INSIGHTS


In late 2025, a class action lawsuit was filed against Sharp HealthCare, centering on allegations that the San Diego-based provider used an artificial intelligence dictation and recording tool to capture patient-clinician conversations without adequate notice or consent. The complaint asserts that the ambient AI engine recorded sensitive clinical dialog in exam rooms and telephone conversations, generating automated clinical notes while failing to secure legally required consent documentation from patients.¹

The lawsuit claims that staff used the technology since April 2025, and that while Sharp purportedly documented patient consent, in many cases consent was not actually obtained and instead was retroactively inserted into records by the AI tool or other mechanisms.¹ Plaintiffs estimate that hundreds of thousands of encounters may have been recorded under the controversial process without proper transparency.¹

This legal action highlights the complex intersection among telecommunications law, call and voice recording consent requirements, AI-powered clinical tools, and federal privacy regimes like HIPAA.¹ While the litigation primarily cites violations of privacy and wiretapping statutes, the operational dimensions implicate healthcare contact systems that automate or monitor voice interactions under technology governance frameworks.¹

Morgan Ellis
December 19, 2025

On December 23, 2025, the Federal Communications Commission submitted its annual report to Congress on robocalls and the transmission of misleading or inaccurate caller identification information, pursuant to the TRACED Act. The report consolidates complaint trends, enforcement posture, and the Commission’s ongoing emphasis on traceback, caller ID integrity, and upstream accountability. It is a telecom policy document, but its implications land directly on healthcare operations because patient access, revenue cycle, care navigation, and population outreach increasingly depend on phone and text channels. A single failure mode, such as spoofing, mislabeled calls, or blocked routing, can degrade appointment adherence, medication follow-up, and post-discharge engagement at scale.¹

The operational risk is compounded by the reality that healthcare brands are prime targets for impersonation. Fraudsters exploit patient anxiety, open enrollment confusion, pharmacy benefit uncertainty, and billing complexity. When that fraud rides on the same networks healthcare uses for legitimate outreach, telecom policy changes can produce collateral operational consequences. In practice, “robocall mitigation” becomes a board-level patient experience and financial performance issue, not merely an IT hygiene item.¹

For Compliant Communications customers and prospects, the point-in-time takeaway as of December 27, 2025 is straightforward: telecom governance is tightening, and healthcare outreach programs should assume more scrutiny of calling and texting behaviors, identity signals, and consent artifacts. The FCC’s report is a reminder that enforcement and ecosystem controls are being engineered upstream, and healthcare cannot treat deliverability as a vendor-only problem.¹

Morgan Ellis
December 27, 2025

What are the best HIPAA-compliant VoIP providers for small medical practices? The most useful way to answer that question is to treat “HIPAA-compliant VoIP” as an operational claim that must be proven through governance, retention, access control, and evidence, not a vendor label.

Small medical practices searching for the “best HIPAA-compliant VoIP provider” are often reacting to the same pressure points. Missed calls are hurting patient access. Staff are overwhelmed at the front desk. Legacy phone systems cannot support remote work or multi-location scheduling. At the same time, compliance leaders and administrators know that voice systems increasingly handle protected health information and therefore sit squarely inside the HIPAA risk surface.

HIPAA does not regulate phone systems as a category. It regulates how covered entities and their business associates create, receive, maintain, and transmit electronic protected health information. That distinction matters. A VoIP platform can advertise security features and still leave a small practice exposed if recordings are always on, voicemail is retained indefinitely, or texting is enabled without consent controls and documentation workflows. In enforcement actions, regulators look for reasonable safeguards, documented decisions, and evidence of control, not marketing claims.

For small practices, the gap between what a platform can do and what the practice can realistically govern is where risk accumulates. The best HIPAA-aligned VoIP provider is therefore not the one with the longest feature list. It is the one designed to reduce unnecessary PHI exposure by default and to help a lean organization maintain an audit-ready posture over time. That framing is the foundation of Compliant Communications.

Morgan Ellis
January 5, 2026

Two related signals landed in the same week: (1) fresh reporting and analysis arguing that surveillance and immigration enforcement activity in or around healthcare settings is deterring some patients from seeking care, and (2) renewed attention to the gap between HIPAA-covered clinical records and the broader ecosystem of health-related data generated by websites, apps, ad tech, and data brokers. [1][2][3]

For healthcare operators, the practical issue is not the politics. It is trust and predictable operations. When patients worry that showing up creates exposure, they avoid care, delay care, or limit what they share. That directly affects scheduling, registration workflows, care continuity, and staff safety and confidence at the front line. [1][2]

This is also a communications issue. The same week’s discussion reinforces that patient-facing digital touchpoints (web properties, forms, chat widgets, third-party analytics) can create health-related data outside HIPAA’s traditional perimeter, with different rules and enforcement levers. [2][4]

Avery Parker
January 22, 2026
Robocalls, Robotexts, and Healthcare: Consent and Call Trust Are Converging Again

This week’s signal is not a single headline about healthcare organizations. It is the continued, coordinated push by federal regulators to reduce deceptive and unwanted calls and texts, paired with concrete infrastructure moves that raise the floor for identification and call authentication across the ecosystem. For healthcare operations teams, that combination matters because even well-intentioned operational messaging can be evaluated through the same consumer-expectations lens: clear consent, clear identity, and technical trust signals that reduce confusion and spoofing risk. [1]

Two developments are particularly operational. The FCC’s Wireline Competition Bureau issued a January 22, 2026 Public Notice that sets effective dates and implementation guidance tied to updated Robocall Mitigation Database filing requirements, including new recertification timing (March 1, 2026), multi-factor authentication for database access, and effective dates for certain amendments (February 5, 2026). [2] In parallel, the FTC’s enforcement posture in the health insurance marketing and lead generation space remains focused on alleged deception and aggressive telemarketing or robocall tactics, reinforcing that healthcare-adjacent calling and texting practices are under active scrutiny. [3]

Separately, the FCC continues to adjust the practical edges of consent revocation rules under the TCPA, including extending the effective date of a provision that would require treating certain opt-out or revocation requests as applying broadly across message types from the same caller. The operational takeaway is not to relax. It is to keep consent and preference management centralized so your teams can honor revocations promptly and consistently. [4]

Avery Parker
January 26, 2026

In the final week of January 2026, Kaiser Foundation Health Plan, Inc., operating as Kaiser Permanente, disclosed a proposed multimillion-dollar settlement resolving class action claims tied to continued delivery of marketing text messages after recipients had opted out by replying STOP or similar commands.¹ The matter, filed under both the Telephone Consumer Protection Act and the Florida Telephone Solicitation Act, centers on whether opt-out requests were honored consistently across Kaiser’s outbound SMS operations.¹

While the legal allegations are familiar, the operational implications are not. The settlement documentation makes clear that liability exposure did not hinge on message content nuance or patient misunderstanding. Instead, it turned on governance execution. Once opt-out intent was expressed, the organization allegedly failed to suppress subsequent marketing messages across all relevant sending pathways.¹

This development lands amid heightened regulatory scrutiny of automated messaging practices across industries. For healthcare organizations already navigating HIPAA obligations, state privacy laws, and carrier enforcement regimes, the Kaiser settlement underscores that SMS compliance failures can escalate quickly into material financial and reputational consequences.¹ The message to the sector is unambiguous. Texting programs that are not architected for centralized consent and opt-out enforcement are no longer defensible.

Morgan Ellis
January 29, 2026