Acceptable Messaging Policy
CareMessage Acceptable Messaging Policy
Last Updated: August 24, 2024
1. Introduction
Our Acceptable Messaging Policy is meant to outline regulations tied to the use of SMS and Voice messaging via the CareMessage platform. It is not meant to cover all possible uses of CareMessage products or services, which are to be covered under a broader Acceptable Usage Policy. This policy applies to all CareMessage customers, who may provide their authorized users the ability to send messages, and are responsible for the messaging activity of these users. All SMS and Voice Messaging via CareMessage are subject to this policy, which includes:
- Consent to Message
- Contact Phone Number Maintenance
- Content Moderation
CareMessage’s policy is informed by multiple factors such as federal laws, policies, and regulations across the Messaging Ecosystem, including, but not limited to, the Telephone Consumer Protection Act (47 U.S.C. § 227) (“TCPA”), the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM”), the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), as well as Application-to-Person through 10-digit longcodes ("10DLC"). However, it does not replace adherence with any of these federal laws, policies, and/or regulations.
All of the entities that are a part of the messaging ecosystem, including but not limited to those referenced above, provide us the freedom to implement our own policies. Our policy outlines what is and is not permitted in the use of our product, but is not meant to constitute legal advice. Individual customers may have a different interpretation and/or may be willing to take a compliance risk that exceeds that which CareMessage allows. Customers are encouraged to review all of this with their legal counsel to determine how they may want to enforce their own approach to messaging.
2. Guiding Principles
With very few exceptions, CareMessage works exclusively with non-profits primarily in the healthcare space. We interpret the intersection of policies, and base decisions on our ability to defend this interpretation if a challenge were to come up.
We do so by centering the needs of the low-income, historically marginalized communities we serve and their feedback, combined with mitigating the risks to the non-profit organizations who serve them.
As such, our priorities are to:
- Protect Consumer Autonomy - Given our company’s approach to serving low-income, historically marginalized communities, and our interpretation of current regulations, their preferences override any customer requests.
- Limit Liability for our Customers - Regulations continue to change, where fines and penalties may vary. We respond to audits first centering the intent of the organizations we serve, and in turn revisit our own policies to protect them from unknown risks. For example, 10DLC fines are not covered by general liability insurance or cybersecurity insurance.
- Collaborate with the Ecosystem to Address Changes & Advocate for Policies with Unintended Consequences - When necessary, we engage key players in the messaging ecosystem to push back against policies that can negatively impact low-income, historically marginalized communities, and the organizations we serve.
3. Acceptable Messaging Policy Elements
- Consumers - The owner of a phone number (###-###-####). For most CareMessage customers, a consumer is believed to be the same as a patient who provided their phone number for the purposes of being contacted by their healthcare provider, or a community member or beneficiary of a non-profit organization.
- Patient - Person with an established relationship with a healthcare organization per HIPAA's covered entity designation or a business associate acting on behalf of a covered entity. This person has provided the organization with a phone number, and is believed to be the owner or an authorized representative of the consumer phone number they provided.
- Community Member or Beneficiary - A person with an established relationship with a 501(c)3 non-profit organization, where this person provided the organization with their phone number for the purposes of being contacted about the services provided by the organization.
- Customers - Organizations with an established contractual relationship with CareMessage where such contract provides them with direct access to CareMessage's Products and Services.
4. Definitions
4a. Consent to Message
Customer Responsibility
All phone numbers customers upload and message via CareMessage are numbers customers have acquired through a previously-established relationship with the owner of the phone number.
Prior Express Consent
We assume you have received the phone number, verbally or electronically, directly from a patient (for HIPAA Covered Entities or Business Associates) or community member or beneficiary you serve (for 501c3 non-profits). Through a business associate relationship, you may also be receiving a phone number for an attributed patient or health plan member who needs to establish care. We assume that through providing their phone number, a patient or member is providing their consent to be contacted by your organization in relation to your organization’s core services.
CareMessage does not currently allow the use of the product for use cases which require prior written express consent. (Ex. Telemarketing, debt collection, etc. See Content Moderation section for further details)
CareMessage Enforcement
CareMessage requires use of the Welcome Message as a first attempt to validate the accuracy of a consumer phone number. This introduces an organization to a consumer (a consumer being the owner of a phone number) and is the first validation that the consumer is the intended recipient of communication. We require the following:
- Organization name
- Phone number for consumers to call with questions
- Explicit opt-out instructions
4b. Contact Phone Number Maintenance
Customer Responsibility
Customers are responsible for maintaining contact lists for anyone who receives their services. This may be patients (for Healthcare Covered Entities and Business Associates) as well as community members or beneficiaries (for 501(c)3 non-profit organizations). Customers maintain their own processes and controls to apply any phone number or opt-out request they receive from consumers, patients, or community members.
CareMessage Enforcement
Opt-Out Requests
Opt-out requests are respected immediately and at any time. Consumers can send in a variety of words (STOP, OPT-OUT, QUIT) as well as phrases (wrong patient). An opt-out request must be applied globally to end all communication to the consumer via both SMS and voice messaging. An opt-out request from a consumer is placed into an organization’s “Blocklist” which prevents any additional profiles from sending messages to that consumer phone number.
Opt-Out Confirmation
We are allowed one last message to consumers confirming their opt-out request. This message confirms their opt-out and provides an opportunity to opt-back in. This message cannot currently be edited by customers to ensure adherence with standard content.
Opt-In Requests
Opt-in requests are respected immediately and apply globally. The amount of time a consumer has to opt back in varies depending on the feature they opted out from. The variation exists because of our system's use of various long codes to deliver messages, where a long code used to message a patient or community member or beneficiary may no longer be in use by the organization. This means if more than 3 days have passed, you may need to contact our support team to explore options to opt them back in. In most scenarios we find long codes are still in use and the number to text can be provided to the consumer.
