“Automated Consent Management Systems And Methods For Using Same” in Patent Application Approval Process (USPTO 20230169519): Rhinogram Inc.

2023 JUN 21 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- A patent application by the inventors Dressler, Keith (Ooltewah, TN, US); Dressler, Stanley (Chattanooga, TN, US); Ford, Kathy (Chattanooga, TN, US); Hastings, Shannon (London, OH, US), filed on January 19, 2023, was made available online on June 1, 2023, according to news reporting originating from Washington, D.C., by NewsRx correspondents.

This patent application is assigned to Rhinogram Inc. (Chattanooga, Tennessee, United States).

The following quote was obtained by the news editors from the background information supplied by the inventors: “In 1991, Congress passed the Telephone Consumer Protection Act (TCPA) to restrict unsolicited telemarketing phone calls to consumers. The TCPA protects consumers from receiving unwanted “robocalls” by placing restrictions on when and how such automated calls may be made and allowing consumers to opt out from receiving such calls. In accordance with the TCPA, the Federal Trade Commission (FTC) established a national “do not call” registry to protect consumers who do not wish to be contacted. Short Message Service (SMS) text messages sent to a consumer’s cellular phone are considered “calls” for purposes of the TCPA.

“According to the TCPA, and related Federal Communications Commission (FCC) rules, a consumer must provide its prior express consent before a telemarketer or other entity can make unsolicited calls or text messages to the consumer in a manner that would otherwise violate the TCPA’s restrictions. For some communications, such as containing unsolicited advertisements, the consumer’s prior express consent must be in writing. The TCPA’s regulations generally mean that, as a practical matter, organizations must receive express written consent from individuals prior to sending any text messages to them.

“In 1996, President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law. HIPAA protects the security and privacy of a patient’s health information when it is in the possession of a third party, such as a doctor or other health care provider. For example, HIPAA requires a patient’s written authorization before his or her protected health information (PHI) may be used or disclosed for marketing purposes. HIPAA security and privacy protections also cover electronic protected health information (ePHI) that is created, stored, transmitted, or received in any electronic format, including for example, via text messages.

“In view of the foregoing, when a health care provider wants to exchange text messages with a patient, the health care provider first must obtain the patient’s consent to send text messages as required by the TCPA. The health care provider also must give the patient an option to subsequently opt-out of text-message communications and, if they choose to opt out, the provider cannot send them any more text messages. Appointment reminders are exempt from opt-in consent, but not opt-out.

“In addition to receiving the patient’s TCPA consent to receive text messages, the health care provider also needs to obtain a separate prior written consent from the patient, as required by HIPAA, to begin exchanging ePHI with the patient using text messages. Further still, the health care provider may need separate additional consents from the patient for communicating payment, billing, survey, advertising, marketing, etc. information via text messages. In some cases, user consents also may be required to comply with the European Union’s General Data Protection Regulation (GDPR) data protection requirements.

“In this example, the health care provider desiring to communicate with its patients using text messages may need to acquire and manage a large number of user consents, e.g., separate types of consents (e.g., TCPA, HIPAA, etc.) per patient for many different patients. If the health care provider further wishes to create multiple “campaigns” in which it sends text messages and/or other types of messages (such as email) in each campaign for a common purpose, such as a first campaign to distribute patient invoices and a second campaign to confirm patient appointment times, the health care provider may need to manage an even greater number of user consents.

“Consent management therefore can be a very complicated and burdensome process, typically managed manually through data entry. For example, each user consent is conventionally entered manually as a binary value (e.g., “yes” or “no” consent). Frequent changes and updates to the various user consents, however, can quickly become an unwieldy process that is prone to error. The opportunities for data-entry error further increase with the number of concurrent campaigns and participating users. In this context, a “user” is any person or group of people that must provide its consent to another entity before that other entity may create, send, receive, and/or store information of the user in compliance with one or more statutes, rules, policies, and/or regulations (regardless how defined or by whom). The user consent may be required based on governmental laws, rules, or regulations, but need not be. For example, one or more user consents may be required to comply with a company’s policies or with certain contractual terms or conditions. As used herein, a “user consent” is an indication of a user’s permission or authorization to allow another entity to perform an associated action.

