Our Acceptable Messaging Policy is meant to outline regulations tied to the use of SMS and Voice messaging via the CareMessage platform. It is not meant to cover all possible uses of CareMessage products or services to be covered under a broader Acceptable Usage Policy. This policy applies to all CareMessage customers, who may provide their authorized users the ability to send messages, and are responsible for the messaging activity of these users. All SMS and Voice Messaging via CareMessage are subject to this policy, which includes:

CareMessage’s policy is informed by multiple factors such as federal laws, policies, and regulations across the Messaging Ecosystem, including, but not limited to, the Telephone Consumer Protection Act (47 U.S.C. § 227) (“TCPA”), the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (“CAN-SPAM”), the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), as well as Application-to-Person through 10-digit longcodes ("10DLC"). However, it does not replace adherence with any of these federal laws, policies, and/or regulations.

All of the entities that are a part of the messaging ecosystem, including but limited to those referenced above, provide us the freedom to implement our own policies. Our policy outlines what is and is not permitted in the use of our product, but is not meant to constitute legal advice. Individual customers may have a different interpretation and/or may be willing to take a compliance risk that exceeds that which CareMessage allows. Customers are encouraged to review all this with their legal counsel to determine how they may want to enforce their own approach to messaging.

With very few exceptions, CareMessage works exclusively with non-profits primarily in the healthcare space. We interpret the intersection of policies, and base decisions on our ability to defend this interpretation if a challenge were to come up.

We do so by centering the needs of the low-income, historically marginalized communities we serve and their feedback, combined with mitigating the risks to the non-profit organizations who serve them.

As such, our priorities are to:

All phone numbers customers upload and message via CareMessage are numbers customers have acquired through a previously-established relationship with the owner of the phone number.

CareMessage requires use of the Welcome Message as a first attempt to validate the accuracy of a consumer phone number. This introduces an organization to a consumer (a consumer being the owner of a phone number) and is the first validation that the consumer is the intended recipient of communication. We require the following:

Customers are responsible for maintaining contact lists for anyone who receives their services. This may be patients (for Healthcare Covered Entities and Business Associates) as well as community members or beneficiaries (for 501(c)3 non-profit organizations). Customers maintain their own processes and controls to apply any phone number or opt-out request they receive from consumers, patients, or community members.

Opt-Out Requests

Opt-out requests are respected immediately and at any time. Consumers can send in a variety of words (STOP, OPT-OUT, QUIT) as well as phrases (wrong patient). An opt-out request must be applied globally to end all communication to the consumer via both SMS and voice messaging. An opt-out request from a consumer is placed into an organization’s “Blocklist” which prevents any additional profiles from sending messages to that consumer phone number.

Opt-Out Confirmation

We are allowed one last message to consumers confirming their opt-out request. This message confirms their opt-out and provides an opportunity to opt-back in. This message cannot currently be edited by customers to ensure adherence with standard content.

Opt-In Requests

Opt-in requests are respected immediately and apply globally. The amount of time a consumer has to opt back in varies depending on the feature they opted-out from. The variation exists because of our system's use of various long codes to deliver messages, where a long code used to message a patient or community member or beneficiary may no longer be in use by the organization. This means if more than 3 days have passed, you may need to contact our support team to explore options to opt them back in. In most scenarios we find long codes are still in use and the number to text can be provided to the consumer.

Customers are responsible and accountable for all content sent through their use of the CareMessage product by their users. They have the freedom to set their own processes or limitations, as well as train their own staff on their approved use cases. For example, they could set stricter standards for internal purposes that go beyond what CareMessage allows via its own Acceptable Messaging Policy. Customer should immediately notify CareMessage of any unauthorized use of or suspected unauthorized use of the Service upon becoming aware of such unauthorized use or suspected unauthorized use. CareMessage may monitor Customer’s and Authorized Users’ use of the Service, but shall have no obligation to do so.

We do not allow the use of shared CareMessage logins as this may make it difficult to detect or identify the original creator of content if it violates our moderation standards.

An audit can be triggered by an external entity (messaging services, law enforcement), internal entity (content review), customer self-reporting or reporting staff misuse, standard business review, etc. CareMessage remains committed to responding in a timely manner to audits triggered by any third party such as messaging service provider, law enforcement, etc and operating under a good-faith effort to provide the requested information.

Any known violations of this policy should be immediately reported to [email protected].

CareMessage will evaluate the scenario and aim to complete a fair, comprehensive, and timely evaluation. CareMessage will conduct a root-cause-analysis to evaluate adherence with our policies along with any applicable local, federal, or state laws, policies and regulations.

For example, this could include reviewing content for adherence with CareMessage Acceptable Messaging Policy as well as federal law, regulations, and policies. It could also include reviewing the origin of a phone number which was messaged and if the prior express consent policy applies.

CareMessage will make a customer aware of a violation when a scenario requires customer review or action. This will be considered the first notice. Customers will be provided with 3 business days to respond and discuss a plan to remedy any violations. This may include discussing either discontinued use of a use case, or redirecting to alternative uses of the CareMessage service.

We expect a good-faith effort from our customers in resolving any issues. If a violation is not discussed within 15 business days of the initial notice OR customer is unwilling to resolve the issue, CareMessage will temporarily shut off all messaging services. Customers who are unwilling to cooperate with the CareMessage team will have up to 15 business days to respond and remedy any violation. If a customer or their representatives are unresponsive or unwilling to remedy a known violation within 30 business days of the initial notice, CareMessage may suspend access to the entire CareMessage application and suspend their service. Suspension of the Service will not relieve Customer from its obligation to pay all amounts due under this Agreement or otherwise limit CareMessage’s rights or remedies.

CareMessage will maintain a log of any messaging compliance audits along with a summarized resolution. Upon the completion of an investigation, we will adhere with any requirements including reporting to external parties as necessary.

Although CareMessage's Acceptable Messaging Policy determines the allowed use of our own products and services, organizations may evaluate and create stricter guideline when evaluating their unique scenarios and risk as it applies to TCPA, HIPAA, 10DCL, CAN-SPAM, etc. The below is does not constitute legal advice and is simply provided as a consideration beyond CareMessage's Acceptable Messaging Policy.

Include Your Organization's Name

CareMessage offers a tag (@OrganizationName) that can be leveraged to make it clear to users who you are. We recommend including this as often as possible.

Message Length

Although most of our features allow messages up to 320 characters, we recommend staying at or below 160 characters. This may require iterating on messaging content to be concise, keep messages to a single idea, and have a short call to action.

Opt-Out Reminders

Although not always possible due to character length, we do recommend frequent use of “Text STOP to opt-out” or a similar phrase.

Message Frequency

We recommend customers develop an annual messaging strategy to both prioritize and plan mass-messaging campaigns. This can help organizations navigate other requirements and control for messaging frequency.

Do-Not-Contact Lists

We encourage the porting of data across all messaging platforms to ensure maximum coverage and risk mitigation. On the CareMessage side, you can download patient lists including opt-out data from the Patients section. You can also import “Opt-out” lists via the file center. Integrations can also be configured to reflect opt-out data that may exist in external systems such as the EHR.

Version one of this document: July 30, 2024

Future changes to this policy will be posted publicly on the CareMessage website and available to all customers via the Help Center portal. Annual update notices may be sent to the primary contact on file.

For any questions, contact [email protected] or your CareMessage representative.