INSIGHTS


Why is my business number coming up as spam on iPhones and Androids, and how do I fix it? If you are asking that question, you are likely seeing missed calls, calls going straight to voicemail, lower answer rates, and growing frustration from staff and customers alike. In healthcare and service-driven organizations, the impact can be even more immediate because patients and families may avoid returning a call that looks risky.

This problem usually is not caused by a simple caller ID setting inside your phone system. Most spam labeling is driven by carrier reputation systems and call-labeling analytics that evaluate calling patterns and user feedback at scale. [1] The good news is that it can be addressed, but it is rarely a single tweak. It is an end-to-end process that corrects reputation and labeling, manages registrations and whitelisting where appropriate, and can optionally add branded calling as a trust enhancer.

Compliant Communications is the communications partner that owns this process. We help you move from “business number labeled as spam” to a stable, managed calling footprint that supports consistent answer rates without overpromising outcomes.

Oscar Martin
February 10, 2026

The Federal Communications Commission (FCC), through its Consumer and Governmental Affairs Bureau (CGB), released an Order extending the waiver of the TCPA “revoke-all” (sometimes called “global revocation”) requirement in 47 CFR 64.1200(a)(10) until January 31, 2027. [1][2]

For healthcare organizations, this matters because SMS is used across a wide spectrum of patient engagement and operations, including appointment reminders, care coordination prompts, prescription readiness notifications, billing or collection notices, and patient experience outreach. Many of these workflows depend on automated or semi-automated messaging, plus integrations between EHR systems, patient engagement platforms, contact centers, and telecom aggregators.

The date change is a reprieve, not a pause on compliance work. Healthcare entities should use the added runway to modernize consent lifecycle management, reduce fragmentation between clinical and operational messaging streams, and validate that opt-out behavior is handled consistently across vendors, numbers, and message types. [1]

Avery Parker
February 4, 2026

In the final week of January 2026, Kaiser Foundation Health Plan, Inc., operating as Kaiser Permanente, disclosed a proposed multimillion-dollar settlement resolving class action claims tied to continued delivery of marketing text messages after recipients had opted out by replying STOP or similar commands. [1] The matter, filed under both the Telephone Consumer Protection Act and the Florida Telephone Solicitation Act, centers on whether opt-out requests were honored consistently across Kaiser’s outbound SMS operations. [1]

While the legal allegations are familiar, the operational implications are not. The settlement documentation makes clear that liability exposure did not hinge on message content nuance or patient misunderstanding. Instead, it turned on governance execution. Once opt-out intent was expressed, the organization allegedly failed to suppress subsequent marketing messages across all relevant sending pathways. [1]

This development lands amid heightened regulatory scrutiny of automated messaging practices across industries. For healthcare organizations already navigating HIPAA obligations, state privacy laws, and carrier enforcement regimes, the Kaiser settlement underscores that SMS compliance failures can escalate quickly into material financial and reputational consequences. [1] The message to the sector is unambiguous. Texting programs that are not architected for centralized consent and opt-out enforcement are no longer defensible.

Morgan Ellis
January 29, 2026
Robocalls, Robotexts, and Healthcare: Consent and Call Trust Are Converging Again

This week’s signal is not a single headline about healthcare organizations. It is the continued, coordinated push by federal regulators to reduce deceptive and unwanted calls and texts, paired with concrete infrastructure moves that raise the floor for identification and call authentication across the ecosystem. For healthcare operations teams, that combination matters because even well-intentioned operational messaging can be evaluated through the same consumer-expectations lens: clear consent, clear identity, and technical trust signals that reduce confusion and spoofing risk. [1]

Two developments are particularly operational. The FCC’s Wireline Competition Bureau issued a January 22, 2026 Public Notice that sets effective dates and implementation guidance tied to updated Robocall Mitigation Database filing requirements, including new recertification timing (March 1, 2026), multi-factor authentication for database access, and effective dates for certain amendments (February 5, 2026). [2] In parallel, the FTC’s enforcement posture in the health insurance marketing and lead generation space remains focused on alleged deception and aggressive telemarketing or robocall tactics, reinforcing that healthcare-adjacent calling and texting practices are under active scrutiny. [3]

