10DLC & Communication Compliance

CareVixis uses SMS, email, phone calls, and text messages to communicate with patients and service providers about account information, scheduling, and reminders. All communications are strictly informational and transactional in nature.

CareVixis is fully 10DLC registered and compliant. All SMS and text messaging campaigns are registered with The Campaign Registry (TCR) and comply with all carrier requirements, the Telephone Consumer Protection Act (TCPA), and FCC regulations governing commercial messaging.

Consent-First Communication Policy

CareVixis operates under a strict consent-first policy for all communications:

  • Prior written consent is required from all patients and service providers before any communication is initiated via SMS, email, phone call, or text message
  • No communication is ever sent without documented opt-in consent on file
  • Consent is obtained through a formal signed consent document presented to each patient during intake or onboarding - patients explicitly authorize each communication channel individually
  • Opt-out is honored immediately - any patient or provider can reply STOP to any text message or request removal from any communication channel at any time
  • Consent records are maintained with date, time, method of consent, and the specific communication channels authorized
  • Signed consent documents are uploaded to the patient's electronic medical record and retained as part of their permanent chart until the patient requests removal

How Patient SMS Consent Is Collected (In-Person, Not Online)

SMS consent is not collected through this website or any web form. Consent is collected in-person at the healthcare practice during patient intake. The process works as follows:

  1. Patient intake at the practice: When a new patient visits the healthcare practice, the front desk or intake staff enters the patient's information into the practice's EMR/EHR system, including one or more phone numbers.
  2. Communication preferences selected per number: For each phone number entered, staff selects the patient's communication preferences from the available categories: Call, Text, Alerts, Voicemail, and Billing. Each channel is authorized individually - no blanket consent is assumed.
  3. Physical consent form generated and printed: Based on the communication preferences selected, the system generates a Consent for Electronic Communications form customized to that patient's selections. This form is printed on paper at the practice.
  4. Patient reviews and signs the form: The printed consent form is presented to the patient by practice staff. The patient reviews the document, which includes full TCPA compliance language, HIPAA acknowledgment, opt-out instructions, and the specific categories of messages authorized. The patient signs and dates the form.
  5. Signed form uploaded to patient record: The signed physical consent form is scanned or photographed and uploaded into the patient's electronic medical record, where it is retained as part of their permanent chart.
  6. System enforces consent before messaging: The EMR/EHR system will not allow any SMS message to be sent to a patient's phone number until a signed consent document is on file for that number. If no signed consent form has been uploaded, the system blocks outbound text messages to that number.

Consent is never implied by simply providing a phone number. A phone number entered into the system without a signed consent form on file will not receive any text messages.

Sample Consent Form Language

The following is a representative sample of the consent language presented to and signed by each patient. This is a sanitized example - no real patient data is displayed. Only the sections relevant to the patient's selected communication preferences appear on their individual consent form:

Types of Communications Sent

CareVixis sends the following types of communications only after receiving explicit prior written consent via signed consent form:

  • Account Information - billing statements, payment confirmations, balance notifications, insurance updates
  • Scheduling - appointment confirmations, scheduling requests, provider availability updates
  • Reminders - appointment reminders, payment due date reminders, follow-up care reminders
  • Health Alerts - urgent care notifications, preventive care reminders, medication refill reminders
  • Voicemail - appointment reminders, callback requests, general practice notifications
  • Billing - billing statements, payment reminders, balance notifications, insurance claim updates

CareVixis does not send promotional or marketing messages through these channels. All communications are directly related to the patient's or provider's account, care coordination, or scheduled services.

