Solutionreach Solutionreach
(866) 605.6867
Slide background

HIPAA & TCPA Compliant
Protecting patient information is always our priority

Free Starbucks $20 giftcard when you take a live demo Free $20 Starbucks giftcard when you take a live demo
Legal Compliance

Legal Compliance

Solutionreach is committed to helping you remain compliant with the objectives of HIPAA, the TCPA and CASL. We have taken precautions to ensure the highest standards of integrity when it comes to the Solutionreach Platform and maintaining complete confidentiality regarding the patient data entrusted to us by you.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that seeks to improve the efficiency of the health care industry while ensuring the security and confidentiality of patient health information. HIPAA generally applies to “covered entities” (including any health care provider) and "business associates" (any third party engaged by a covered entity to help carry out its health care activities and functions.) Thus, under HIPAA, you are a covered entity and Solutionreach is your business associate.

General Compliance

HIPAA privacy regulations require that you and your business associates develop and follow procedures that ensure the confidentiality and security of your patients’ protected health information (PHI) whenever it is transferred, received, handled, or shared. This requirement applies to all forms of PHI, whether on paper, in oral communications, or in electronic format. Furthermore, only the minimum health information necessary to conduct business is to be used or shared.

As your business associate, Solutionreach follows detailed policies governing the protection of your patients’ PHI, including employing administrative, physical, and technical safeguards as required by HIPAA rules and regulations. You can be confident that we will protect your patient data to help you stay compliant.

Cloud-Based Security

Providers may be concerned that cloud-based platforms are more vulnerable to internet-based attacks, but—with the proper security measures in place—cloud-based solutions carry no more threat of data breach than on-site data storage. In fact, a quality cloud-based software can be more secure because it is more closely monitored; small businesses like healthcare practices can’t typically afford to staff team members responsible for managing the security of their server. The encrypted data stored within the Solutionreach platform is constantly monitored by experts who are committed to keeping your data safe. With the peace of mind that comes with choosing Solutionreach, some of the complexity involved in staying compliant with HIPAA regulations is alleviated.

HIPAA Compliant Marketing

There are some instances where HIPAA requires that you obtain prior authorization from the patient when using their PHI for marketing purposes. HIPAA defines “marketing” as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”

However, HIPAA offers an exemption that allows covered entities to communicate about their own products and services. So, messages you send to patients about products and services are not considered “marketing” under the HIPAA definition so long as they are products and services provided by you.


The Telephone Consumer Protection Act (TCPA) is a federal law that regulates the way consumers are contacted by telephone, fax and text message. These regulations apply to the text and automated landline messages you are able to send through the Solutionreach Platform to communicate with your patients. We have built our platform to support your compliance with the TCPA.

Prior Consent

The TCPA requires that companies obtain consent from consumers prior to sending any sort of text or automated telephone messages. As a HIPAA covered entity, requirements for how that consent is obtained are different depending on whether your messaging only contains health-related information or if it includes marketing-focused content. We have broken the TCPA regulations apart below to help you understand what the restrictions are and how Solutionreach helps you stay compliant with them.

Consent for Informational Health Care Messages:

For HIPAA covered entities sending informational only health-related messages, the patient’s consent can be written, electronic or verbal. With these guidelines, you are able to send your patients informational messages about their health care. Appointment reminders, follow-up care outreach/recall/recare reminders, eyewear notifications (where applicable), and other similar health care messages without marketing content fall within the informational health-related information category.

We strongly recommend that your “Notice of Privacy Practices” or “Privacy Policy” specifically state that you may use your patients’ landline or cell phone numbers to contact them with informational messages. We also suggest that you obtain written acknowledgement from each patient stating that they have received and reviewed your privacy policy. While these steps are a best practice, consent can also be obtained from patients in other manners (verbal consent is acceptable.)

The Solutionreach Platform includes default templates that meet the requirements for information-only content. However, Solutionreach messages can be personalized by you and your staff, so we encourage you to educate yourself on TCPA guidelines by visiting the U.S. Federal Communications Commission website prior to making any modifications to the default templates.

Consent for Marketing-Focused Messages:

The Solutionreach Platform can also be used to send or automate marketing-focused messages, which fall under tighter TCPA regulations. Messages with any sort of marketing content require that your patient provide your practice with “express written consent”, which may be obtained in an electronic format.

