Compliance Checklist

TCPA Compliance for Outbound Dental Recall: What Practices Confirm Before AI Calls Start

Outbound recall using AI voice calls is subject to the Telephone Consumer Protection Act, the same federal law that governs every other automated outbound call to a patient's cell phone. Practices that skip the compliance gates do not just risk fines — they risk losing the patient trust that recall is supposed to protect. This guide walks through the specific gates every practice should confirm before AI starts calling — vendor-agnostic, so the same checklist works whether you are evaluating Velyn or any other AI receptionist.

Already chose Velyn? See how the controls map to TCPA →

Problem framing

Most dental practices have never had to think carefully about TCPA because their old recall process was human-staffed and didn't trigger the same statutory thresholds. AI changes that. An automated voice call to a patient's cell phone is a TCPA-regulated call, full stop.

TCPA violations carry $500 to $1,500 per call in statutory damages. A practice that runs an AI recall campaign without proper SMS opt-in to 500 patients is looking at $250,000 to $750,000 in maximum statutory exposure. The risk is real even when the recall is well-intentioned.

Patients who receive an AI recall call without prior opt-in feel surprised at best and violated at worst. The same recall handled with proper consent feels considerate. Compliance is not just legal hygiene — it is part of the patient experience.

Implementation checklist

Confirm the right consent gate before any AI voice call goes out: written consent for telemarketing, and counsel-reviewed consent for healthcare recall messages.

Use clear opt-in language that names AI specifically, not just 'phone communications.'

Record the date, time, source, and exact text of every patient's opt-in.

Honor opt-outs immediately when the healthcare-message exemption applies, and in every other case within the TCPA's reasonable-time window, never later than ten business days.

Confine outbound calls to 8 AM to 9 PM in the patient's local time zone, not the practice's.

Confirm the AI discloses itself as AI on the call ('This is Brynn, an AI assistant calling on behalf of [PRACTICE]...').

Never use AI to deliver clinical results, treatment plans, or anything that could be construed as practicing dentistry remotely.

Verify your state's AI-call rules (some states have added specific disclosure or consent requirements on top of federal TCPA).

Keep the consent record for at least four years (federal TCPA statute of limitations).

Build a daily reconciliation: opt-outs received via any channel (SMS STOP, voicemail, email, in-office) propagate to the AI calling list within 24 hours as Velyn's internal operating standard.

Document the consent flow as part of your privacy practices notice.

Review the AI script with counsel before launching any campaign that touches more than a handful of patients.

What TCPA actually requires for AI-driven dental recall calls

The Telephone Consumer Protection Act and its implementing FCC rules regulate calls that use an artificial or prerecorded voice. The consent analysis depends on the line called and the purpose of the message: telemarketing calls generally require prior express written consent, while certain healthcare messages from a HIPAA covered entity or business associate may fit a narrower exemption if the rule's conditions are met.

Prior express written consent for telemarketing is more specific than 'the patient is in our system.' It requires a clear, conspicuous disclosure that the practice will contact the patient using an artificial or prerecorded voice for marketing purposes, and an affirmative action by the patient to consent. SMS opt-in (patient texts YES to a clear opt-in message) is the operational pattern that most cleanly preserves that record.

Existing patient-of-record status should not be treated as a blanket permission slip. A patient who has been coming to the practice for ten years has consented to clinical care and HIPAA handling; whether a recall message can rely on healthcare-message rules or needs written telemarketing consent is a campaign-specific question counsel should review before calls begin.

SMS opt-in: the foundation of legal AI outbound recall

The cleanest operational path for AI recall calls is an SMS opt-in flow. The practice sends a single SMS to the patient with clear language about what they are opting into, and the patient replies YES to confirm. The reply is the consent record.

Opt-in language has to name AI specifically, not euphemize. 'Want a friendly reminder when it's time for your next cleaning? Reply YES to get periodic calls and texts from our practice, including AI-assisted scheduling calls. STOP to opt out anytime.' That sentence does the work — it names the technology, the purpose, and the exit path.

Skip the easy-but-risky patterns: implicit consent ('you gave us your phone number, so we're calling you'), pre-checked opt-in boxes on the intake form, or assuming HIPAA authorization covers every AI outbound scenario. Those assumptions leave the practice without a campaign-specific consent record.

The consent record: what to keep, where to keep it

For every patient who opted in, the practice should retain the date, time, source channel (SMS, web form, in-office paper form), and the exact text the patient was shown. If a question ever comes up — a complaint, a regulatory inquiry, a litigation hold — the consent record is what proves the call was lawful.

Keep the records for at least four years. The TCPA statute of limitations is four years from the violation, so any case brought against the practice would look back across that window. A consent record from three years ago that satisfies the standard is what shuts down a complaint quickly.

Store the records in a system the practice owns and can export. If the AI vendor stores the records on their side only, the practice loses access to its own compliance evidence if the vendor relationship ends. The consent record belongs to the practice.

Time-of-day rules: 8 AM to 9 PM in the patient's local time

TCPA restricts non-emergency automated calls to the hours of 8 AM to 9 PM in the called party's local time zone, not the caller's. A practice in Massachusetts calling a snowbird patient in Florida is bound by Eastern time for the patient — but a practice on the East Coast calling a patient in California is bound by Pacific time, which means no calls before 11 AM Eastern.

AI outbound systems should enforce this automatically based on the patient's area code or, better, the patient's recorded address. Practices that let the AI call between 7 AM and 8 PM 'because the office is open then' create per-call violations when the patient is in a different time zone.

Some states have tighter rules. Check your state's regulations and the regulations of any state where you have patients with non-local area codes.