Separately, the FCC continues to adjust the practical edges of consent revocation rules under the TCPA, including extending the effective date of a provision that would require treating certain opt-out or revocation requests as applying broadly across message types from the same caller. The operational takeaway is not to relax. It is to keep consent and preference management centralized so your teams can honor revocations promptly and consistently. [4]

Avery Parker
January 26, 2026

Two related signals landed in the same week: (1) fresh reporting and analysis arguing that surveillance and immigration enforcement activity in or around healthcare settings is deterring some patients from seeking care, and (2) renewed attention to the gap between HIPAA-covered clinical records and the broader ecosystem of health-related data generated by websites, apps, ad tech, and data brokers. [1][2][3]

For healthcare operators, the practical issue is not the politics. It is trust and predictable operations. When patients worry that showing up creates exposure, they avoid care, delay care, or limit what they share. That directly affects scheduling, registration workflows, care continuity, and staff safety and confidence at the front line. [1][2]

This is also a communications issue. The same week’s discussion reinforces that patient-facing digital touchpoints (web properties, forms, chat widgets, third-party analytics) can create health-related data outside HIPAA’s traditional perimeter, with different rules and enforcement levers. [2][4]

Avery Parker
January 22, 2026

What are the best HIPAA-compliant VoIP providers for small medical practices? The most useful way to answer that question is to treat “HIPAA-compliant VoIP” as an operational claim that must be proven through governance, retention, access control, and evidence, not a vendor label. Small medical practices searching for the “best HIPAA-compliant VoIP provider” are often reacting to the same pressure points. Missed calls are hurting patient access. Staff are overwhelmed at the front desk. Legacy phone systems cannot support remote work or multi-location scheduling. At the same time, compliance leaders and administrators know that voice systems increasingly handle protected health information and therefore sit squarely inside the HIPAA risk surface.

HIPAA does not regulate phone systems as a category. It regulates how covered entities and their business associates create, receive, maintain, and transmit electronic protected health information. That distinction matters. A VoIP platform can advertise security features and still leave a small practice exposed if recordings are always on, voicemail is retained indefinitely, or texting is enabled without consent controls and documentation workflows. In enforcement actions, regulators look for reasonable safeguards, documented decisions, and evidence of control, not marketing claims.

For small practices, the gap between what a platform can do and what the practice can realistically govern is where risk accumulates. The best HIPAA-aligned VoIP provider is therefore not the one with the longest feature list. It is the one designed to reduce unnecessary PHI exposure by default and to help a lean organization maintain an audit-ready posture over time. That framing is the foundation of Compliant Communications.

Morgan Ellis
January 5, 2026

On December 23, 2025, the Federal Communications Commission submitted its annual report to Congress on robocalls and the transmission of misleading or inaccurate caller identification information, pursuant to the TRACED Act. The report consolidates complaint trends, enforcement posture, and the Commission’s ongoing emphasis on traceback, caller ID integrity, and upstream accountability. It is a telecom policy document, but its implications land directly on healthcare operations because patient access, revenue cycle, care navigation, and population outreach increasingly depend on phone and text channels. A single failure mode, such as spoofing, mislabeled calls, or blocked routing, can degrade appointment adherence, medication follow-up, and post-discharge engagement at scale. [1]

The operational risk is compounded by the reality that healthcare brands are prime targets for impersonation. Fraudsters exploit patient anxiety, open enrollment confusion, pharmacy benefit uncertainty, and billing complexity. When that fraud rides on the same networks healthcare uses for legitimate outreach, telecom policy changes can produce collateral operational consequences. In practice, “robocall mitigation” becomes a board-level patient experience and financial performance issue, not merely an IT hygiene item. [1]

For Compliant Communications customers and prospects, the point-in-time takeaway as of December 27, 2025 is straightforward: telecom governance is tightening, and healthcare outreach programs should assume more scrutiny of calling and texting behaviors, identity signals, and consent artifacts. The FCC’s report is a reminder that enforcement and ecosystem controls are being engineered upstream, and healthcare cannot treat deliverability as a vendor-only problem. [1]

Morgan Ellis
December 27, 2025

In late 2025, a class action lawsuit was filed against Sharp HealthCare, centering on allegations that the San Diego-based provider used an artificial intelligence dictation and recording tool to capture patient-clinician conversations without adequate notice or consent. The complaint asserts that the ambient AI engine recorded sensitive clinical dialog in exam rooms and telephone conversations, generating automated clinical notes while failing to secure legally required consent documentation from patients.¹

