions require either an ATDS or a prerecorded or artificial voice. A human agent manually dialing individual patient numbers is not covered by the ATDS or prerecorded voice rules. But the TCPA's do-not-call provisions and the FTC's telemarketing rules still apply to human-agent solicitation calls, so this isn't a full pass.
What records should a healthcare organization keep to defend a TCPA claim?
Keep the exact consent language the patient saw, the date and method of collection, the specific phone number consented, who collected it, and the platform used. Keep revocation records too, with timestamps and suppression confirmations. If you use a vendor, get their message delivery logs. In litigation the burden of proving valid consent usually falls on the defendant, and vague notes about general intake procedures will not defeat a well-documented class complaint.
Sources
- Cornell Law / LII, 47 U.S.C. § 227 (Telephone Consumer Protection Act): Statutory text of the TCPA, including $500/$1,500 per-violation damages and prohibition on autodialed calls to cell phones without consent
- FCC, 47 C.F.R. § 64.1200 (FCC TCPA implementing regulations): Regulatory text defining prior express written consent requirements for marketing calls and the definition of telephone solicitation
- Supreme Court of the United States, Facebook Inc. v. Duguid, 592 U.S. 395 (2021): Supreme Court held that an ATDS must use a random or sequential number generator to produce or store numbers, narrowing the federal ATDS definition
- Florida Legislature, Florida Telephone Solicitation Act § 501.059 (2021 amendments): Florida's 2021 amendments cover calls made with equipment that can dial sequentially, broader than the post-Duguid federal ATDS definition
- FTC, National Do Not Call Registry: DNC registry applies to telephone solicitations; purely informational calls are not solicitations and are not covered in the same way
- FCC, Reassigned Numbers Database: FCC-established database allowing callers to check whether a number was reassigned before a specific date to avoid contacting non-consenting new subscribers
- HHS, HIPAA for Professionals: HIPAA governs PHI privacy and security; TCPA consent is a separate legal requirement not satisfied by HIPAA acknowledgment
- FTC, Telemarketing Sales Rule, 16 C.F.R. Part 310: TSR internal DNC list requirements: must honor requests within 30 days and maintain suppression for at least five years
- Cornell Law / LII, 28 U.S.C. § 1658 (4-year federal statute of limitations): General four-year federal statute of limitations applicable to TCPA private right of action claims