Opt-out handling: legal deadlines and Velyn's 24-hour operating target

When a patient replies STOP to an SMS, says 'remove me from your list' on a call, calls the front desk to opt out, or sends an email asking to be removed, the practice should suppress the patient from all AI outbound channels as soon as the request is received. Under the FCC's healthcare-message conditions, healthcare providers must honor opt-outs immediately; more general TCPA consent revocations must be honored within a reasonable time, not exceeding ten business days.

The operational risk is that opt-outs come through multiple channels and have to propagate to one calling list. A patient who tells the front desk in person should not get an AI call the next day. A patient who replies STOP via SMS should not get an AI call later that afternoon.

Velyn's internal operating target is stricter than the outer federal window: every channel should write opt-outs to one shared do-not-call list within 24 hours, and the AI calling system should check that list before every call, not just before every campaign launch.

AI disclosure on the call itself

The AI must disclose that it is AI early in the call — within the first one or two sentences, before any substantive content. This is both a TCPA-adjacent best practice and increasingly a state-law requirement (California, Florida, and several other states have AI-call disclosure laws).

A clean opening pattern: 'Hi, am I speaking with [PATIENT NAME]? This is Brynn, an AI assistant calling on behalf of [PRACTICE NAME]. Is this still a good time to talk?' The name confirmation, the AI self-identification, the practice attribution, and the consent gate are all in the first three turns of the call.

Never bury the AI disclosure. A call that starts with substantive content and only mentions AI when the patient asks 'are you a robot' is a compliance and trust problem.

State-specific add-ons every practice should check

Federal TCPA is the floor. Many states have layered additional rules on top, especially around AI calls. California's CPRA, Florida's Mini-TCPA, New Jersey's CPRA, and others all have requirements that go beyond federal law in specific areas.

The most common state-law add-ons are stricter consent language, additional disclosure requirements on the call itself, shorter response windows for opt-outs, and broader definitions of what counts as a 'marketing' call versus an 'informational' call. Recall is often considered marketing under these laws, even when the practice considers it patient care.

Before any AI recall campaign launches, confirm the rules in every state where the practice has patients — not just the state where the practice is located. A practice in Florida with patients who relocated to California is bound by California law for those patients.

Common TCPA violations to avoid

Most TCPA enforcement against dental practices is not about systematic abuse. It is about procedural shortcuts that seemed reasonable at the time but did not satisfy the law's specific requirements. The pattern is consistent across cases that result in fines or settlements.

Assuming patient-of-record status equals consent for every AI-call campaign.

Pre-checked opt-in boxes on intake forms (TCPA requires affirmative opt-in).

Calling cell phones before 8 AM or after 9 PM in the patient's time zone.

Failing to honor healthcare-message opt-outs immediately or other revocations within the TCPA's reasonable-time window.

Using AI to deliver clinical information that should come from a provider.

Storing consent records only on the vendor side, with no practice-owned export.

Skipping the AI disclosure at the top of the call.

Treating recall as 'informational' to avoid the marketing-call rules — most states consider recall marketing.

FAQ

Does TCPA actually apply to dental recall calls if the patient is already a patient of record?

Yes. Patient-of-record status is relevant, but it is not a blanket answer. TCPA rules still apply to artificial or prerecorded voice calls, and the practice has to confirm whether a specific recall campaign fits healthcare-message conditions or needs prior express written consent because it is telemarketing. Treat the consent gate as separate from clinical-care consent.

What is the difference between an answering service callback and an AI recall call under TCPA?

An answering service callback initiated by a human agent is a manual call and does not trigger the AI / prerecorded voice rules. An AI voice call placed automatically to a patient's cell phone for non-emergency purposes does trigger those rules — even when the AI is well-designed and the recall is friendly. The legal distinction is automated voice, not the quality of the voice.

Can we get TCPA consent through a paper intake form that mentions phone communications?

Only if the form is drafted for the specific consent gate the campaign needs. For telemarketing, the consent should clearly disclose artificial or prerecorded voice calls and the marketing purpose; generic 'phone communications' language is too thin to rely on. For healthcare recall messages, counsel should still confirm that the message and cadence fit the healthcare-message conditions.

How fast do we have to honor an opt-out request?

Velyn's operating standard is within 24 hours across every channel, and healthcare-message opt-outs should be honored immediately. For other TCPA consent revocations, the FCC's outer window is a reasonable time not exceeding ten business days. SMS STOP replies, voicemail opt-outs, calls to the front desk, and email requests all need to reach the AI calling system's do-not-call list quickly enough that the next outbound run does not include that patient.

What happens if a patient sues over a TCPA violation? What is the realistic exposure?

TCPA carries statutory damages of $500 per violation, treble to $1,500 if the violation is willful. Class actions can aggregate thousands of calls. A practice that ran an AI recall campaign to 500 patients without proper consent could face $250,000 to $750,000 in maximum statutory exposure. Settlements are typically much smaller, but the legal cost of defending the case alone is significant. The math strongly favors getting consent right up front.

Does Velyn's outbound recall product handle TCPA compliance automatically?

The Concierge Recall product is built around a TCPA-compliant SMS opt-in flow. Patients must reply YES to an opt-in SMS before any AI voice call is placed. The opt-in record (date, time, source, exact opt-in text shown) is stored on the practice side and exportable. The AI discloses itself as AI on every call. Time-of-day rules are enforced automatically based on patient time zone. STOP replies propagate to the do-not-call list within minutes. See the Concierge Recall page for the full compliance posture.

Should we run an AI recall campaign before our state's AI-call disclosure law is settled?

Generally not, if your state has an active law or proposed rules. State-law AI-call requirements are evolving fast in 2026, and the safest pattern is to wait until the rules are clear in your state. The federal TCPA floor still applies. Most states will not enforce against good-faith compliance with current rules, but launching an AI campaign while a state law is in flux creates uncertainty the practice does not need.