The lawsuit claims that staff used the technology since April 2025, and that while Sharp purportedly documented patient consent, in many cases consent was not actually obtained and instead was retroactively inserted into records by the AI tool or other mechanisms.¹ Plaintiffs estimate that hundreds of thousands of encounters may have been recorded under the controversial process without proper transparency.¹

This legal action highlights the complex intersection among telecommunications law, call and voice recording consent requirements, AI-powered clinical tools, and federal privacy regimes like HIPAA.¹ While the litigation primarily cites violations of privacy and wiretapping statutes, the operational dimensions implicate healthcare contact systems that automate or monitor voice interactions under technology governance frameworks.¹

Morgan Ellis
December 19, 2025

Healthcare leaders often assume that spam labeling is caused by caller ID spoofing or lack of STIR/SHAKEN authentication. That assumption is understandable and incorrect. Many healthcare organizations have fully authenticated calls and accurate caller ID information, yet their outbound calls still appear as “Potential Spam” on patient devices. This disconnect creates confusion and delays effective remediation.

Modern spam labeling is driven primarily by carrier reputation engines. These systems evaluate whether a specific outbound number, or DID, is known, categorized, trusted, and contextually appropriate for its calling behavior. Authentication frameworks such as STIR/SHAKEN establish that a call is legitimate, but they do not establish that it is wanted. [1] Likewise, national caller ID databases can populate a name, but they do not influence spam classification decisions at the carrier analytics layer. [2]

For healthcare organizations, the impact is immediate and measurable. Patients do not answer calls flagged as spam. Appointment slots go unfilled. Revenue cycle follow-up is delayed. Staff escalate to repeated dialing or alternative contact methods that increase compliance risk. This is why Compliant Communications treats spam mitigation as an operational governance issue tied directly to patient access, not as a cosmetic caller ID enhancement.

Patrick Davidson
November 21, 2025

On June 10, 2025, the Federal Trade Commission announced a settlement with the operators of Evoke Wellness tied to allegations that deceptive Google search ads and telemarketing were used to impersonate other substance use disorder treatment providers. The FTC stated that consumers searching online for specific treatment providers were allegedly routed through misleading advertisements and connected to call centers that misrepresented their affiliation. The resulting order includes a $7 million civil penalty judgment, partially suspended based on asserted inability to pay, with $1.9 million due, and permanent prohibitions on similar deceptive practices. [1]

For healthcare executives, the significance extends well beyond a single behavioral health organization. The FTC’s action treats the entire search-to-call pathway as a unified consumer experience. Paid search keywords, ad copy, click-to-call functionality, dynamic call routing, and call center scripts are evaluated collectively to determine whether patients were misled at any point in the access journey. That framing collapses traditional internal silos between marketing, IT, telecom, and operations into a single regulatory surface. [1]

The enforcement message is direct. When healthcare organizations rely on outsourced call centers, attribution numbers, or performance marketing vendors, responsibility for representations does not transfer. Governance failures in telecom configuration or call handling can be characterized as deceptive acts or practices when they alter how a reasonable patient understands who they are calling and what care they are accessing. Patient access infrastructure is now squarely within the FTC’s enforcement lens. [3][4]

Patrick Davidson
June 13, 2025

On May 8, 2025, U.S. lawmakers reintroduced the Access to Prescription Digital Therapeutics Act of 2025 (H.R. 3288), placing prescription digital therapeutics (PDTs) squarely on the federal health policy agenda. [1] PDTs are software interventions prescribed by clinicians to prevent, manage, or treat specific conditions. Over the past several years, they have gained traction in clinical programs and attracted increasing regulatory and payer attention.

The PDT Act would create a formal Medicare and Medicaid coverage pathway by directing the Centers for Medicare and Medicaid Services (CMS) to establish coding and payment approaches for these products. [1] For health technology developers and provider organizations, that shift matters because reimbursement ambiguity has been one of the largest barriers to operational adoption at scale, particularly in settings where patients depend on government coverage for access.

