TCPA healthcare exemption: what providers actually get (and don't)

Healthcare providers have narrow TCPA exemptions for calls and texts, but not a blank check. Learn exactly which messages qualify and the consent rules that still apply.

LeadCompliant Team
23 min read
In This Article

Last updated 2026-07-10

Hospital administrator reviewing compliance documents at a medical office desk
Hospital administrator reviewing compliance documents at a medical office desk

TL;DR

The TCPA has a real exemption for certain healthcare calls and texts to cell phones, but it's narrow. It covers appointment reminders, prescription notifications, and a handful of other categories, with hard limits on frequency, content, and opt-out. Marketing messages get no exemption, even from a licensed provider. One wrong message can still trigger a $500 to $1,500 per-message lawsuit.

Are there TCPA exemptions for healthcare providers?

Yes. The word 'exemption' fools people, though. It sounds like healthcare organizations can call and text patients however they want. They can't.

The Federal Communications Commission created a specific exemption in 2015 for certain healthcare calls and texts sent to wireless numbers using an autodialer or prerecorded voice. The legal hook is 47 U.S.C. § 227(b)(2)(C), which lets the FCC exempt non-marketing calls that serve the public interest [1]. The FCC used that authority in its 2015 Omnibus TCPA Order (FCC 15-72), carving out a defined set of healthcare messages from the prior-express-consent rule that otherwise governs autodialed or prerecorded calls to cell phones [2].

The exemption doesn't erase consent. It swaps prior express written consent for a lower bar: the patient voluntarily gave the phone number to the provider as part of their relationship. Sounds easy. It comes with operational limits that trip up most healthcare teams.

Which specific healthcare messages does the TCPA exemption cover?

The FCC's 2015 order names the message types that qualify. These aren't broad themes. They're a closed list [2]:

Message categoryExempt?
Appointment and exam confirmations and remindersYes
Prescription notificationsYes
Home delivery notifications for prescriptionsYes
Lab results notifications (no results in the message itself)Yes
Post-discharge follow-up callsYes
Billing and insurance notificationsYes
Wellness checkup remindersYes
Flu shot remindersYes
Marketing of any kindNo
TelemarketingNo
Debt collection callsNo
Survey or research callsNo

The right column decides your fate more than the left one does. A message sent by a hospital, to a patient, about their health, still fails unless it fits an approved category. A call asking a patient to enroll in a premium care program is marketing. A text promoting a new clinic location is marketing. No exemption applies, and the caller needs prior express written consent, same as any other company [3].

The FCC was strict about content, too. The message has to be healthcare-related and carry no marketing or advertising. One line of promotional language dropped into an appointment reminder voids the exemption for that message.

What are the exact operational limits on exempt healthcare calls and texts?

This is where most compliance failures happen. Even for messages that fit the approved categories, the FCC set hard per-message rules in the 2015 order [2]:

  • One message per day, up to three per week, per specific healthcare matter.
  • The message has to include the name and contact information of the healthcare provider.
  • The message has to include instructions for opting out.
  • Opt-out requests have to be honored immediately.
  • The call or text has to be free to the recipient (or the provider has to disclose that charges may apply).

Three per week sounds generous until you notice it applies per matter. Say a patient has two upcoming appointments, two prescription refills, and an outstanding bill. Those are arguably separate matters, so the math balloons fast. Most compliance teams land on the same safe play: track opt-outs aggressively and cap total outreach across all matters at a level any court would call reasonable.

The FCC also demands that opt-out mechanisms actually work. For voice calls, a keypress or spoken instruction has to suffice. For texts, replying STOP has to work right away. If your platform can't process opt-outs in real time, the exemption is cold comfort, because you'll keep sending non-compliant messages to people who already said stop [4].

TCPA healthcare exemption: message categories and their consent requirements Consent level required per message type under FCC 15-72 (2015) Appointment reminders (exempt, pa… 1 Prescription notifications (exemp… 1 Lab result alerts (exempt, patien… 1 Post-discharge follow-up (exempt,… 1 Billing/insurance notifications (… 1 Marketing messages (prior express… 3 Debt collection calls (prior expr… 3 Survey or research calls (prior e… 3 Source: FCC, FCC 15-72 Omnibus TCPA Order, 2015

Does the healthcare exemption cover text messages or only calls?

Both. The FCC's 2015 exemption reaches autodialed calls and texts to wireless numbers, so an appointment reminder sent by SMS gets the same treatment as one sent by autodialed voice call, as long as the other conditions hold [2].

