March 7, 2017
Chairman, Federal Commissions Commission
445 12th Street, SW
Washington, DC 20554
Filed electronically at http://fjallfoss.fcc.gov/ecfs2/
Re: CONSUMER AND GOVERNMENTAL AFFAIRS BUREAU SEEKS COMMENT ON PETITION FOR RULEMAKING AND DECLARATORY RULING REGARDING PRIOR EXPRESS CONSENT UNDER THE TELEPHONE CONSUMER PROTECTION ACT OF 1991
CG Docket No. 02-278
CG Docket No. 05-338
Dear Chairman Pai:
The Medical Group Management Association (MGMA) appreciates the opportunity to share its views on the issue of prior express consent and its impact on medical group practices in response to your solicitation of comments regarding a petition for rulemaking and declaratory ruling filed by Craig Moskowitz and Craig Cunningham (Petitioners).
MGMA and its 50 state affiliates comprise more than 33,000 administrators and executives in 18,000 healthcare organizations in which 385,000 physicians practice. MGMA represents physician groups of all sizes, types, structures and specialties, and has members in every major healthcare system in the nation. As the leading association for practice administrators and executives for nearly 90 years, MGMA produces the most credible medical practice economic data in the industry and provides the education, advocacy, data and resources that healthcare organizations need to deliver the highest-quality patient care.
The Telephone Consumer Protection Act of 1991 (“TCPA”) specifically requires persons who wish to make a call with automated telephone equipment or an artificial or prerecorded voice to a cellular or residential telephone line to obtain the “prior express consent” of the called party. 47 U.S.C. §§ 227(b)(1)(A)(iii), 227(b)(1)(B). The Federal Communications Commission has issued two declaratory orders, one in 1992 (“1992 Order”) and the other in 2008 (“2008 Order”), ruling that persons are permitted to make calls requiring such prior express consent based only on the prior implied consent of the called party in situations where the called party has released their number to the caller. Specifically, (a) the 1992 Order provides that “persons who knowingly release their phone numbers have in effect given their invitation or permission to be called at the number which they have given, absent instructions to the contrary,” and (b) the 2008 Order provides that “the provision of a cell phone number to a creditor, e.g., as part of a credit 2 2 application, reasonably evidences prior express consent by the cell phone subscriber to be contacted at that number regarding the debt.”
Petitioners request, pursuant to 47 C.F.R. § 1.401(a), that the Commission initiate a rulemaking to (a) overturn the Commission’s improper interpretation that “prior express consent” includes implied consent resulting from a party’s providing a telephone number to the caller; and (b) uniformly require that for all calls made to cellular and residential lines subject to the TCPA’s prohibitions in 47 U.S.C. § 227(b)(1)(A)(iii) and 47 U.S.C. § 227(b)(1)(B), “prior express consent” to such telephone calls must actually be (i) express consent (ii) specifically to receive autodialed and/or artificial voice/prerecorded telephone calls, (iii) at a specified telephone number, and (iv) be in writing. In addition, pursuant to 47 C.F.R. § 1.2, Petitioners request that the Commission issue a declaratory ruling to remove uncertainty regarding the meaning of “prior express consent” resulting from the 1992 and 2008 Orders, and from 2012, 2014 and 2015 Commission orders to the extent they reiterate the positions in the 1992 and 2008 Orders.
We understand the intent of the Petitioners to limit the ability of telemarking services to be conducted based on a telephone number supplied by an individual. MGMA, however, is concerned that the unintended consequences of reversing the Commission’s interpretation of “prior express consent” could be that medical group practices are significantly impeded in their ability to effectively communicate important healthcare-related information to their patients and to conduct business in a manner that is permitted under the current HIPAA Privacy regulations.
In today’s healthcare environment, the telephone is the most common method of patient communication and thus practices, as a matter of course, request one or more telephone numbers when the patient registers either before a visit or at the time of service. These telephone numbers are then used to conduct functions from administrative actions such as appointment reminders to communications that could be critical to the health of the patient. Further, practices routinely see and treat patients prior to receiving full payment for these services. Practices must then seek to recoup outstanding balances directly from the patient or by employing debt collection services. Patient telephone numbers are used for these purposes as well.
The HIPAA Privacy rules have been in effect for more than a decade and have well established the patient communications regulatory landscape for provider organizations. The HIPAA Privacy rule was unambiguous in terms of when a “covered entity” such as a physician practice would be required to receive express consent for disclosure of “protected health information” (PHI). A covered entity would not, for example, be required to obtain patient consent when the PHI was disclosed for purposes of “treatment, payment, or healthcare operations” (TPO). Note that, under the HIPAA Privacy Final Rule, telephone numbers are considered part of the “designated record set” and fall within the definition of PHI:
[Page 53235] “As with the de-identification safe harbor provisions, the direct identifiers listed apply to protected health information about the individual or about relatives, employers, or household members of the individual. The direct identifiers include all of the facial identifiers proposed in the preamble to the NPRM: (1) Name; (2) street address (renamed postal address information, other than city, State and zip code); (3) telephone and fax numbers; (4) email address; (5) social security number; (6) certificate/license numbers; (7) vehicle identifiers and serial numbers; (8) URLs and IP addresses; and (9) full face photos and any other comparable images.