The reintroduction also aligns with broader federal activity aimed at modernizing digital health access and interoperability. In mid-May 2025, CMS and federal health IT leadership sought public input on the market for digital health products for Medicare beneficiaries and on interoperability infrastructure, underscoring an intent to shape a more coherent, technology-enabled care ecosystem. [2][3]

Healthcare stakeholders often describe efforts like H.R. 3288 as part of a longer transition, moving digital health products from “innovation” pilots into covered benefits that can be ordered, documented, and reimbursed with the same discipline as more traditional modalities. If implemented carefully, this kind of policy can reduce inequities created by out-of-pocket payment models and improve access for patients with chronic, behavioral, or high-friction conditions that benefit from sustained engagement.

Avery Parker
May 8, 2025

In early 2025, the Office of the National Coordinator for Health Information Technology (ONC) took a significant step in shaping healthcare data exchange by publishing the ONC Standards Bulletin 2025-1 Draft United States Core Data for Interoperability Version 6 (USCDI v6). The draft proposes updates to the standardized minimum dataset used for electronic exchange across health systems, payers, technology vendors, public health entities, and patients. [1]

Interoperability remains a central technology and policy priority for U.S. healthcare. Persistent friction in electronic data exchange can slow care coordination, increase redundant documentation, and limit patient access to usable information across providers and settings. Against this backdrop, draft USCDI v6 continues ONC’s pattern of expanding the minimum dataset over time to reflect emerging care and reporting needs. [1]

The USCDI initiative serves as a reference baseline for health IT developers and healthcare organizations when designing and implementing exchange workflows. It is also a practical roadmap for data capture and normalization efforts, since data elements cannot be exchanged consistently unless they are captured consistently, mapped to usable terminologies, and represented in implementation-ready forms. [1]

Morgan Ellis
April 10, 2025

The Telephone Consumer Protection Act (TCPA) and the FCC’s implementing rules shape how organizations contact consumers and patients by phone and text. For many healthcare programs, automated or semi-automated calls and texts require an appropriate form of prior express consent and must stop when a recipient revokes consent. [3]

In February 2024, the FCC adopted amendments addressing how consumers can revoke consent to receive robocalls and robotexts and clarified that certain revocation methods are per se reasonable. The FCC later set an effective date of April 11, 2025 for those consent revocation rules. [2][3]

Healthcare organizations often operate multiple outreach systems across scheduling, care management, billing, contact centers, and third-party patient engagement vendors. That fragmentation makes consent and opt-out handling a systems integration and governance problem, not just a policy problem, which is why the industry closely tracked the April 2025 effective date. [3]

Avery Parker
March 13, 2025

In February 2025, the U.S. business messaging landscape moved into a stricter enforcement phase for Application to Person (A2P) 10 Digit Long Code (10DLC) texting, with ecosystem guidance indicating that unregistered traffic is subject to blocking by carriers in the messaging ecosystem. [4]

This enforcement milestone represents a major transition from earlier phases where some senders experienced warnings, filtering, fees, or partial deliverability issues. In the enforcement phase, the operational impact is more direct: if a sender is not properly registered and aligned to an approved campaign, messages can fail to deliver at scale. [4]

Healthcare organizations are among those most directly affected because SMS is often embedded into day-to-day patient operations, including appointment reminders, patient alerts, prescription readiness notifications, and care coordination. If a healthcare program was not fully registered for 10DLC, messages can be filtered or blocked, interrupting time-sensitive patient communications and creating avoidable operational risk. [1]

Morgan Ellis
February 13, 2025

In late April 2024, the Federal Trade Commission announced a significant update to the Health Breach Notification Rule (HBNR) that positions the agency to regulate breaches involving digital health technologies not covered under HIPAA, setting a stronger baseline for privacy protections as the ecosystem moves into 2025. [1]

The HBNR historically required vendors of personal health records (PHRs) and related entities to notify individuals, the FTC, and in certain cases the media of breaches involving unsecured PHR identifiable health information. [2]

With the proliferation of mobile health apps, wearable devices, and connected health platforms, the FTC’s final changes clarify the scope of coverage to include entities and technologies that fall outside the traditional HIPAA framework, bringing more consumer health data practices under an enforceable notification regime. [1][2]

Digital health companies relying on consumer engagement through applications and devices should evaluate whether the expanded definitions of PHR vendors and related entities subject them to new breach notification obligations and operational expectations. [1][2]

Implementation timelines place the effective date 60 days after publication in the Federal Register, shaping compliance planning and enforcement posture heading into 2025. [1]

Morgan Ellis
January 16, 2025