The practical snag is that text platforms often run on short codes or long codes that look like autodialers under any fair reading of the statute. The Supreme Court's 2021 ruling in Facebook v. Duguid narrowed the definition of an automatic telephone dialing system (ATDS) to systems that use a random or sequential number generator to store or dial numbers [5]. After Duguid, some healthcare senders argue that dialing from a fixed patient list, rather than generating numbers randomly, means their system isn't an ATDS and the exemption question never comes up. That argument has legs in some circuits and almost none in others. Building your whole compliance program around Duguid is a real gamble given how much the circuits still disagree.

For text programs specifically, see our overview of text message marketing to see where the standard TCPA rules start and the healthcare carve-out ends.

The 2015 FCC order lets a provider send exempt messages to a wireless number the patient gave the provider as part of the healthcare relationship [2]. No signed consent form. No checked opt-in box for those categories.

But 'provided' does a lot of work in that sentence. A patient who wrote their cell number on an intake form gave it in the context of the relationship. A number bought on a list and matched to patient records was not provided by the patient, so there's no consent basis. A number a family member handed over without the patient knowing? Same problem.

The consent is also pinned to the purpose. A hospital can't take a number given for emergency-contact purposes and start sending prescription reminders to it. The FCC's reasoning is that the number was offered for one thing and can't be repurposed without more consent. In practice, your intake forms and EHR need to capture more than the digits. They need the reason the patient handed the number over.

One more wrinkle. If a patient revokes consent in any clear way, including telling a nurse to stop the texts, that revocation binds you even without a formal opt-out button. The FCC and most courts treat oral revocation as legally effective [6].

What happens when a healthcare organization gets it wrong?

The TCPA's standard damages are $500 per violation, trebled to $1,500 per violation if the court finds willfulness [1]. No de minimis floor exists. A single autodialed text to a wrong number, or to a number that already sent you an opt-out, is a $500 claim sitting there.

Healthcare organizations haven't been spared. UnitedHealthcare paid $2.5 million to settle TCPA claims, a case worth reading for any compliance team, and you'll find the full breakdown in our article on the UnitedHealthcare alleged TCPA violations settlement. The company argued the calls were permissible. Plaintiffs called them autodialed without proper consent. That's almost exactly the scenario the healthcare exemption is built to handle, and the company still ended up in a settlement conversation.

The Kaiser TCPA settlement is another case from inside healthcare worth studying. Neither company is small or unsophisticated. The lesson isn't that compliance is impossible. It's that sloppy execution of even a legitimate exemption is enough to generate class action exposure.

Does the exemption apply to debt collection calls from healthcare providers?

No. This is one of the most common misreads in healthcare compliance.

The FCC's 2015 order specifically left debt collection off the exempt list [2]. A hospital calling a former patient about an unpaid bill gets no healthcare exemption. That call needs prior express consent, same as a bank or a retailer making a collection call. The fact that the debt is for medical services means nothing to the TCPA analysis.

The FCC did exempt certain debt-collection calls tied to federally backed financial products in a separate 2016 rule, but that reached student loans and mortgages, not medical debt [7]. No parallel healthcare debt exemption exists.

If your revenue cycle team makes outbound calls or sends texts about unpaid medical bills, those need their own consent program, fully separate from the clinical messaging consent you captured at intake. Plenty of healthcare organizations never built that wall. A jury won't treat the gap as an honest mistake.

How does HIPAA interact with the TCPA for healthcare messaging?

HIPAA and the TCPA are separate statutes run by separate agencies: the Department of Health and Human Services for HIPAA, the FCC (plus private plaintiffs) for the TCPA [11]. Clearing one doesn't clear the other.

A provider can send a text that's fully HIPAA-compliant (patient authorized, minimum necessary information, proper safeguards) and still break the TCPA if the consent basis for autodialing is missing or the message carries marketing. The reverse holds too: a call can be TCPA-clean on consent and still break HIPAA by disclosing protected health information to the wrong person.

The two meet on consent forms. A well-built intake form can capture the consent HIPAA wants for authorized communications and document that the patient gave their wireless number as part of the healthcare relationship for TCPA purposes, all at once. That dual-purpose paperwork is worth building. Neither statute requires you to combine them, but doing so cuts administrative load and leaves a cleaner audit trail.