As the HIPAA Privacy rule states, however, disclosures of PHI (including telephone numbers) made for purposes of marketing would require patient authorization:
[Page 53184] “Generally, if a communication was marketing, the Privacy Rule required the covered entity to obtain the individual's authorization to use or disclose protected health information to make the communication.”
In addition, the HIPAA Privacy Rule is clear that the practice must include a discussion of how TPO could be appropriately disclosed without patient consent. As the HIPAA Privacy rule states, however, even though a practice is permitted to disclosure financial information as part of TPO, these disclosures must still be consistent with the practice’s Privacy Notice:
[Page 53211] “Although covered entities will not be required to obtain an individual's consent, any uses or disclosures of protected health information for treatment, payment, or health care operations must still be consistent with the covered entity's notice of privacy practices.
As an example of how the Privacy rules are being communicated to the provider community by the federal government, the Office for Civil Rights (OCR), the federal agency charged with enforcing HIPAA Privacy, developed a model Privacy Notice to assist physician practices and others to provide clear guidance to their patients on their rights regarding use by a covered entity of PHI. Privacy Notices are required to be given to all patients and posted in a public area of the practice and on the practice website. The OCR model notice outlines that patients can request of the covered entity the following:
- “You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address
- We will say “yes” to all reasonable requests. Ask us to limit what we use or share
- You can ask us not to use or share certain health information for treatment, payment, or our operations”
The Privacy Notice provided to patients permits them to designate how their phone numbers will be used by the practice. For example, the patient may stipulate that their cell number, not their home number, is to be used to communicate appointment reminders, test results, outstanding account balances, and other healthcare-related information. The patient is also permitted to ask the practice not to contact them by telephone. These disclosure options, included in the Privacy Notice, are provided to patients at the same time as the patient is asked for their phone number.
As specified in the Commission’s July 10, 2015 Declaratory Ruling and Order FCC 15-72, there are a number “true healthcare” situations where express consent (written) should not be required prior to a provider organization engaging with the patient via phone or text. The 2015 ruling (143) identified the following as true healthcare situations: “appointment and exam confirmations and reminders, wellness checkups, hospital pre-registration instructions, preoperative instructions, lab results, post-discharge follow-up intended to prevent readmission, prescription notifications, and home healthcare instructions.”
However, that same 2015 ruling (147.3) prohibited calls made for the purposes of “accounting, billing, debt-collection, or other financial content” yet required that calls “must comply with HIPAA Privacy rules.” We assert that compliance with the HIPAA Privacy Rule and prohibition of disclosure of PHI for accounting, billing, debt-collection, or other financial content is counter intuitive. The HIPAA Privacy Rule is explicit in its definition of “payment” and that “payment for healthcare services” “use of a collection service” and “use of debt collectors” are part of TPO and thus are actions that do not require patient authorization:
[Page 53198] “Further, the Department notes that a covered entity is permitted to disclose information to any person or entity as necessary to obtain payment for health care services. The minimum necessary provisions apply to such disclosures but permit the covered entity to disclose the amount and types of information that are necessary to obtain payment.”
[Page 53219] “the Department clarifies that the Privacy Rule permits covered entities to use and disclose protected health information as required by other law, or as permitted by other law provided that such use or disclosure does not conflict with the Privacy Rule. For example, the Privacy Rule permits a collection agency, as a business associate of a covered health care provider, to use and disclose protected health information as necessary to obtain reimbursement for health care services, which could include disclosures of certain protected health information to a credit reporting agency, or as part of collection litigation.”
[Page 53203] “Generally, the Privacy Rule permits covered entities to use the services of debt collectors as the use of such services to obtain payment for the provision of health care comes within the definition of ``payment.'' The Privacy Rule generally does not identify to whom information can be disclosed when a covered entity is engaged in its own payment activities.”
In conclusion, we strongly support the listing of healthcare situations included in the 2015 FCC Ruling, but also contend that the Commission should reverse its 2015 ruling and establish that practice use of a patient-supplied phone number is allowable for purposes of patient account resolution and the employment of debt-collection services without patient authorization, as permitted by the HIPAA Privacy rule.
We appreciate the opportunity to provide comments on this important topic. Should you have any questions, please contact Robert Tennant at 202-293-3450 or firstname.lastname@example.org
Anders M. Gilberg
Senior Vice President, Government Affairs