10DLC Registration Details

  • Brand Registration - CareVixis is registered as a verified brand with The Campaign Registry (TCR)
  • Campaign Registration - All messaging use cases are registered as individual campaigns with appropriate message class designations
  • Carrier Approval - All campaigns are approved by participating carriers prior to message delivery
  • Message Content Compliance - All messages include required opt-out language and sender identification
  • Throughput Management - Message volume is managed within registered campaign limits to maintain deliverability and compliance

TCPA Compliance

  • Express written consent obtained before any automated or prerecorded calls or texts
  • All calls and texts sent only during permitted hours
  • Internal Do-Not-Call list maintained and checked before every outbound communication
  • National Do-Not-Call Registry checked for all applicable communications
  • Caller ID accurately displays CareVixis or the practice partner name and callback number

Daily Compliance Audits

CareVixis conducts daily automated compliance audits across all systems, communications, and data handling processes. These audits are not periodic reviews or quarterly check-ins - they run every single day to ensure continuous, real-time adherence to all regulatory requirements.

What Our Daily Audits Cover

  • Consent Verification - Every outbound communication is verified against documented consent records before delivery
  • Message Delivery Compliance - All SMS and text messages are audited for required opt-out language, sender identification, and content compliance
  • Data Encryption Status - All stored and transmitted data is verified as encrypted to current standards (AES-256 at rest, TLS 1.2+ in transit)
  • Access Control Review - User access levels, authentication logs, and permission changes are reviewed daily
  • PHI Handling Verification - All protected health information access, storage, and transmission is audited for HIPAA compliance
  • Payment Data Security - Credit card and payment data handling is verified against PCI DSS requirements
  • Opt-Out Processing - All opt-out requests from the previous 24 hours are verified as processed and confirmed
  • Regulatory Change Integration - New regulatory requirements identified through our real-time monitoring are verified as implemented

We Meet & Exceed All Healthcare & Payment Compliance Standards

CareVixis does not treat compliance as a checkbox. We exceed the minimum requirements of every standard we adhere to, and we verify that adherence daily - not annually.

HIPAA Compliant

Health Insurance Portability and Accountability Act

  • Full administrative, physical, and technical safeguard implementation
  • Business Associate Agreements (BAAs) executed with all practice partners
  • Minimum necessary standard applied to all PHI access
  • Breach notification procedures tested and documented
  • Workforce training completed and verified annually
  • All data stored in HIPAA-compliant US-based data centers

HITECH Compliant

Health Information Technology for Economic and Clinical Health Act

  • Enhanced enforcement provisions fully addressed
  • Breach notification rules implemented with 60-day reporting compliance
  • Business associate liability provisions acknowledged and met
  • Electronic health record security standards exceeded
  • Audit trail capabilities maintained for all PHI access and modifications

PCI DSS Compliant

Payment Card Industry Data Security Standard

  • Cardholder data environment fully isolated and secured
  • Network segmentation and firewall rules reviewed daily
  • Encryption of cardholder data in transit and at rest
  • Access to payment data restricted on a need-to-know basis
  • Vulnerability scanning and penetration testing conducted regularly
  • All patient payment processing meets Level 1 PCI DSS standards

SOC 2 Compliant

Service Organization Control 2

  • Trust Service Criteria met across all five categories: Security, Availability, Processing Integrity, Confidentiality, Privacy
  • Continuous monitoring of control effectiveness
  • Incident response procedures documented and tested
  • Vendor management controls in place for all third-party integrations
  • Change management processes enforced for all system modifications

NIST Aligned

National Institute of Standards and Technology Cybersecurity Framework

  • Full implementation of NIST CSF core functions: Identify, Protect, Detect, Respond, Recover
  • Risk assessment methodology aligned with NIST SP 800-30
  • Security controls mapped to NIST SP 800-53
  • Continuous monitoring program based on NIST SP 800-137
  • Incident response plan aligned with NIST SP 800-61

ACA Compliant

Affordable Care Act

  • All billing processes comply with ACA reporting requirements
  • Essential health benefit coding and billing handled correctly
  • Marketplace plan billing and reconciliation supported
  • Preventive care billing coded to eliminate patient cost-sharing where required
  • ACA-mandated coverage verification integrated into eligibility workflows

