Andy Daniels, March 22, 2026, 7 min read

The Complete Guide to TCPA Compliance for Healthcare Providers

Tags: tcpa, compliance, legal

What Is the TCPA?

The Telephone Consumer Protection Act (TCPA) is a federal law enacted in 1991 that regulates telemarketing calls, auto-dialed calls, pre-recorded calls, text messages, and unsolicited faxes. While originally focused on robocalls, the TCPA has evolved to cover virtually all commercial text messaging — including messages sent by healthcare providers.

Many clinic owners assume the TCPA only applies to telemarketers or spam operations. This is incorrect. If your clinic sends text messages to patients — even appointment reminders — the TCPA applies to you.

Who Does the TCPA Apply To?

The TCPA applies to any entity that sends text messages or makes calls using an automatic telephone dialing system (ATDS) or pre-recorded voice. In practical terms for healthcare providers, this means:

  • Appointment reminder texts
  • Billing notifications
  • Marketing messages about new services
  • Patient satisfaction surveys
  • Re-engagement messages to inactive patients
  • Any bulk messaging sent through a platform

The only general exception is for emergency purposes. Standard appointment reminders and practice communications do not qualify as emergencies.

The Healthcare Exception — And Its Limits

In 2015, the FCC issued a ruling that created a limited healthcare exemption from certain TCPA requirements. Under this exemption, healthcare providers may contact patients without prior express consent for:

  • Appointment reminders
  • Wellness checkups
  • Hospital pre-registration instructions
  • Pre-operative instructions
  • Lab results
  • Post-discharge follow-up
  • Prescription notifications
  • Home healthcare instructions

However, this exemption has strict limits:

  • Messages must be sent to the number provided by the patient
  • Each call or message must be limited to one minute (voice) or 160 characters (text)
  • No more than one message per day and three messages per week
  • The content must be strictly healthcare-related
  • The patient must be able to opt out of future messages
  • No marketing content whatsoever

If your messages include any marketing language — even a mention of a new service you offer — the healthcare exemption does not apply and full TCPA consent requirements kick in.

Consent Requirements

Express Consent vs. Express Written Consent

The TCPA distinguishes between two levels of consent:

Express Consent (required for informational healthcare messages):

The patient provides their phone number to the practice, either verbally or in writing. This is generally satisfied when a patient fills out intake forms with their cell number.

Express Written Consent (required for marketing messages):

A signed written agreement (physical or electronic) that clearly discloses:

  • That the patient agrees to receive marketing communications
  • The specific types of messages they will receive
  • That consent is not a condition of receiving treatment
  • How to revoke consent

Documenting Consent

For TCPA compliance, documentation is everything. You need to be able to prove, for each patient, that they provided the appropriate level of consent before you sent them any message. This means:

  • Retaining signed consent forms (digital signatures count)
  • Recording the date consent was obtained
  • Noting the specific phone number consent applies to
  • Logging any changes to consent status
  • Documenting opt-out requests and their effective dates

A platform like TheraComm tracks consent status per patient and per phone number, creating an auditable record that protects your clinic if a complaint arises.

Penalties for TCPA Violations

The TCPA allows for statutory damages of:

  • $500 per violation (per text message) for negligent violations
  • $1,500 per violation (per text message) for willful or knowing violations

These amounts apply per message, not per patient. If you send 1,000 appointment reminder texts without proper consent, your exposure could be $500,000 to $1,500,000.

TCPA lawsuits have become a cottage industry. Plaintiff attorneys actively seek out businesses that text without consent, and class action lawsuits can compound exposure dramatically. In 2023 alone, over 4,000 TCPA lawsuits were filed in federal courts.

How to Stay Compliant

1. Obtain and Document Consent

Include clear TCPA consent language in your patient intake forms. Make it a separate, clearly identifiable section — not buried in a larger consent document.

2. Honor Opt-Outs Immediately

When a patient texts "STOP" or requests to be removed from messaging, you must honor that request immediately. Your system should automatically process opt-outs and prevent further messages.

3. Keep Messages Within Scope

If a patient consented to appointment reminders, do not send them marketing messages about your new massage therapy service. Each type of message requires its own consent.

4. Maintain Records

Keep consent records for at least four years (the TCPA statute of limitations). Ideally, your messaging platform handles this automatically.

5. Train Your Staff

Everyone who sends messages to patients must understand the basics of TCPA consent. A single staff member sending unauthorized messages can expose your entire practice.

6. Use a Compliant Platform

A purpose-built healthcare messaging platform manages consent tracking, opt-out processing, and message logging automatically. Trying to manage TCPA compliance with personal phones and spreadsheets is a recipe for violations.

Common TCPA Mistakes Healthcare Providers Make

  • Assuming that having a patient phone number equals consent to text
  • Sending marketing messages under the healthcare exemption
  • Not processing opt-outs promptly (or at all)
  • Texting patients who have changed their phone number (the new owner did not consent)
  • Sending messages that exceed the 160-character limit under the healthcare exemption
  • Failing to retain consent documentation

The Bottom Line

TCPA compliance is not optional, and the penalties for violations are severe enough to threaten a small practice. The good news is that compliance is straightforward with the right processes and tools in place. Document consent, respect opt-outs, stay within scope, and use a platform that manages the compliance details for you.
