Automated Reminder Messaging - A Legal Primer For Agency Directors

Summary

If you are considering the use of an automated reminder messaging (“ARM”) in your agency, this paper can help by providing legal background regarding ARM which you can use with your counsel to conduct a legally compliant campaign.

Article

Introduction
You are interested in the possibility of using automated reminder messaging (“ARM”) in your agency.  This white paper will provide legal background regarding ARM which you can use with your counsel to conduct a legally compliant campaign.  This white paper does not express my legal opinion regarding your calling campaign - you must review with your counsel application of the laws to your calling to determine their legality.

Telemarketing Law Issues
Both federal and state law can apply to these calls, and you must comply with the more restrictive of the two when making a campaign. You should review both the law of the state where the calls are received, and, if different, from where the calls are sent.

Federal Telemarketing Law
There are two federal laws generally applicable to telemarketing: the FTC’s Telemarketing Sales Rule (TSR) and the FCC’s Telephone Consumer Protection Act (TCPA).  Neither of these restrictions includes automatic reminder messaging for appointment setting purposes in their definition of telemarketing or telephone solicitation.  Neither the TSR nor the TCPA restricts these calls so long as they are legitimate non-marketing calls to your clients with one exception, the TCPA’s ban on prerecorded calls placed to cell phone numbers or other numbers for which the called party is charged without the prior express consent of the recipient.

This restriction is found in the Telephone Consumer Protection Act which prohibits any person from making any call using an automatic telephone dialing system or prerecorded message to any telephone number assigned to a cellular telephone service or other service for which the called party is charged for the call.  47 U.S.C. § 227(b)(1).  The term “automatic telephone dialing system” (“ATDS”) is defined as “equipment which has the capacity to store or produce telephone numbers to be called, using a random or sequential number generator; and to dial such numbers.”  47 U.S.C. § 227(a)(1).

Calls with the prior express consent of the recipient are exempt. Id. at § 227(b)(1)(A).

The FCC has ruled that “persons who knowingly release their phone numbers have, in effect, given their invitation or permission to be called at the number which they have given, absent instructions to the contrary.”  7 FCC Record, p. 8752 ¶ 31 (1992). Note that the FCC currently is considering a request to change this rule. www.gpo.gov/fdsys/pkg/FR-2010-03-22/html/2010-6095.htm

Therefore, if the consumer has provided his or her telephone number to you and not made instructions to the contrary, the above cell phone restriction does not apply, i.e. you can place ARM calls to cell phones. Capturing a telephone number using caller ID or similar technology, alone, or obtaining it from a third party does not constitute “express consent.” 7 FCC Record p. 8752 ¶ 31.

I recommend that you affirmatively disclose to the consumer that he or she may be contacted by ARM calls at the time the consumer gives you the number. This disclosure exceeds the legal requirement set forth above, but eliminates any ambiguity regarding “express consent.”

State Telemarketing Law
Similar to federal law discussed above, these calls are not “telemarketing” for purposes of any state’s law1. Some antiquated state laws regarding prerecorded messages, however, ban all prerecorded messages including informational ones sent with the express consent of the recipient. Arizona, Florida and North Carolina, for example, have laws that are particularly restrictive.

Statutory Citations for State Law Regarding Prerecorded Telephone Calls
StateStatute
Federal47 U.S.C. § 227(b)(1)(A); 47 C.F.R. § 64.1200(a)(2); 16 C.F.R. § 310.4(b)(1)(v)
AlabamaAla. Code § 8-19A-3(3)(a)
AlaskaAlaska Stat. § 45.50.475(a)(2)
ArizonaAriz. Stat. §§ 13-2919, 44-1278
ArkansasArk. Code § 5-63-204
CaliforniaCal. Civ. Code § 1770(a)(22)(A); Cal. Bus. & Prof. Code § 17363.5;Cal. Pub. Util. Code § 2871
ColoradoCol. Stat. §§ 18-9-311, 6-1-302(2)(a)
ConnecticutConn. Stat. §§ 16-256e, 52-570c
DelawareN/A
D.C.D.C. Code § 34-1701
FloridaFla. Stat. § 501.059(1)(e)
GeorgiaGa. Code § 46-5-23
HawaiiN/A
IdahoN/A
Illinois815 ILCS § 305/1
IndianaInd. Code § 24-5-14-1
IowaIa. Code § 476.57
KansasKan. Stat. § 50-670
KentuckyKy. Stat. § 367.461
LouisianaLa. Stat. § 45:810
Maine10 MRS § 1498
MarylandMd. Pub. Util. Code §  8-204
MassachusettsMass. Gen. Laws Ch. 159C, § 3; Ch. 159, § 19B
MichiganMich. Stat. §§ 445.111a, 484.125
MinnesotaMinn. Stat. §§ 325E.26, 332.37(13)
MississippiMiss. Code §§ 77-3-451, 77-3-723
MissouriMo. Stat. § 407.1073(1)(5)
MontanaMont. Code § 45-8-216
NebraskaNeb. Stat. § 86-236
NevadaNev. Stat. § 597.812
New HampshireN.H. Stat. § 359-E:1
New JerseyN.J. Stat. § 48:17-28
New MexicoN.M. Stat. § 57-12-22
New YorkN.Y. Gen. Bus. Stat. § 399-p
North CarolinaN.C. Stat. § 75-104
North DakotaN.D. Stat. § 51-18-01
OhioN/A
Oklahoma15 Okla. Stat. § 755.1, 21 Okla. Stat. § 1847a
OregonOreg. Stat. § 646A.370
Pennsylvania73 Pa. Stat. § 2245.2(j),  52 Pa. Admin. Code § 63.60
Rhode IslandR.I. Stat. §§ 5-61-3.4, 11-35-26
South CarolinaS.C. Stat. § 16-17-446
South DakotaS.D. Stat. § 37-30-23
TennesseeTenn. Code § 47-18-1502, Tenn. Reg. Auth. Rule 1220-4-11
TexasTex. Bus. & Com. Code § 305.001; Tex. Util. Code § 55.121; Tex. Pub. Util. Rule § 26.125
UtahUtah Code § 13-25a-101
VermontN/A
VirginiaVa. Code § 59.1-518.2
WashingtonWash. Code § 80.36.400
West VirginiaN/A
WisconsinWis. Stat. § 100.52(4)
WyomingWyo. Stat. § 6-6-104
Other state or federal laws can apply to prerecorded calls.

