Here's a question that trips up more clinics than you'd expect: a patient you last saw 26 months ago is due for a cleaning, and your recall system fires off a text. Is that compliant?
Most front-office staff will say yes — "we have their consent." And they might be technically right about the consent form. But the answer actually depends on what kind of message you're sending and whether the treatment relationship that justified it still exists. That gap is where a routine recall text can quietly turn into a Telephone Consumer Protection Act (TCPA) problem, with statutory damages that run $500 to $1,500 per text.
Full disclosure: I work for ReadySMS, and yes, we sell an SMS platform with a compliance stack that helps here. But this is a legal-and-relationship problem first. The tooling only matters once you understand the trigger. So let's get the trigger right.
Two different permissions live inside one consent form
The first thing to untangle is that "patient consent to text" is really two separate legal permissions, governed by two separate frameworks.
HIPAA treatment communications. When you text a patient a recall reminder, an appointment confirmation, or lab-result-ready notification, that's a treatment communication. HIPAA permits it as part of the treatment, payment, and healthcare-operations umbrella — you generally don't need separate marketing-grade opt-in. The patient gave you their number for the purpose of their care.
TCPA marketing consent. The moment your message promotes something — a teeth-whitening special, a "we miss you, come back for 20% off" reactivation, a new cosmetic service — you've crossed into marketing. That requires prior express written consent under the TCPA, and it's a higher bar than "the patient handed us their phone number."
We wrote a whole piece on exactly where this line sits — A Recall Text and a Promo Text Need Different Consent — because it's the single most common accidental crossing in healthcare SMS. Read that if you haven't. This post is about the time dimension of the same problem.
Consent doesn't have an expiration date. The relationship does.
There's a persistent myth that TCPA consent "expires" after some number of months. It doesn't. Once a patient gives valid prior express written consent, that consent persists until they revoke it (a STOP reply, a written request, a phone call).
The thing that does lapse is the underlying treatment relationship — and that's what justifies your HIPAA-covered, non-marketing recall texts in the first place.
Picture the timeline:
- Month 0–18: Patient is active. Recall reminders are clean treatment communications. No marketing consent needed.
- Month 18–36: Patient hasn't returned. Are they still "your patient"? Legally fuzzy. A neutral "you're due for a visit" reminder is defensible. A "we miss you — here's 15% off" is marketing, full stop.
- Month 36+: The treatment relationship has, for practical purposes, gone dormant. A reactivation text that dresses up a discount as a "reminder" is the riskiest message in your whole database.
The trap: reactivation campaigns are by design aimed at the exact patients whose relationship has gone cold — the ones where your treatment-communication cover is thinnest and your message is most likely to be promotional. You're pointing your highest-risk message type at your highest-risk audience segment. That's the collision.
The two questions that decide every message
Before any bulk send to a lapsed segment, run each message through two gates:
- Is this message promotional? If it mentions a price, a discount, a "special," a new service you want to sell, or otherwise nudges toward a purchase — yes, it's marketing. A pure "our records show you're due for your annual exam, reply or call to schedule" is not.
- Do I have marketing consent, and is it documented? Not "did they become a patient." Did they affirmatively opt in to promotional texts, and can you produce the record?
If the answer to question 1 is "yes, promotional" and the answer to question 2 is "no" or "not sure" — you don't send. You re-permission first.
Here's the uncomfortable part most clinics skip: even a purely informational recall text to a patient who's been gone three years invites the argument that no bona fide treatment relationship remains. You're safer treating the long-lapsed cohort as a group you need to re-permission before running anything that even smells like marketing.
A re-permission workflow that doesn't torch your list
The instinct is to just blast the whole dormant list with a promo and see who bites. Don't. That's the move that generates STOP-reply spikes, carrier filtering, and — with the wrong recipient — a demand letter.
Instead, run a two-step re-permission flow. The first message is a compliant, non-promotional re-engagement. The second, marketing message only goes to people who actively signaled they still want to hear from you.
Step 1 — the neutral re-engagement (treatment-framed, no offer):
Hi [Name], this is [Clinic]. Our records show it's been a while since your last visit. Reply YES if you'd like to keep receiving reminders and occasional updates from us, or STOP to opt out.
