Compliance Guide

TCPA SMS + AI Voice Compliance: How Velyn Handles It

TCPA is not just an SMS spam rule. It governs automated outbound voice calls too, which means any AI receptionist that places outbound calls falls inside it. The practice — not the vendor — is usually the party on the hook. This guide explains how Velyn's controls handle each gate so the practice can review what runs on its behalf — read it once Velyn is the chosen platform, or use the vendor-neutral buyer's checklist linked below if you're still evaluating.

Still evaluating vendors? See the TCPA buyer's checklist →

Problem framing

Most dental teams hear TCPA and think of marketing texts. The bigger exposure is on the voice side: any AI-generated outbound call is treated as an automated call under TCPA, and enforcement actions land on the practice that placed the call, not the technology vendor behind it.
Many practices using third-party recall services inherit TCPA risk without realizing it. The recall vendor assumes consent based on prior patient contact, the practice never sees the consent record, and a single complaint can surface a gap that has been quietly there for years.

Implementation checklist

Confirm SMS opt-in is captured before any outbound AI contact runs — voice or text — and keep the consent record where staff can read it.

Verify opt-out is honored within ten business days, the TCPA standard, and that the system the AI uses to make calls receives the opt-out the moment it is recorded.

Keep the dentist-approval queue in front of every AI-proposed action so no patient contact goes out until staff has reviewed the call list.

Hold written records of consent and opt-out timestamps so the practice can produce them if a complaint is filed.

Confirm the BAA addresses TCPA-adjacent data handling — phone numbers, opt-in timestamps, opt-out logs — not just clinical PHI.

What TCPA actually requires for dental SMS

TCPA distinguishes between marketing and non-marketing outbound contact. Marketing SMS — discount offers, new-patient promotions, anything pitching a service the patient did not ask for — requires prior express written consent. Non-marketing SMS, such as a recall reminder for an existing patient already in the schedule, requires prior express consent, which is a lower bar but still requires affirmative opt-in.

The dental wrinkle is that the line moves. A routine recall reminder is usually non-marketing. The moment that reminder adds a discount, a referral incentive, or a new-service mention, it pushes toward the marketing classification, and the consent standard tightens with it.

What counts as opt-in: a documented action by the patient — checking a box, replying YES to a confirmation prompt, signing a form — with the date, the channel, and the language they agreed to recorded.
What does not count: implied consent from a prior visit, a phone number collected at intake without an SMS-specific opt-in, or a list handed over by a third party with no consent record attached.
Opt-out mechanics: STOP replies, written requests, and verbal requests during a call all count. The TCPA standard is to honor an opt-out within ten business days; honoring immediately is the safer practice and is what Velyn does by default.

Where AI voice calls add new TCPA exposure

AI-generated voice calls fall under TCPA's automated-call provisions in the same way pre-recorded robocalls do. The compliance bar is the same: prior express consent before the call goes out. The practice that placed the call is the liable party in most enforcement actions, even when a vendor's system actually dialed the number.

This matters for any AI receptionist evaluation. A vendor that runs outbound AI voice without first confirming an SMS opt-in puts the practice on the hook for whatever those calls turn up — opt-in gaps, opt-out misses, and complaints alike. Ask the vendor where the consent record lives and how staff reads it before live calls move.

Velyn's gate: an SMS opt-in must be captured and recorded before any AI voice call is allowed to that number. No opt-in, no outbound.
Velyn's audit trail: every consent record and every opt-out is timestamped and reviewable in the daily portal queue alongside the proposed bookings.
What Velyn does not do: cold-call patients without a prior opt-in, infer consent from a past appointment, or push a proposed booking past the dentist-approval queue.

How Velyn's controls map to TCPA

The operational chain is opt-in capture, then AI voice eligibility, then dentist-approval queue, then recorded action. Each step is a TCPA-relevant control. Opt-in capture is the consent record. AI voice eligibility is the gate that blocks outbound until the record exists. The dentist-approval queue is the human review step that catches anything the system proposed but should not send. The recorded action is the audit trail that produces evidence on demand.

What stays with the practice is the legal interpretation. The scope of the consent language, the wording of the opt-in form, and counsel review of either are decisions for the practice and its attorney. Velyn does not provide legal advice and does not author consent copy. Velyn operates on the consent records the practice captures and stops outbound the moment a record is missing or revoked.

Opt-in capture is gated by the practice's own consent form — Velyn does not author legal copy or interpret what the consent covers.
Opt-out is honored immediately in Velyn's contact graph and propagated to the practice's PMS through the routing path the office approved during setup.
Every AI-proposed outbound action passes through the daily dentist-approval queue before any patient contact moves — the practice approves or rejects each one.
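The chain described above (opt-in capture, eligibility gate, approval, recorded action) can be sketched as a small gate that fails closed. This is an added example, not Velyn's code: the class, method, and field names, the scope labels, and the phone numbers are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Consent:
    scope: str                              # "non_marketing" or "marketing"
    channel: str                            # where the patient opted in
    opted_in_at: datetime
    opted_out_at: "datetime | None" = None  # set when the patient revokes

class OutboundGate:
    def __init__(self):
        self.consents, self.audit = {}, []  # phone -> Consent; append-only audit rows

    def _log(self, phone, event, detail):
        self.audit.append((datetime.now(timezone.utc), phone, event, detail))

    def record_opt_in(self, phone, scope, channel):
        self.consents[phone] = Consent(scope, channel, datetime.now(timezone.utc))
        self._log(phone, "opt_in", f"{scope} via {channel}")

    def record_opt_out(self, phone, channel):
        if phone in self.consents:
            self.consents[phone].opted_out_at = datetime.now(timezone.utc)
        self._log(phone, "opt_out", channel)

    def block_reason(self, phone, kind):
        consent = self.consents.get(phone)
        if consent is None:
            return "no_consent_record"      # a prior visit is not an opt-in
        if consent.opted_out_at is not None:
            return "opted_out"
        if kind == "marketing" and consent.scope != "marketing":
            return "scope_too_narrow"       # reminder-only consent, promotional message
        return None

    def send(self, phone, kind, approved_by=None):
        # Re-check at send time so an opt-out recorded after approval still blocks.
        reason = self.block_reason(phone, kind) or (None if approved_by else "not_approved")
        self._log(phone, "blocked" if reason else "sent", f"{kind}: {reason or approved_by}")
        return reason                       # None means the contact went out

def demo():
    gate = OutboundGate()                   # phone numbers below are constructed samples
    gate.record_opt_in("+15550100", "non_marketing", "intake_form_checkbox")
    cases = [("+15550199", "non_marketing", "dr_a"), ("+15550100", "non_marketing", None),
             ("+15550100", "marketing", "dr_a"), ("+15550100", "non_marketing", "dr_a")]
    results = [gate.send(*case) for case in cases]
    gate.record_opt_out("+15550100", "sms_STOP")
    return gate, results + [gate.send("+15550100", "non_marketing", "dr_a")]
```

Every blocked attempt is written to the audit list with its reason, so the same log that proves a contact was permitted also shows which gate stopped the ones that were not.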

Common mistakes practices make

Most TCPA exposures in dental come from third-party services that inherit consent assumptions without verifying them. A recall vendor reads the patient list, treats prior treatment as implied permission, and dials. The practice never sees the consent record, never sees the opt-out log, and finds out the system was silently out of scope only when a complaint arrives. Velyn explicitly does not assume consent and does not place outbound without a record the practice can read.

Assuming a prior patient relationship implies SMS consent — TCPA requires an affirmative opt-in, and a treatment history does not substitute for one.
Using a recall vendor that conflates prior contact with consent, or that cannot show staff where the consent record for a given patient lives.
Sending discount or promotional SMS to patients who opted in only for non-marketing reminders — the consent scope was narrower than the message.
Failing to log opt-outs in a system the AI vendor can read, so the next outbound run still includes patients who already asked to stop.

FAQ

Does Velyn provide TCPA legal advice?

No. Velyn does not give legal advice and does not draft consent language. What Velyn provides is the operational controls — opt-in gating, opt-out propagation, dentist-approval queue, timestamped audit trail — and a record the practice's counsel can review. Run the consent form past counsel before live calls move.

What happens if a patient opts out mid-campaign?

The opt-out is honored immediately. Any outbound AI contact to that patient stops the same moment the opt-out is recorded, the contact graph is updated, and the action is logged for the practice's audit trail. The next morning's portal queue reflects the change.

Can Velyn use prior appointment data as consent?

No. A prior treatment relationship is not TCPA consent for SMS or AI voice. Velyn requires an affirmative opt-in record before any AI outbound goes to a patient number, regardless of how long the patient has been with the practice.

Is the opt-in form Velyn's responsibility or the practice's?

The practice owns the consent form and the language inside it. Velyn operates on the consent records the practice captures. If the form changes, the change belongs to the practice and its counsel; Velyn reads the resulting records and gates outbound accordingly.

Does this apply to inbound calls too?

No. TCPA governs automated outbound contact. Inbound IVR routing — a patient calling the office and being routed by the AI — does not trigger TCPA consent requirements, because the patient initiated the call.