To help you remain TCPA compliant, the platform includes features that permit you to obtain that consent for any text message marketing you conduct so that marketing-focused messages are only delivered to patients who have given appropriate consent.


The TCPA requires that you honor patient requests to opt-out of future telephone, fax, or text messages. The Solutionreach Platform allows you to honor these requests on an individual basis. A patient may also opt-out of text messages at any time by replying with the word STOP to any text message sent through the Solutionreach platform.

Identify Disclosure

You are obligated to identify your practice by name and telephone number in all text messages that are sent to patients. The Solutionreach Platform enforces this rule by requiring you to include identifying tokens in all text message templates. You will not be able to send any text messages that do not contain complete and proper identification.

For more information about your responsibilities under the TCPA, please visit the U.S. Federal Communications Commission website.


Canada’s Anti-Spam Legislation (CASL) is a Canadian federal law that regulates commercial electronic messages ("CEMs"). The legislation applies to any electronic message that encourages participation in a commercial activity and may include messages to email addresses, social media accounts, and text messages to cell phones. You can visit the Government of Canada’s website to learn more about CASL.

It is your responsibility to comply with all aspects of CASL as it relates to sending messages to your patients. The Solutionreach Platform is designed with this in mind, and it includes safeguards and features that, if used appropriately, will help you stay compliant.

Read the following sections to understand the various regulations and how Solutionreach helps you remain compliant with CASL.


In order to lawfully send CEMs to patients after July 1, 2014 you will need to have the necessary consent. Under CASL, consent can be either express or implied.

You may already have a practice of obtaining express consent (either oral or written) to send messages to your patients, but even if you have not collected express consent to send messages to your patients you may still benefit from implied consent under CASL.

Implied Consent

CASL allows for implied consent to send CEMs where there is an "existing business relationship" between the sender and the recipient. This relationship derives from the purchase of a product, goods, or service within the past two years or an inquiry about products or services within the past six months.

Therefore, as long as you are using the SR Platform to communicate with your bona fide patients (as intended) then you are likely to have an "existing business relationship" for the purposes of CASL based on that patient relationship.

Under implied consent derived from an established business relationship, you are able to send messages to your patients, including appointment reminders, follow-up care outreach/recall/recare reminders, eyewear notifications (where applicable), and other similar messages – whether express consent for receiving messages has been obtained or not.

If you do not have an established business relationship with a particular patient, do not send messages to that individual.

Opt-out / Unsubscribe Requests

CASL requires you to honor patient requests to opt-out or unsubscribe from future messages, so every message sent to patients using the Solutionreach Platform includes an opt-out or unsubscribe mechanism:

Text Messages from Solutionreach:

The instruction “Reply STOP to Opt-out” appears on each message you send. The recipient need only reply with the word STOP to any text message received and future text messages will stop.

Email Messages from Solutionreach:

For email messages, the “unsubscribe” link appears in the footer of each message you send. The recipient need only click the link to unsubscribe from future messages.

Individual Preferences

There are tools built in to the platform that will allow you to honor opt-out or unsubscribe requests on an individual patient basis. If a patient contacts you to request that you stop sending messages then you can do so by either disabling the types of messages received and/or disabling the patient’s devices to which messages are sent.

In this regard, the Solutionreach Platform is extremely customizable to accommodate patient preferences. Be sure to honor any patient opt-out requests within 10 days in order to comply with CASL.


CASL requires you to identify yourself in all messages you send to patients. The Solutionreach Platform will enforce this rule by requiring you to include identifying tokens in all message templates. These tokens will automatically display your contact information in the messages you send. You will not be able to send any messages that do not contain complete and proper identification.

Your Responsibility

The Solutionreach Platform is designed to give you the most functionality possible when it comes to communicating and engaging with your patients. As such, the platform allows you some flexibility in the messaging content you create, but you will be asked to confirm and verify that your message content meets certain requirements. It is also your responsibility to promptly respond to and immediately honor all patient requests to opt-out or unsubscribe from future email or text messages.

For more information about your responsibilities under the CASL, please visit the Government of Canada’s website at


Please note that, while we are dedicated to giving you tools that will help you stay compliant with HIPAA and TCPA regulations, the information we provide is not legal advice. You are responsible for ensuring the compliance of your patient messages. We encourage you to seek out competent legal counsel for specific direction and guidance.

We have provided the following information to help you understand what your responsibilities are, and how the Solutionreach service aids you in remaining compliant with these objectives.