LeadCompliant's one-time compliance kit includes template consent language built for exactly this dual-documentation need. Getting the language right once saves a lot of exposure later.

What about the FCC's 2024 rule changes: do they affect the healthcare exemption?

The FCC issued major new TCPA rules in 2024, including changes to the one-to-one consent requirement and lead generation practices [8]. The healthcare exemption itself, as codified, wasn't repealed or rewritten by those rules. The consent framework around it tightened anyway.

The 2024 rules made clear that a consumer's consent has to attach to a specific company, not spread across a network of unrelated callers through one consent checkbox. For healthcare organizations that use third-party patient engagement vendors or outsourced call centers, that matters. Consent to hear from Hospital X doesn't automatically flow to the hospital's messaging vendor acting on its own behalf, or to affiliated entities, without separate disclosure.

There's also live FCC and court activity over the ATDS definition after Duguid. The Eleventh Circuit and the Ninth Circuit landed on different answers about what qualifies, and the FCC has signaled it may clarify the definition in a future rulemaking [9]. Don't assume the ATDS landscape in your circuit stays favorable forever. Check TCPA news regularly. The rules genuinely move here.

What should a healthcare organization's TCPA compliance program actually look like?

A working program has five parts, and most organizations are missing at least two.

First, map every outbound communication. Voice calls, texts, and automated reminders from every platform, including EHR-integrated messaging, third-party appointment reminder tools, and revenue cycle software. You can't comply with rules you don't know you're triggering.

Second, classify each message type. Is it purely clinical and non-marketing? Does it fit one of the FCC's exempt categories? Does it carry any promotional language? That classification decides whether you need prior express written consent or just documented patient-provided consent.

Third, audit your consent capture. Is the cell number documented as patient-provided in the healthcare relationship? Is there a separate consent mechanism for marketing? Is debt-collection outreach running on its own consent track?

Fourth, build opt-out processing that works. STOP texts get honored immediately. Voice opt-outs from live calls or IVR systems get logged and suppressed. The opt-out list syncs across every platform. A patient who opts out of text reminders in your EHR should never get a text from your prescription notification vendor the next day.

Fifth, run suppression checks before every campaign. Scrub outbound lists against your internal opt-out records, the National Do Not Call Registry for voice calls, and any state lists [12]. Free DNC checking tools live at LeadCompliant, alongside number verification that flags wireless versus landline status before you dial.

For any cold outreach outside the patient relationship, the cold-calling rules framework applies in full, with no healthcare softening.

There's a separate TCPA exemption for emergency calls, codified at 47 U.S.C. § 227(b)(1)(A)(i), which excludes calls 'made for emergency purposes' from the autodialed-call prohibition [1]. The FCC hasn't defined 'emergency' narrowly here, but courts generally want a genuine, time-sensitive safety situation.

A mass text to all patients about a disease outbreak or a public health emergency would likely qualify. A text reminding a patient that their annual physical is overdue would not. The emergency carve-out is real but narrow, and using it as a general-purpose consent substitute for routine health outreach is the kind of creative reading plaintiffs' attorneys love to find.

Some states add their own emergency communication provisions that interact with state-level TCPA analogs. If you operate in California, Florida, or Washington, check the state rules before you lean on the federal emergency exemption alone. Those states carry restrictions that sometimes reach further than federal law.

What have courts actually decided about the healthcare TCPA exemption?

Case law on the 2015 FCC healthcare exemption is still forming, but a few patterns are clear [10].

Courts have generally upheld the exemption when the messages stay inside the approved categories, the opt-out mechanism works, and the patient actually provided the number. Challenges win most often when a message carries any marketing language, when the consent documentation is thin or missing, or when the organization kept sending after a clear revocation.

One recurring fight is the dual-purpose message. A text that reads 'Your appointment is confirmed. While you're here, ask us about our new weight loss program' mixes clinical and promotional content. Courts have been willing to hold that the marketing element kills the exemption for the entire message, more than the marketing sentence. This isn't theoretical. Plaintiffs' lawyers hunt specifically for mixed-purpose messages, because they're easy to find and easy to litigate.

The class exposure in healthcare TCPA cases gets enormous, because providers push the same automated system to thousands or millions of patients. One non-compliant template sent to 200,000 patients at $500 a message is $100 million in exposure before you even reach the trebling question. That math is why settlements like Credit One and Truist Bank, though outside healthcare, follow the same structural logic as healthcare TCPA class actions.