This does three things. It re-establishes a live channel. It captures a fresh, timestamped opt-in for the people who reply YES. And it lets the uninterested quietly leave via STOP before you ever spend money marketing to them.
Step 2 — the marketing message, sent only to YES responders:
Now — and only now — the reactivation offer goes to a segment with documented, recent, affirmative consent. Everyone else stays untouched.
Before you even hit send on Step 1, scrub the list. A 12-month-old list is roughly 30% reassigned or disconnected numbers, and a dormant-patient list is often older than that. Texting a reassigned number that now belongs to a stranger — especially a known litigator — is a distinct TCPA exposure that has nothing to do with your original patient's consent.
How the ReadySMS compliance stack maps to this flow
I'll keep this specific, because generic "we handle compliance" claims are worthless. Here's what actually does the work in a re-permission campaign:
- Automatic STOP / opt-out handling. When someone replies STOP to your Step 1 re-engagement, ReadySMS honors it immediately and propagates the opt-out so that contact can't be messaged again across any of your campaigns — not just the one that triggered it. That's exactly the behavior you want on a re-permission send, where the whole point is letting the uninterested leave cleanly.
- Quiet-hours enforcement. Sends are held outside permitted local hours based on the recipient's area. A dormant-patient blast that fires at 8 a.m. sharp across three time zones is the kind of detail that shows up in complaints. Holding sends automatically removes a whole category of avoidable TCPA exposure. (More on why the smart quiet-hours window is narrower than the legal one: SMS Quiet Hours.)
- Litigator / DNC scrubbing. Our standalone TCPA & DNC Litigator Scrub runs $0.005 per contact and checks each number against known TCPA-litigator lists and DNC-complainer lists before send. For a 5,000-contact dormant list, that's $25 to screen out the numbers most likely to cost you $500–$1,500 each. And remember — a number can pass DNC and still sue you; the litigator database is the one that catches the plaintiffs.
- Consent / attestation capture. Opt-in attestation is recorded for bulk and API sends, so when someone replies YES to Step 1, you've got a timestamped record. That audit trail is what turns "we're pretty sure they consented" into "here's the record."
None of this makes you lawsuit-proof. Compliance is ultimately the sender's responsibility, and no platform changes that. What the stack does is remove the mechanical failure modes — the wrong-hour send, the un-honored STOP, the un-scrubbed litigator — so the only thing left for you to get right is the human judgment about what's marketing and who's still your patient.
The re-permission cadence, as a checklist
For any patient cohort dormant 18+ months that you want to run marketing to:
- Segment the dormant list by last-visit date. Treat 18–36 months and 36+ months differently.
- Scrub the whole segment for litigators and disconnected numbers ($0.005/contact) before spending a cent on messaging.
- Send Step 1 — the neutral, treatment-framed re-engagement with an explicit YES/STOP ask, inside quiet hours.
- Wait a reasonable window (48–72 hours is typical) for replies.
- Build a fresh segment of YES responders only.
- Send Step 2 — your actual marketing message — to that fresh segment.
- Archive everyone who didn't respond. Silence isn't consent. Don't market to non-responders.
- Keep the attestation records for the YES cohort.
The practical takeaway
The consent form your patient signed three years ago probably didn't expire. But the treatment relationship it was tied to may have gone dormant — and that's what determines whether your next text is a protected treatment communication or an unconsented marketing message. The riskiest thing you can do is aim a promotional reactivation blast at your coldest, oldest patient segment without re-permissioning first.
The fix isn't complicated: neutral re-engagement first, marketing only to people who raise their hand, scrub before you send, and let the tooling enforce quiet hours and STOP automatically so you're only judging the parts that actually require judgment.
If you want to see how the scrub, quiet-hours, and STOP handling line up against your own list size, the cost calculator will give you a real number, and the healthcare SMS HIPAA guide covers the treatment-vs-marketing framework in more depth. Start with 2,500 free credits and run a Step 1 re-engagement on a small dormant segment before you commit to the full list — that's the cheapest way to find out how much of your "consented" database actually still wants to hear from you.