AI patient outreach and compliance: what clinics need to know.

The rules that govern calling and texting patients, what changes when an AI does the talking, and the questions to ask any vendor.

Published June 12, 2026 · by the Quaility team · 8 min read

This guide is not legal advice. It’s an orientation to the regulatory landscape, written for clinic operators evaluating automated outreach. The rules summarized here change, carve-outs are fact-specific, and penalties are real — review your outreach program with qualified counsel.

The TCPA, in plain language

The Telephone Consumer Protection Act (TCPA) is the federal law, enforced through FCC rules, that governs automated calls and texts. Three of its ideas matter most for patient outreach:

  • Consent. Calls and texts made with automated technology or an artificial or prerecorded voice generally require the called party’s prior express consent. The FCC has addressed the healthcare context specifically: a patient who provides their phone number to a healthcare provider has generally given prior express consent for healthcare-related calls covered by HIPAA — but only within the scope of why the number was given. Treatment-related outreach (appointment reminders, screening due, lab follow-up) sits on much firmer ground than anything resembling marketing, which faces stricter requirements.
  • Revocation. Consent isn’t permanent. Under FCC rules that took effect in April 2025, patients can revoke consent by any reasonable means — not just a magic keyword — and revocations must be honored quickly, with the rules setting an outer bound of ten business days. Don’t design to the outer bound; the standard worth holding a system to is that STOP means stop, instantly, and that “please don’t call me anymore” spoken mid-call counts just as much as a STOP text.
  • Private enforcement. The TCPA carries statutory damages per violation and is enforced both by regulators and by private lawsuits, often class actions. Compliance failures in automated systems scale exactly the way the automation does.

What changes when the voice is AI

In February 2024, the FCC ruled that AI-generated voices count as “artificial” voices under the TCPA. The practical effect: an outbound call made with an AI voice is regulated like a prerecorded-voice call — prior express consent, identification of the caller, and opt-out mechanisms are required. AI voice outreach is legal with the right consent in place; what the ruling removed is any argument that AI calling is a gray area outside the rules.

For a clinic, the takeaway is simple: treat every AI voice call as a regulated robocall, because it is one. That means consent on file, clear caller identification at the start of the call, and an in-call path to opt out that actually works.

Practices that keep outreach respectful — and defensible

  • Quiet hours. FCC rules restrict telephone solicitations to 8 a.m.–9 p.m. in the called party’s local time zone. Treatment-related outreach may not be a “solicitation,” but adopting calling windows anyway — and tightening them further — is both good compliance hygiene and good manners. Nobody builds trust with an 8:55 p.m. screening reminder.
  • Attempt caps. Set a maximum number of attempts per patient per campaign and stop when you hit it. Unlimited redialing of a number that never answers is how patients end up filing complaints — and how stale numbers burn staff goodwill when the new owner of that number answers.
  • Voicemail etiquette. Use answering-machine detection so the system knows it reached voicemail, and keep voicemails minimal: the clinic’s name and a callback number. The voicemail box may be shared; the person who plays the message may not be the patient (see HIPAA, below).
  • One channel’s opt-out is every channel’s warning. If a patient opts out of texts, don’t treat that as an invitation to call instead. Honor the spirit: route the preference into the patient record, not just the campaign.

HIPAA: it’s about what the message says

Where the TCPA governs how you contact patients, HIPAA governs what the communication reveals. The principle to operationalize is minimum necessary: an outreach message should disclose the least protected information needed to do its job.

  • “You’re due for a visit — tap to schedule” works without naming a diagnosis. SMS is not an encrypted channel, and a text can be read by anyone holding the phone. Keep conditions, test names that imply conditions, and results out of message bodies.
  • Verify who you’re talking to before a conversation goes anywhere clinical — and design the AI to do the same on voice calls.
  • If a vendor’s systems touch patient data — and any outreach vendor’s do — a business associate agreement (BAA) is the baseline, not a bonus feature. Ask how PHI is stored, who can access it, and how long it’s retained.

Transcripts are accountability

A human caller’s conversation evaporates unless someone documents it. An AI system has no excuse: every call and text thread should produce a transcript, written back to the patient record, with the outcome logged per care gap. Transcripts are how you audit what the AI actually said, how you investigate a complaint, how you prove an opt-out was honored the moment it happened — and how clinical staff get context instead of a mystery. If an outreach system can’t show you the transcript, it’s asking you to take its behavior on faith.

Humans in the loop, by design

Automation should have edges, and the edges should lead to people. A patient who is confused, distressed, reporting symptoms, or asking something beyond the campaign’s scope should be handed to staff — with the transcript attached, so the patient doesn’t start over. Escalation design is a compliance control as much as a service one: the costliest automated conversation is the one that should have stopped being automated three turns earlier.

Questions to ask any AI outreach vendor

  1. Opt-out latency. When a patient says stop — by text, or out loud mid-call — how fast does every channel actually stop? Ask for the mechanism, not the policy.
  2. Consent model. Where does consent live, how is it captured and scoped, and how are revocations recorded and propagated to every campaign?
  3. Escalation design. What triggers a handoff to humans, what does the handoff include, and what happens after hours?
  4. Transcripts. Is every interaction recorded as a transcript, where is it stored, who can access it, and does it write back to the patient record?
  5. Message content controls. Who reviews what the AI is allowed to say? Can you cap clinical detail in SMS? Can you see and approve the conversation flows before they run?
  6. Calling-window and attempt-cap enforcement. Are quiet hours and attempt limits enforced by the system itself, or by configuration someone has to remember?
  7. The paperwork. Will they sign a BAA? How is PHI encrypted, retained, and deleted?

A vendor with good answers will have them immediately — these are design decisions, not edge cases. (For the record, this list is also a fair way to interrogate our AI outreach: instant opt-out, capped attempts, scheduling windows, full transcripts written to the record, and human escalation are how the product works, and we operate under BAAs.)

Compliance isn’t the obstacle to automated outreach. It’s the spec for outreach patients won’t resent — and the clinics that treat it that way get both the protection and the results.

This article is general information, not legal advice. Consult qualified counsel about your outreach program. Sources: FCC declaratory ruling on AI-generated voices (Feb. 2024); FCC TCPA consent-revocation rules (effective Apr. 2025); HHS HIPAA guidance.