“Failures to obtain the required user consents under the TCPA and HIPAA can result in severe financial penalties. For example, TCPA violations are enforced by the FCC, which may levy up to more than $18,000 per violation. Consent and opt-out management violations are common reasons for TCPA fines. The Department of Health and Human Service’s Office for Civil Rights similarly may impose tens of thousands of dollars in financial penalties for HIPAA violations. It is therefore important for health care providers, as well as other types of businesses, to comply with all relevant user-consent requirements set forth in the laws and regulations of the TCPA, HIPAA, FCC, FTC, GDPR, and more.

“There is a current need for a more efficient way for an organization, such as a health care provider, business, governmental agency, or other entity, to manage large numbers of user consents, subject to compliance with various statutes, rules, and regulations, for use in one or more campaigns.”

In addition to the background information obtained for this patent application, NewsRx journalists also obtained the inventors’ summary information for this patent application: “The present invention overcomes the disadvantages of the prior art by providing improved systems and methods for managing user consents. Unlike conventional systems, the disclosed embodiments can be used to automate the acquisition and management of user consents for one or more campaigns, thus reducing the possibility of unintended violations of consent requirements in statutes, rules, and regulations as compared with existing systems.

“In accordance with the disclosed embodiments, a user consent may be associated with one of at least three possible values comprising: a first value indicating that the user has not yet responded with a grant or denial of consent; a second value indicating that the user has granted consent; and a third value indicating that the user has denied consent. In some embodiments, the third value also may indicate that the user has revoked a previously-granted consent. The automated consent management system may be configured to filter those user consents that are assigned to the first value and send requests for user consents to the users associated with the filtered user consents. In some embodiments, the user consent values may be filtered and their appropriate users contacted periodically, at predetermined times, or asynchronously, such as at the start of a new campaign or upon occurrence of one or more predetermined events.

“For example, a health care provider may need to obtain a patient’s consent pursuant to the TCPA before it can communicate with the patient using text messages. The health care provider may associate a TCPA consent value with the patient, where the patient’s TCPA consent value is initially assigned a first (default) value indicating that the patient has not granted or denied consent for communicating via text messages. If the patient is associated with this first TCPA consent value, then the health care provider may send the patient a request for consent to exchange text messages. If the patient responds affirmatively, then the health care provider may change the patient’s associated TCPA consent value to a second value indicating that consent has been granted; if the patient denies the requested consent, then the patient’s TCPA consent value may be assigned a third value indicating that the patient may not be contacted using text messages. If, however, the patient in this example fails to respond, then the health care provider may keep the patient’s TCPA consent value equal to the first value.

“While the example above refers to a health care provider seeking a patient’s TCPA consent, the present invention is not limited to any particular types of organizations, consents, or users. That is, the consent management systems and methods of the present invention advantageously may be used by any entities, whether health care providers, businesses, enterprises, governmental agencies, non-profits, or any other entities that manage consents for one or more users.

“In some embodiments of the invention, the consent management systems and methods may manage multiple different types of consents for one or more users. Referring again to the example above, a patient may be associated with separate TCPA and HIPAA consent values and/or possibly other consent values, for example, for communicating billing, payment, ePHI, marketing, etc. information to the patient. In the disclosed embodiments where a single user is associated with multiple different types of consents, each consent value may be assigned a respective one of the above-described first, second, or third consent values.

“Further to the disclosed embodiments, the consent management systems and methods may be used to implement one or more campaigns. Each campaign may be configured to communicate different types of information to users and therefore may require different types of user consents. Again by way of example, and not limitation, a health care provider may implement a billing campaign in which it sends invoices to those patients that have provided their consents to receive such billing information and/or remit payments using certain electronic funds transfers. Even if a patient consented to receiving billing information and making electronic payments, the billing campaign may require the user’s additional consent to communicate over a particular channel or medium, such as over telephone or text messaging.

“In this example, the health care provider may implement separate campaigns for communicating ePHI and marketing information to its patients, for example, using text messages. Different groups of patients may be subject to each of the health care provider’s campaigns, depending on the user consents they have provided. In some cases, the same user may participate in multiple campaigns. More generally, those skilled in the art will appreciate the one or more campaigns described in accordance with the disclosed embodiments are not limited to any particular types of organizations, consents, or users, and may be tailored based on any desired consent-management implementation(s).

