The Compliance Issue
The FCC has made some rule changes, going into effect October 2013, that add new restrictions on the use of outbound IVR (aka "robocalling"). Some of these changes will affect outbound IVR surveys, so if you use this technique you should be aware of what's going on.
I'm not a lawyer, but I've been researching these changes. My summary of how this impacts outbound IVR surveys may be helpful to get the lay of the land, but if you think this may affect your business you should get legal advice from an actual lawyer.
The background is simply that consumers hate robocalls, and they have been complaining to the FCC. A lot. And when you annoy enough voters, politicians and bureaucrats tend to notice.
The old rules had some significant loopholes (aka "safe harbors") which made it fairly easy for companies to legally robocall consumers. The biggest loophole was the "established business relationship" exemption, which basically said that the rules didn't apply if there was an established business relationship. That is now gone. There is also a new, and very strict, definition of the kind of consent you need for "telemarketing" calls made using an autodialer or outbound IVR.
Under the new rules, you need:
- Express written consent from the recipient before a telemarketing call using a robocall or autodialer. Express Written Consent has a specific definition, and is a real hurdle: basically the consumer has to sign something in writing specifically authorizing robocalls, in a way which makes it clear that's what the consumer meant to do.
- Express consent from the recipient before making any robocall or autodialed call to a mobile phone. Express Consent isn't specifically defined in the rules, but the implication (both in the rules and in the discussion in the FCC's report) seems to be that it's supposed to be just as unambiguous to the consumer as Express Written Consent, but you can be a little more flexible about how you get it--for example, by asking over the phone. But, as I interpret the rules, you can't bury something on page 19 of your Terms of Service which would give consent for the customer to be robocalled (both because it's not prominent enough, and also because you can't make Express Consent a requirement for selling the customer any product or service).
In addition, all robocalls must identify the company placing the call right at the beginning of the call (using the company's legal name) and provide a phone number during the call.
The implications for outbound IVR surveys, as I read the rules, are as follows:
- An outbound IVR survey to a business or landline doesn't need prior consent from the person you're calling.
- An outbound IVR survey to a mobile phone requires express consent, even if there's an established business relationship.
- You can be flexible about how you get consent for an IVR survey, as long as it's clear to the consumer that they're agreeing to be robocalled and you keep a record. For example, any of these would be OK:
  - A recording of the customer service rep asking the customer, "Can we have your permission to call you for an automated survey after this call?"
  - A recording of your (inbound) IVR asking the customer, "We would like to call you after this call for an automated survey. Please press one if we have your permission," followed by the DTMF digit "one" from the customer.
  - A web form where the customer checked the box next to the statement, "You may call me with an automated customer survey."
  - A written contract where the customer initialed a box next to the statement, "You may call me with an automated customer survey," as long as the customer's consent was optional.
- Any outbound IVR survey must begin with a statement like, "We would like you to take this automated survey from XYZ Incorporated," and at some point have a statement like, "You can reach XYZ Incorporated at 800-555-5555."
- You need to be very careful that your survey doesn't include a marketing message and therefore become "telemarketing." What's a marketing message? I don't know. If you give the customer a coupon code for taking the survey, to you that might just be a way of boosting response. But to the FCC, distributing coupons might be "marketing." I won't be the one to litigate this question.
On the whole, these rule changes will not make outbound IVR surveys impossible for companies trying to do post-call customer surveys. But they do impose some significant headaches. No longer can you hide behind the "established business relationship" loophole. You need to get specific permission from the customer to robocall him or her. Just as importantly, you need to have a record of that permission, because if there's a dispute the burden of proof is on the company to show there was express consent.
The easiest thing to do is have the CSR ask for permission for the survey. Since many companies already record calls, that takes care of the record keeping problem. But this is bad survey practice, since it gives the agent a chance to manipulate the process.
Better is to have the (inbound) IVR offer the survey. But since almost no companies currently record IVR interactions or keep their log files for an extended period of time, it may be a significant burden to maintain the proof that the customer really did consent to the survey.
Another option is to ask customers for blanket permission to do outbound IVR surveys. To make this work, there will have to be a database entry (probably in the CRM system) showing which customers consented, and IVR calls can only be placed to customers who agreed. Depending on your infrastructure, this could be simple, or it could be very complex to make it work in real-time.
The one thing which is clear (and again, please get legal advice!) is that the days of "anything goes" outbound IVR surveys are gone for good.
Vocalabs has several healthcare-related clients, so we are used to dealing with the privacy and security requirements of HIPAA. Some recent changes to the regulations will mean significant new requirements for what a company like us needs to do to remain HIPAA compliant after September 2013.
Since Vocalabs itself is not a healthcare company, we are not what's called a "covered entity" under the regulations. Rather, we are a "business associate," which is basically any company which a covered entity hires to perform some work which may require sharing protected health information.
Many non-healthcare companies hired by a covered entity would also be considered business associates--for example: accountants, IT services, lawyers, business process consultants, etc.
Under the old rules, a business associate had to sign a contract with the covered entity that basically promised to keep protected health information private and secure. Business associates had to maintain the same level of privacy and security as the covered entity, but did not have to go through the formal documentation and review process.
After September, though, business associates have to follow all the same security rules as a covered entity (at least insofar as they can reasonably be applied) and produce the same formal documentation and policies. What's more, to the extent that a business associate subcontracts to a third party which may also receive protected health information, that subcontractor also has to comply with all the policy and documentation requirements.
These new requirements can potentially be a big problem for some survey companies. At Vocalabs, our existing policies and processes are already consistent with HIPAA requirements, so for us it will be mostly a matter of documenting and formalizing what we already do. But at companies which aren't as security-minded, the HIPAA changes could require large investments in infrastructure, training, and compliance.
So how does all this apply to Customer Feedback?
Keep in mind that the HIPAA rules only apply to "protected health information," which has a very specific legal definition. It's basically health- and care-related information created by a healthcare company (doctor, hospital, insurance company, etc.) which can be tied to a specific, identifiable patient. Customer feedback is not, by itself, protected health information.
But sometimes we need to have protected health information in order to gather useful feedback. For example, we need to know the patient's phone number to call him or her, and that phone number combined with the fact that there had been a hospital visit could arguably qualify as "protected health information." So to be on the safe side, we will treat it as PHI. For analysis purposes, we may also want to know the doctor's name, hospital, or other details which can really help understand how to improve the patient's experience but which clearly need to be protected.
So between now and September we will be updating our security and privacy policies, revising contracts, and doing everything we need to do to remain fully HIPAA compliant under the new rules. And anyone else collecting customer feedback around healthcare will need to do the same. And get legal advice.