The U.S. Court of Appeals for the D.C. Circuit, on March 16, 2018, struck a blow to healthcare industry efforts to exclude certain communications subject to the Health Insurance Portability and Accountability Act (HIPAA) from liability under the Telephone Consumer Protection Act of 1991 (TCPA). In its unanimous decision in ACA International v. Federal Communications Commission,1 the D.C. Circuit affirmed the Federal Communications Commission’s (FCC) holding in its 2015 Declaratory Ruling and Order (2015 Order)2 exempting certain exigent healthcare-related calls from the TCPA’s consent requirement, but leaving callers subject to TCPA liability for “billing- and account-related” healthcare calls made to wireless numbers.3
The FCC’s 2015 Order left healthcare-related “billing- and account-related” calls subject to the TCPA prior consent requirement
The TCPA generally prohibits the use of an “automatic telephone dialing system” to call wireless numbers without prior express consent. 47 U.S.C. § 227(b)(1)(A). The FCC may exempt from this statutory consent requirement calls that are “not charged to the called party,” subject to whatever conditions the FCC prescribes as “necessary” in the interest of consumer privacy rights. § 227(b)(2)(C). Parties aggrieved by a TCPA violation can recover US$500 in damages for each violation (i.e., each call), and treble damages for willful or knowing violations. § 227(b)(3).
Under HIPAA, covered entities and their business associates generally may not use or disclose protected health information (PHI) except for “treatment, payment, or health care operations.” 45 C.F.R. § 164.502(a)(1)(ii).
In its 2015 Order, the FCC exempted from the prior express consent requirement “certain non-telemarketing, healthcare calls” made to wireless numbers that are not charged to the called party.4 The FCC accepted that these types of calls—for instance, appointment and exam confirmations and reminders—are the kind of communications that consumers “desire, expect, and benefit from.”5 The FCC declined, however, to exempt from the consent requirement other healthcare-related calls including telemarketing, soliciting, advertising, billing, debt collection, or “other financial content.” The FCC reasoned that for these calls, “[t]imely delivery” is not “critical to a called party’s healthcare, and they therefore do not justify setting aside a consumer’s privacy interests in favor of an exemption.”6
The D.C. Circuit affirmed the FCC’s healthcare exemption
Petitioner Rite Aid challenged the 2015 Order, arguing that the FCC’s exemption for select healthcare-related calls conflicts with HIPAA and is arbitrary and capricious. Specifically, Rite Aid argued that the exemption should cover all healthcare-related calls, including calls with telemarketing, solicitation, advertising, accounting, billing, debt-collection, and other financial content. Rite Aid argued that HIPAA, together with applicable regulations and guidance from the U.S. Department of Health and Human Services (HHS), is “the exclusive source of federal law” with regard to the disclosure of PHI. As the D.C. Circuit noted, Rite Aid essentially argued that any partial exemption of healthcare-related calls from the TCPA consent requirement is unlawful because HIPAA supersedes the TCPA when it comes to the communication of healthcare information.7 The D.C. Circuit rejected this argument, finding that there is “no obstacle to complying with both the TCPA and HIPAA[,]” as “the two statutes provide separate protections.”8
The D.C. Circuit also rejected Rite Aid’s argument that the 2015 Order was arbitrary and capricious because it afforded a narrower exemption for healthcare-related calls made to wireless numbers than a 2012 FCC exemption for all prerecorded healthcare-related calls made to residential lines that are subject to HIPAA.9 While the D.C. Circuit agreed that the 2012 exemption “swept more broadly” than the 2015 exemption,10 the court nevertheless concluded that disparate treatment between calls to wireless and residential numbers was justified, noting that the TCPA itself “presupposes . . . that calls to residential and wireless numbers warrant differential treatment,”11 and that “calls to wireless numbers ‘tread [more] heavily upon . . . consumer privacy interests.’”12 As the D.C. Circuit noted, consumer privacy concerns “directly informed the 2015 [healthcare] exemption’s scope,” evidenced by the FCC’s finding that the timely delivery of account- and billing-related calls is “not critical” to a called party’s healthcare, and therefore does “not justify setting aside a consumer’s privacy interests.” Thus, there was “nothing inherently contradictory about easing restrictions on certain kinds of calls to landlines, but not to cellular phones.”13
Implications for Healthcare Companies
Perhaps most significantly, ACA International leaves unaddressed certain practical concerns raised by Rite Aid, including that the FCC’s exemption is based on terms that have not been defined by the FCC and are not used in HIPAA or TCPA regulations, and that healthcare companies now must comply with “a confusing patchwork of regulations on healthcare communications.”14 The D.C. Circuit gave only a cursory dismissal of Rite Aid’s emphatic warning that HIPAA covered entities face a “Hobson’s choice of complying with HIPAA or coming within the cross-hairs of TCPA litigation bounty hunters.”15
Of particular interest to healthcare providers and other HIPAA covered entities (e.g., employer health plans) may be the D.C. Circuit’s implicit finding that HIPAA is not the “exclusive source of federal law on the disclosure of protected health information.” The D.C. Circuit essentially permitted the FCC to impose limitations on the use and disclosure of PHI that go further than HIPAA. This is a significant precedent because federal agencies have historically been reluctant to enter into the realm of HHS as it relates to the oversight of HIPAA and the use and disclosure of PHI. This ruling may embolden the FCC, and other agencies, to regulate PHI. Going forward, HIPAA covered entities that previously needed to look only to HIPAA with respect to their compliance obligations regarding the use and disclosure of PHI, may need to consider other agency regulations as well.