Frequently asked questions

Are there TCPA exemptions for healthcare providers?

Yes. The FCC created an exemption in 2015 for autodialed or prerecorded calls and texts to wireless numbers covering appointment reminders, prescription notifications, lab result alerts, and similar non-marketing clinical messages. The exemption requires that the patient provided the phone number voluntarily as part of the healthcare relationship and that every message includes opt-out instructions. Marketing messages, debt collection calls, and survey calls are explicitly excluded.

Does the TCPA healthcare exemption cover marketing texts from a hospital?

No. The FCC's 2015 exemption expressly excludes marketing and telemarketing. A hospital promoting a new service, a health plan advertising a wellness program, or a clinic texting about a promotional screening needs prior express written consent, the same standard that applies to any commercial marketer. The fact that the sender is a healthcare organization doesn't change the consent requirement for promotional content.

How many texts per week can a healthcare provider send under the exemption?

The FCC capped exempt healthcare texts at one per day and three per week, per specific healthcare matter, under the 2015 order. If a provider has multiple ongoing matters with the same patient, such as two appointments and a prescription refill, each matter carries its own three-per-week limit, but the total volume adds up fast. Opt-outs must be honored no matter how many messages remain under the weekly cap.

Not for exempt messages. The 2015 FCC order requires only that the patient voluntarily provided the wireless number as part of the healthcare relationship, such as writing it on an intake form. A signed consent form isn't mandated, but documenting when and how the number was provided is critical if you ever defend a lawsuit. For marketing messages, prior express written consent with a clear disclosure is still required.

Can a healthcare provider call a patient's cell phone about an unpaid bill under the healthcare exemption?

No. Debt collection is explicitly excluded from the FCC's 2015 healthcare exemption. Calls or texts about unpaid medical bills need independent prior express consent, the same standard that applies to any debt collector. Many healthcare organizations run separate patient communication systems for revenue cycle outreach; those systems need their own consent program, entirely separate from the clinical messaging consent captured at intake.

What is the penalty for violating the TCPA as a healthcare provider?

The standard TCPA penalty is $500 per violation, which courts can treble to $1,500 per violation for willful or knowing violations. There's no reduced penalty for healthcare senders. A single non-compliant automated message sent to a large patient list can generate class action exposure in the millions or tens of millions. UnitedHealthcare paid $2.5 million in a TCPA settlement, and Kaiser has faced similar litigation.

Does the healthcare TCPA exemption apply to prescription reminder texts?

Yes, as long as the message is purely informational, carries no marketing language, includes opt-out instructions, and goes to a number the patient provided. Both pharmacy pickup notifications and home delivery notifications for prescriptions appear in the FCC's 2015 order as exempt categories. If a pharmacy adds a promotional offer or mentions a reward program in the same message, the exemption likely doesn't apply to that message.

How does the Facebook v. Duguid ruling affect healthcare TCPA compliance?

The 2021 Supreme Court ruling in Facebook v. Duguid narrowed the definition of an automatic telephone dialing system to devices that use a random or sequential number generator to store or produce phone numbers. Some healthcare senders argue their systems dial from fixed patient lists and therefore aren't ATDSs, making TCPA consent rules less relevant. That argument works in some courts and not others. Relying on it as your primary strategy is risky.

Can a healthcare provider use a third-party vendor to send exempt messages?

Yes, but the consent follows the provider, not the vendor. The patient must have provided their number to the healthcare provider as part of that relationship. The FCC's 2024 rules tightened one-to-one consent, meaning a vendor can't rely on generic consent language to send messages on its own account. Contracts with patient engagement vendors should spell out who holds the consent relationship and which message categories are authorized.

Do state laws add extra restrictions beyond the TCPA healthcare exemption?

Often yes. California, Florida, and Washington all carry state-level calling and texting restrictions that in some cases reach further than the federal TCPA. California's Invasion of Privacy Act and the CCPA both touch healthcare communications in ways the federal TCPA doesn't address. Healthcare providers operating across multiple states need to check each state's rules independently; the FCC exemption doesn't preempt stricter state laws.

What should a healthcare organization do if a patient orally revokes consent during a call?

Honor it immediately and document it. The FCC and most courts treat oral revocation as legally effective, even if the patient never says the word 'stop' or follows a formal opt-out procedure. A nurse taking a message that a patient said 'stop calling me' creates a binding obligation. That number should be suppressed across all outbound systems, more than the one channel the revocation came through.