Other state or federal laws can apply to prerecorded calls.

The above table is a starting point regarding state law regulating prerecorded messages and is not intended to be a list of the only state laws which could apply to a given call.

Again, you should have your counsel review state law in any state where the calls are received prior to making these calls.

Medical Privacy Law Issues
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its accompanying regulations set the federal standard for medical privacy. The HIPAA Privacy Rule provides federal protections for personal health information and gives patients privacy rights limiting how you use their information.

Agencies are rightly concerned with medical privacy issues, especially concerning sharing call list data with a third party contractor making calls on behalf of the agency. 

The U.S. Department of Health and Human Services (HHS), which administers and enforces HIPAA, permits healthcare providers to communicate with patients regarding their healthcare. [ www.hhs.gov/hipaafaq/providers/smaller/198.html, website reviewed on December 28, 2011.]

HHS counsels, however, that covered entities should limit the amount of information disclosed on the answering machine to that necessary to confirm the appointment and a number that the individual can call back with additional questions.  Covered entities may share protected health information with their contractors who meet the definition of “business associates” under the HIPAA rule, the definition of “business associate” is limited to contractors that obtain protected health information to form or assist in the performance of health care operations, such as reminder calls.  [www.hhs.gov/hipaafaq/use/276.html, website reviewed on December 28, 2011.]

The covered provider’s contract with those providers must obtain satisfactory assurances (i.e. contract language and consistent behavior after contracting) that the business associate will use the information only for the purpose for which it is engaged, will safeguard the information from misuse, and will help the covered entity to comply with the covered entity’s duties under the privacy rule.  Information obtained, such as the telephone numbers, may not be used for the business associate’s independent use or purposes.  [www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html, website reviewed on December 28, 2011.]

State law can vary, but likely will be consistent with the above federal standards.  You should have your counsel review contracts regarding compliance with federal law and state law prior to retaining a contractor for these services.

Data Security Law Issues
Currently, nine states and Puerto Rico require businesses to meet certain data storage policy and procedure safeguard standards. These rules, however, are not specific, requiring “reasonable” policies which you should adopt even in other states.

For example, Arkansas law provides that:

Any business which owns or acquires personal information about an Arkansas resident shall implement and maintain reasonable security procedures appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.


Ark. Code § 4-110-104(b).

Massachusetts’ law is the most specific requiring that every person who owns or licenses personal information about a resident of Massachusetts and electronically stores or transmits such information shall implement a security system covering its computers that at a minimum:

(1) Secure user authentication protocols including:
 (a) control of user IDs and other identifiers;
 (b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
 (c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
 (d) restricting access to active users and active user accounts only; and
 (e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

(2) Secure access control measures that:
 (a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
 (b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;

(5) Encryption of all personal information stored on laptops or other portable devices;

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

201 CMR § 17.04.


You should review these standards for each state which you maintain data from a resident of that state.

Further, every state, effectively, requires notification of breach of data to affected consumers, and often regulators in the affect states, as well.

The authorized disclosure of telephone numbers to your “business associate” for notification calls is not an unauthorized breach, but your contract with those business associates must also include language requiring prompt notification to you (and likely expenses and/or damages), should the business associate’s security be breached so you can comply with these disclosure laws.

Conclusion
ARM should therefore be a useful and cost-effective tool to aid your clients, because with a little legal research, you should be able to get approval to use this tool from your counsel in nearly every state.