4c. Content Moderation
Customer Responsibility
Customers are responsible and accountable for all content sent through their use of the CareMessage product by their users. They have the freedom to set their own processes or limitations, as well as train their own staff on their approved use cases. For example, they could set stricter standards for internal purposes that go beyond what CareMessage allows via its own Acceptable Messaging Policy. Customer should immediately notify CareMessage of any unauthorized use of or suspected unauthorized use of the Service upon becoming aware of such unauthorized use or suspected unauthorized use. CareMessage may monitor Customer’s and Authorized Users’ use of the Service, but shall have no obligation to do so.
CareMessage Enforcement
We do not allow the use of shared CareMessage logins as this may make it difficult to detect or identify the original creator of content if it violates our moderation standards.
ALLOWED
Healthcare
- Appointment and exam confirmations and reminders
- Wellness checkups
- Hospital pre-registration instructions
- Pre-operative instructions
- Lab results
- Post-discharge follow-up intended to prevent Readmission
- Prescription notifications
- Home healthcare instructions
501(c)3 Non-Profits
- Messages related to services provided by the organization
NOT ALLOWED
- Telemarketing, solicitation, advertising
- Accounting, billing, debt-collection, or other financial content
- Content which does not comply with HIPAA
- Unlawful, harmful, abusive, malicious, misleading, harassing, threatening, excessively violent, obscene/illicit, or defamatory
- Deceives or intends to deceive (e.g., phishing, fraudulent, false, misleading, deceptive, likely to mislead)
- Messages intended to access private or confidential information
- Causes annoyance, inconvenience or unnecessary alarm, distress or panic to any person
- Invades privacy
- Causes safety concerns or promotes or incites harm, discrimination, or violence
- Is intended to intimidate
- Includes or directs to malware
- Indecent, obscene or menacing
- Warning or notification about a serious and imminent risk to the safety of persons or property (e.g., emergency services)
5. Enforcement Process
Trigger
An audit can be triggered by an external entity (messaging services, law enforcement), internal entity (content review), customer self-reporting or reporting staff misuse, standard business review, etc. CareMessage remains committed to responding in a timely manner to audits triggered by any third party, such as a messaging service provider, law enforcement, etc., and operating under a good-faith effort to provide the requested information.
Any known violations of this policy should be immediately reported to compliance@caremessage.org.
Investigation
CareMessage will evaluate the scenario and aim to complete a fair, comprehensive, and timely evaluation. CareMessage will conduct a root-cause analysis to evaluate adherence with our policies along with any applicable local, federal, or state laws, policies and regulations.
For example, this could include reviewing content for adherence with CareMessage Acceptable Messaging Policy as well as federal law, regulations, and policies. It could also include reviewing the origin of a phone number which was messaged and if the prior express consent policy applies.
Notification
CareMessage will make a customer aware of a violation when a scenario requires customer review or action. This will be considered the first notice. Customers will be provided with 3 business days to respond and discuss a plan to remedy any violations. This may include discussing either discontinued use of a use case, or redirecting to alternative uses of the CareMessage service.
Resolution
We expect a good-faith effort from our customers in resolving any issues. If a violation is not discussed within 15 business days of the initial notice OR customer is unwilling to resolve the issue, CareMessage will temporarily shut off all messaging services. Customers who are unwilling to cooperate with the CareMessage team will have up to 15 business days to respond and remedy any violation. If a customer or their representatives are unresponsive or unwilling to remedy a known violation within 30 business days of the initial notice, CareMessage may suspend access to the entire CareMessage application and suspend their service. Suspension of the Service will not relieve Customer from its obligation to pay all amounts due under this Agreement or otherwise limit CareMessage’s rights or remedies.
Reporting
CareMessage will maintain a log of any messaging compliance audits along with a summarized resolution. Upon the completion of an investigation, we will adhere with any requirements including reporting to external parties as necessary.
6. Recommended Best Practices
Although CareMessage's Acceptable Messaging Policy determines the allowed use of our own products and services, organizations may evaluate and create stricter guidelines when evaluating their unique scenarios and risk as it applies to TCPA, HIPAA, 10DLC, CAN-SPAM, etc. The below does not constitute legal advice and is simply provided as a consideration beyond CareMessage's Acceptable Messaging Policy.
Include Your Organization's Name
CareMessage offers a tag (@OrganizationName) that can be leveraged to make it clear to users who you are. We recommend including this as often as possible.
Message Length
Although most of our features allow messages up to 320 characters, we recommend staying at or below 160 characters. This may require iterating on messaging content to be concise, keep messages to a single idea, and have a short call to action.
Opt-Out Reminders
Although not always possible due to character length, we do recommend frequent use of “Text STOP to opt-out” or a similar phrase.
Message Frequency
We recommend customers develop an annual messaging strategy to both prioritize and plan mass-messaging campaigns. This can help organizations navigate other requirements and control for messaging frequency.
- One message per day, up to three per week (Healthcare Covered Entities and Business Associates)
- One message per day, up to three per month (501(c)3s)
Do-Not-Contact Lists
We encourage the porting of data across all messaging platforms to ensure maximum coverage and risk mitigation. On the CareMessage side, you can download patient lists including opt-out data from the Patients section. You can also import “Opt-out” lists via the file center. Integrations can also be configured to reflect opt-out data that may exist in external systems such as the EHR.
7. Policy Change History
Version one of this document: July 30, 2024
Future changes to this policy will be posted publicly on the CareMessage website and available to all customers via the Help Center portal. Annual update notices may be sent to the primary contact on file.
Contact
For any questions, contact compliance@caremessage.org or your CareMessage representative.