10DLC Registered

10-Digit Long Code Messaging Compliance

  • Brand registered and verified with The Campaign Registry (TCR)
  • All SMS campaigns individually registered with appropriate use-case designations
  • Carrier-approved messaging with verified throughput limits
  • All messages include required opt-out language and sender identification
  • Consent records maintained for every recipient

TCPA Compliant

Telephone Consumer Protection Act

  • Express written consent obtained before any automated or prerecorded calls or texts
  • All calls and texts sent only during permitted hours
  • Internal and National Do-Not-Call registries checked before every outbound communication
  • Caller ID accurately identifies CareVixis or the practice partner
  • Immediate opt-out processing for all channels

HITRUST CSF Aligned

Health Information Trust Alliance Common Security Framework

  • Security controls mapped to HITRUST CSF categories
  • Risk management framework aligned with HITRUST requirements
  • Information protection program covers all 19 HITRUST control domains
  • Continuous monitoring and assessment of control effectiveness
  • Third-party risk management aligned with HITRUST standards

NACHA / ACH Compliant

National Automated Clearing House Association Operating Rules

  • All ACH transactions processed in compliance with NACHA Operating Rules
  • Proper authorization obtained before initiating any ACH debit or credit
  • ACH return and reversal handling meets all timeframe requirements
  • Account validation performed prior to ACH origination
  • Fraud detection and monitoring systems in place for all electronic payments

Reg E / EFTA Compliant

Regulation E - Electronic Fund Transfer Act

  • Proper disclosure provided before initiating any electronic fund transfer
  • Error resolution procedures meet all Reg E timeframe and notification requirements
  • Unauthorized transfer liability protections honored for all consumers
  • Periodic statements and transaction receipts provided as required
  • Preauthorized transfer consent and revocation procedures fully implemented

Red Flags Rule Compliant

FACTA Identity Theft Prevention

  • Written Identity Theft Prevention Program implemented and maintained
  • Red flags identified, detected, and responded to across all covered accounts
  • Staff trained on identity theft detection and escalation procedures
  • Program reviewed and updated regularly based on emerging threats
  • Service provider oversight ensures third parties also detect and report red flags

CMS Compliant

Centers for Medicare & Medicaid Services

  • All Medicare and Medicaid billing follows current CMS guidelines and fee schedules
  • Proper use of HCPCS, CPT, and ICD-10 code sets per CMS requirements
  • Timely filing limits tracked and met for all government payers
  • Compliance with CMS conditions of participation and coverage determinations
  • Real-time monitoring of CMS transmittals, MLN updates, and policy changes

FCRA Compliant

Fair Credit Reporting Act

  • Patient billing data handled in accordance with FCRA requirements
  • Dispute resolution procedures meet all FCRA timeframe and notification rules
  • Adverse action notices provided when required for credit-related decisions
  • Accuracy and integrity of information furnished to consumer reporting agencies
  • Proper permissible purpose verified before obtaining or using consumer reports

Data Security & Infrastructure

  • 100% US-Based Data Centers - All patient data, communication records, and payment information are stored exclusively in secure US-based data centers
  • Encryption - AES-256 encryption at rest, TLS 1.2+ encryption in transit for all data
  • Zero Outsourcing - No offshore access to any systems, data, or communications. Every team member is US-based
  • PII Protection - 19+ pattern types stripped before any external processing. Patient data is never exposed to third-party systems
  • Access Controls - Role-based access with multi-factor authentication, session management, and complete audit logging
  • All Form Submissions Stored On-Premises - No third-party form services. All submitted data remains on CareVixis servers

Questions About Our Compliance Program?

CareVixis takes compliance seriously because our practice partners and their patients deserve nothing less. If you have questions about our compliance posture, communication policies, consent procedures, or data security practices, contact us directly.

Phone: (352) 897-8598

When you call, you speak directly with decision makers - not a call center.