Does the TCPA healthcare exemption cover calls to landlines?

The 2015 FCC exemption specifically covers autodialed or prerecorded calls to wireless numbers. Calls to landlines using prerecorded voices were already subject to different TCPA rules, and healthcare callers using prerecorded messages on landlines need to meet those separate requirements. In practice, most modern patient outreach goes to cell phones, so the wireless rules dominate the compliance conversation.

Is HIPAA compliance enough to satisfy the TCPA for patient messaging?

No. HIPAA and the TCPA are separate statutes enforced by different agencies. Meeting HIPAA's authorization requirements doesn't satisfy the TCPA's consent and operational requirements, and the reverse holds too. A HIPAA-authorized text can still break the TCPA if the provider used an autodialer without a proper consent basis, and a TCPA-compliant call can still break HIPAA if it discloses protected health information to the wrong party.

Can a telehealth company use the TCPA healthcare exemption?

Telehealth companies are healthcare providers for purposes of this exemption if they deliver healthcare services and have a direct patient relationship. The same rules apply: appointment confirmations, prescription notifications, and other non-marketing clinical messages sent to numbers voluntarily provided by patients qualify. Pure digital health companies without a licensed clinical relationship, like wellness apps, likely can't claim the exemption and need standard TCPA consent for any autodialed outreach.

Sources

  1. U.S. Government, 47 U.S.C. § 227, Telephone Consumer Protection Act (via Cornell Legal Information Institute): TCPA base statute: $500 per violation, trebled to $1,500 for willful violations; FCC authority to exempt non-marketing calls that serve the public interest under 47 U.S.C. § 227(b)(2)(C); emergency-purpose exception at 47 U.S.C. § 227(b)(1)(A)(i)
  2. FCC, In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, FCC 15-72 (2015 Omnibus TCPA Order): FCC 2015 exemption for healthcare calls/texts including appointment reminders, prescription notifications, lab results, post-discharge follow-up, billing notifications; operational limits of one per day, three per week; opt-out requirements; marketing and debt collection excluded
  3. FCC, Telephone Consumer Protection Act rules (47 CFR 64.1200, via Electronic Code of Federal Regulations): Marketing calls and texts to wireless numbers require prior express written consent regardless of the identity of the caller
  4. FTC, National Do Not Call Registry and telemarketing rules: Opt-out requests must be honored immediately; a STOP reply must work for text messages
  5. U.S. Supreme Court, Facebook, Inc. v. Duguid, 592 U.S. 395 (2021): ATDS definition narrowed to systems that use a random or sequential number generator to store or produce telephone numbers to be called
  6. FCC, In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, FCC 15-72: Consumers may revoke consent through any reasonable means, including orally during a call; revocation must be honored
  7. FCC, Rules to Implement the Bipartisan Budget Act Government-Debt Collection Provision, FCC 16-99 (2016): The federal debt collection TCPA exemption covers student loans and mortgages owed to or guaranteed by the U.S. government; it does not cover medical debt
  8. FCC, Report and Order on One-to-One Consent and Lead Generation, FCC 24-17 (2024): 2024 FCC rules require that consumer consent be tied to a specific company; consent cannot be passed to unrelated third parties through a single checkbox
  9. U.S. Courts, federal appellate decisions on the ATDS definition following Duguid: Federal circuits have split on the ATDS definition after Duguid, and the FCC has signaled interest in clarifying the definition through future rulemaking
  10. National Law Review, coverage of TCPA healthcare exemption case law: Courts have generally upheld the 2015 FCC healthcare exemption when messages are limited to approved categories, opt-out mechanisms work, and consent documentation is present
  11. HHS, HIPAA (Health Information Privacy): HIPAA and the TCPA are independent statutes; HIPAA compliance does not satisfy TCPA consent requirements
  12. FTC, National Do Not Call Registry: Healthcare organizations making voice calls must still scrub against the National Do Not Call Registry for calls that are not exempt

Disclaimer: LeadCompliant is a compliance review tool, not a law firm. We do not provide legal advice. Consult with a TCPA attorney for legal guidance on specific compliance questions. Compliance scores, audits, and risk assessments are informational only.

LeadCompliant Team

LeadCompliant provides expert guidance and tools to help you succeed. Our content is reviewed for accuracy and kept up to date.

Related Articles

Related Glossary Terms

LeadCompliant
Build My Kit