“According to certain disclosed embodiments, each of the first, second, and third consent values may be represented graphically to allow an operator (such as an administrator) of the consent management system to easily identify the statuses of users’ consents. In some embodiments, for example, the first, second, and third consent values for each user consent may be respectively depicted as yellow, green, and red icons, analogous to a traffic light. Accordingly, a yellow icon assigned to a user consent may indicate that its associated user may be contacted to request consent because the user has not previously granted or denied the user consent, whereas the green and red icons respectively indicate the user’s previously communicated grant or denial of the consent.

“In some disclosed embodiments, the consent management systems and methods allow a user to provide consent to allow communications of the user’s information to certain “connected parties.” For example, the consent management system may associate a child with one or more of the child’s parents or siblings, who may be defined as the child’s “connected parties” for purposes of the consent management system. Each connected party may comprise one or more individual users. In the example above, the child’s connected parties may include individual family members, health care providers, acquaintances, etc., and/or groups of loved ones, teams of doctors, or other user groups. The child may provide consent to a third party, such as a health care provider, to share or communicate certain of the child’s health, financial, and/or other information to its connected parties. The connected parties, moreover, also may need to separately provide their user consent(s) as necessary to effectuate the communications in compliance with one or more laws, rules, or regulations. In accordance with certain disclosed embodiments, a user may be associated with multiple connected parties within the consent management system. In some embodiments, each user may be assigned a unique User ID, and each user in a group of connected parties optionally may be assigned a common Group ID.

“Advantageously, the consent management system in the disclosed embodiments may store, maintain, and update user-consent data for individual users comprising the status of their user consents, including any connected-party consents, and other related user information. The user-consent data may be used to implement automated consent management for one or more campaigns as described in the exemplary embodiments herein.”

The claims supplied by the inventors are:

“1-19. (canceled)

“20. A method for providing automated management of user consents when one or more user consents are required for a consent management system to communicate with a plurality of users over a network, the method comprising: accessing a first user record from a set of user records stored in a physical memory, each user record in the set of user records comprising one or more user consent values for a user associated with the user record, wherein each user consent value is assigned one of a first value indicating that the user has not granted or denied consent, a second value indicating that the user has granted consent, or a third value indicating that the user has denied consent, and wherein the first user record comprises an identification of a connected party to the user associated with the first user record and further comprises a first connected-party consent value for the connected party; determining if the first value has been assigned to a first type of user consent in the accessed first user record; sending, in response to determining that the first value has been assigned to the first type of user consent, a first message from the consent management system over the network to the user to request the user’s consent for the first type of user consent; receiving at the consent management system a response from the user over the network, the response indicating that the user either grants or denies consent for the first type of user consent; changing the first value assigned to the first type of user consent in the accessed user record to either (i) the second value if the received response indicates that the user has granted consent or (ii) the third value if the received response indicates that the user has denied consent; sending, from the consent management system to the user over the network, a second message containing information corresponding to the first type of user consent if the user consent value for the first type of user consent in the accessed first user record is assigned to the second value; accessing a second user record corresponding to the connected party identification in the first user record from the set of user records, wherein the second user record comprises a second connected-party consent value for the connected party; and sending, from the consent management system to the connected party over the network, the second message if the first connected-party consent value is assigned to the second value and the second connected-party consent value is assigned to the second value.

“21. A method for providing automated management of user consents for a plurality of users that are configured to communicate with a computer system over a network, the method comprising: accessing, by the computer system, a first user record from a set of user records stored in a physical memory, the first user record being associated with a first user in the plurality of users, wherein the first user record comprises an identification of a connected party associated with the first user and a first connected-party consent value associated with the connected party; accessing, by the computer system, a second user record from the set of user records stored in the physical memory, the second user record being associated with the same connected party whose connected-party identification is stored in the first user record, wherein the second user record comprises a second connected-party consent value for the connected party; and sending a message from the computer system over the network to the connected party if: (i) the first connected-party consent value in the accessed first user record is assigned a value indicating that the first user granted consent for the computer system to communicate with the connected party; and (ii) the second connected-party consent value in the accessed second record is assigned a value indicating that the connected party granted a type of consent associated with the message.

