Artificial intelligence (AI) is widely transforming digital health, including by automating certain patient communications. However, as health care companies consider deploying AI-driven chatbots, texting platforms, and virtual assistants, they should not forget about the highly consequential, and highly litigated, Telephone Consumer Protection Act (TCPA).
Many digital health companies mistakenly assume that they only need to consider the Health Insurance Portability and Accountability Act (HIPAA) when considering whether to text or otherwise communicate with patients via various means. HIPAA governs the privacy and security of protected health information. The TCPA, by contrast, protects consumer rights around how and why patients are contacted.
The TCPA has become a key regulatory consideration for any digital health company that uses technology to communicate with patients by telephone or text message. As AI enables more scalable and automated outreach, understanding the TCPA's boundaries is key to ensuring regulatory compliance and avoiding costly litigation.
Why the TCPA Matters in an AI-Enabled Health Environment
The TCPA restricts certain calls and texts made using an "automatic telephone dialing system" (ATDS), as well as prerecorded or artificial voice messages, without prior express consent. When such communications are made for marketing purposes, prior express written consent may be required. Even health care companies that use AI-powered systems to send appointment reminders, refill prompts, or wellness check-ins by telephone or text — as opposed to marketing, user engagement, or upselling services — may fall within the TCPA's scope, especially if those communications are automated. Note that although the TCPA includes exemptions for certain health care messages, there are numerous parameters for meeting this exception and we urge caution in relying on it.
Even though the Supreme Court's 2021 decision in Facebook v. Duguid narrowed the definition of an ATDS, TCPA compliance remains a moving target. Further, some states have their own version of the TCPA that may define ATDS or similar technology in a different way. This creates real legal risk even for digital health companies with no robocall or telemarketing intent.
AI Chatbots and Virtual Assistants: Are They "Artificial Voices"?
One of the most pressing legal questions, and a focus of plaintiffs' attorneys, is whether AI-powered voicebots or chatbots qualify as "artificial or prerecorded voice" communications under the TCPA. Although the Federal Communications Commission's (FCC) 2024 ruling clarified that AI-generated voices fall into this definition, reaffirming that these types of communications are subject to the TCPA's consent requirements, the legal landscape remains unsettled.
Courts continue to wrestle with how this interpretation applies to emerging technologies like chatbots, especially text-based systems that do not emit sound but still automate patient communication. Some plaintiffs argue that such AI technology, even if it responds dynamically to user input, meets the statutory definition of "artificial voice" because it lacks a live human on the line. If courts agree, this could impose significant restrictions on AI-driven patient engagement tools unless proper consent is obtained.
The FCC's authority, although influential, does not fully preempt judicial interpretation, and differing court decisions may shape how the TCPA applies to various forms of AI-powered communication. As a result, companies must stay alert to both regulatory guidance and case law developments.
What Digital Health Companies Should Do Now
Below are four practical steps to stay on the right side of TCPA compliance in the AI era:
1. Conduct a TCPA Risk Assessment
- Review all patient outreach channels (SMS, voice, chat, etc.) and determine which systems are AI-driven or automated. Flag any that fall within the TCPA's scope. Consider any differing requirements under state versions of the TCPA applicable to your business.
2. Audit Your Consent Flows
- Ensure that your consent language clearly distinguishes between HIPAA and TCPA compliance. For marketing communications, confirm you have prior express written consent. Consider "marketing" to be broadly defined.
3. Consent is King
- When in doubt, obtain prior express written consent for communications in your user flow.
4. Monitor Litigation Trends
- Stay current on case law developments regarding AI, chatbots, and "artificial voice" interpretations. Legal interpretations are evolving quickly.
Final Thoughts
AI is revolutionizing patient communication, but it can also amplify regulatory exposure. The TCPA remains a favorite tool for class-action lawsuits, and digital health companies should treat it with the same seriousness as they treat their HIPAA compliance.
As AI capabilities grow, the gap between innovation and regulation is widening. Thoughtful contracting, consent design, and legal review can help digital health companies lead with compliance, while still delivering smarter, scalable care.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