“22. The method of claim 21, wherein the type of consent associated with the message corresponds to a user consent required to comply with at least one of the Telephone Consumer Protection Act (TCPA), Health Insurance Portability and Accountability Act (HIPAA), or General Data Protection Regulation (GDPR).

“23. The method of claim 21, wherein the message is a text message.

“24. The method of claim 21, wherein the message contains personal health information of the first user.

“25. The method of claim 21, wherein the computer system is configured to provide user consent management at a health care provider.

“26. The method of claim 21, further comprising sending the message from the computer system over the network to the first user if the first user record comprises a user consent value indicating that the first user granted the type of consent associated with the message.

“27. The method of claim 21, further comprising sending a second message from the computer system over the network to the first user in order to request the first user’s consent for the type of consent associated with the message.

“28. The method of claim 21, further comprising sending a second message from the computer system over the network to the first user in order to request the first user’s consent for the computer system to communicate with the connected party.

“29. The method of claim 21, further comprising sending a second message from the computer system over the network to the connected party in order to request the connected party’s consent for the type of consent associated with the message.

“30. The method of claim 21, wherein the method is performed as part of a campaign.

“31. A consent management system for providing automated management of user consents when one or more user consents are required for the consent management system to communicate with a plurality of users over a network, the system comprising: one or more physical processors; one or more network interfaces configured to send messages to the plurality of users and receive messages from the plurality of users over the network; and a memory configured to store a set of user records for the plurality of users and computer program instructions that, when executed by the one or more physical processors, configure the consent management system to: access a first user record from a set of user records stored in a physical memory, the first user record being associated with a first user in the plurality of users, wherein the first user record comprises an identification of a connected party associated with the first user and a first connected-party consent value associated with the connected party; access a second user record from the set of user records stored in the physical memory, the second user record being associated with the same connected party whose connected-party identification is stored in the first user record, wherein the second user record comprises a second connected-party consent value for the connected party; and send a message from the computer system to the connected party over the one or more network interfaces if: (i) the first connected-party consent value in the accessed first user record is assigned a value indicating that the first user granted consent for the computer system to communicate with the connected party; and (ii) the second connected-party consent value in the accessed second record is assigned a value indicating that the connected party granted a type of consent associated with the message.

“32. The consent management system of claim 31, wherein the type of consent associated with the message corresponds to a user consent required to comply with at least one of the Telephone Consumer Protection Act (TCPA), Health Insurance Portability and Accountability Act (HIPAA), or General Data Protection Regulation (GDPR).

“33. The consent management system of claim 31, wherein the message is a text message.

“34. The consent management system of claim 31, wherein the message contains personal health information of the first user.

“35. The consent management system of claim 31, wherein the consent management system is configured to provide user consent management at a health care provider.

“36. The consent management system of claim 31, wherein the computer program instructions, when executed by the one or more physical processors, further configure the consent management system to send the message over the one or more network interfaces to the first user if the first user record comprises a user consent value indicating that the first user granted the type of consent associated with the message.

“37. The consent management system of claim 31, wherein the computer program instructions, when executed by the one or more physical processors, further configure the consent management system to send a second message to the first user over the one or more network interfaces in order to request the first user’s consent for the type of consent associated with the message.

“38. The consent management system of claim 31, wherein the computer program instructions, when executed by the one or more physical processors, further configure the consent management system to send a second message to the first user over the one or more network interfaces in order to request the first user’s consent for the consent management system to communicate with the connected party.

“39. The consent management system of claim 31, wherein the computer program instructions, when executed by the one or more physical processors, further configure the consent management system to send a second message to the connected party over the one or more network interfaces in order to request the connected party’s consent for the type of consent associated with the message.”

URL and more information on this patent application, see: Dressler, Keith; Dressler, Stanley; Ford, Kathy; Hastings, Shannon. Automated Consent Management Systems And Methods For Using Same. U.S. Patent Application Number 20230169519, filed January 19, 2023 and posted June 1, 2023. Patent URL (for desktop use only): https://ppubs.uspto.gov/pubwebapp/external.html?q=(20230169519)&db=US-PGPUB&type=ids

(Our reports deliver fact-based news of research and discoveries from around the world.)