Pennsylvania Emergency Health Services Council

Your Voice In EMS


600 Wilson Lane, Suite 101
Mechanicsburg PA, 17055
(717) 795-0740   |   [email protected]

You are here: Home / Contact Us / Privacy Policy & Terms of Use

Privacy Policy & Terms of Use

Pennsylvania Emergency Health Services Council (PEHSC) Privacy Policy

1) Overview & Scope

The Pennsylvania Emergency Health Services Council (“PEHSC,” “we,” “our,” “us”) is committed to protecting the privacy and security of individuals who interact with pehsc.org and our communications channels (email, SMS/MMS, event registrations, surveys, and related services). This Policy explains:

  • What information we collect and why
  • How we use, share, and secure information
  • Our Text Messaging (SMS/MMS) policy, including 10DLC compliance
  • Your choices, rights, and how to contact us

This Policy applies to visitors, subscribers, members, partners, committee participants, and other stakeholders who engage with PEHSC online or via text message. (Internal employee privacy notices may be addressed separately.)

2) Information We Collect

2.1 Categories of Data

  • Contact & identity data: name, employer/agency, title, email, phone, mailing address
  • Professional & program participation: committee membership, training enrollment, credentials, continuing education records (non‑PHI)
  • Account & preference data: usernames, passwords, communication preferences, opt‑in/opt‑out records
  • Usage & technical data: IP address, device/OS/browser data, pages viewed, referring URLs, cookies, and analytics identifiers
  • Message interaction data: timestamps, delivery/opt‑in logs, opt‑out (STOP) requests, HELP inquiries

Note (Pennsylvania breach-notice definitions): Pennsylvania’s Breach of Personal Information Notification Act defines “personal information” and sets notice requirements (including coverage for medical and health insurance information, usernames+passwords, and financial credentials). We map our data handling to these definitions.

2.2 Sensitive Data & PHI

PEHSC does not seek to collect Protected Health Information (PHI) through standard website forms or SMS/MMS. If any PHI processing is required for specific programs, it will occur outside of standard SMS via secure platforms consistent with HIPAA guidance and applicable conditions of participation (e.g., secure texting systems), and never through open, unsecured channels.

3) How We Use Information

We use information to:

  • Operate pehsc.org, manage committees and programs, and deliver training/education
  • Send transactional communications (confirmations, reminders, updates) and mission‑related notices
  • Provide non‑marketing informational alerts for EMS stakeholders (e.g., protocol updates, logistics)
  • Respond to inquiries, provide support, and honor STOP/opt‑out requests
  • Improve services, analyze usage, and maintain security (fraud prevention and system integrity)
  • Phone numbers collected and the consent received will not be shared with 3rd-party providers
  • No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties

For email communications, we follow CAN‑SPAM requirements (accurate sender info, physical address, opt‑out mechanism, honoring opt‑outs).

4) Policy for Text Messaging (SMS/MMS) & 10DLC

4.1 What is 10DLC & How PEHSC Complies

PEHSC uses sanctioned A2P 10DLC long codes for business texting, with Brand and Campaign registration via The Campaign Registry (TCR) and mobile network operators (AT&T, T‑Mobile, Verizon, etc.). As of February 1, 2025, major carriers block unregistered A2P traffic; PEHSC registers applicable campaigns and adheres to CTIA and carrier standards.

Our 10DLC program covers:

  • Verified Brand Registration (PEHSC) and Campaign Registration for everyday communications
  • Disclosed use cases (operational updates, training logistics, confirmations, policy guidance)
  • Sample messages and opt‑in pathways approved per CTIA/MNO requirements.

4.2 Consent, Opt‑In, & One‑to‑One (Marketing) Rule

  • Informational/Transactional Texts: Sent only to recipients who affirmatively opt in through web forms, event registrations, or keyword programs.
  • Marketing Texts: PEHSC does not use SMS for fundraising or marketing unrelated products/services. If any promotional messaging is ever contemplated, we will first obtain prior express written consent in compliance with FCC/TCPA (including the one‑to‑one seller requirement effective Jan. 27, 2025, and “logically/topically associated” content).
  • Electronic signatures/records: Where a “written” consent is required, PEHSC may use electronic consent processes consistent with the E‑SIGN Act (consumer disclosure prerequisites).

Standard disclosure in the opt‑in call‑to‑action and confirmation:

“PEHSC: You agree to receive informational texts. Msg&Data rates may apply. Reply STOP to opt out; HELP for info.” (Brand identification, opt‑out, HELP, frequency expectations)

4.3 Opt‑Out & HELP (Revocation of Consent)

  • STOP: Replying STOP (or “quit,” “end,” “revoke,” “opt out,” “cancel,” “unsubscribe”) immediately unsubscribes you; we honor revocations within the FCC timelines and will not send further robotexts absent renewed consent.
  • HELP: Replying HELP returns self‑service info and a contact method.

4.4 Message Content & Prohibited Uses

PEHSC texts are informational/transactional, not promotional. We do not send political persuasion, adult/sexual content, hate/discriminatory content, firearms/tobacco promotions, spam, or emergency alerts that replace 911. We follow CTIA content principles and carrier restrictions and will avoid deceptive, illicit, or unwanted content.

4.5 Frequency/Volume

We aim for 1–4 messages per week per opted‑in recipient (role‑based), with short‑term peaks during statewide initiatives (up to ~6 per week). We segment audiences to minimize fatigue and maintain relevance (consistent with CTIA best practices).

4.6 Example Opt‑In Pathways (Website‑ready)

  • Web Forms (preferred): Checkbox with clear CTA: “Yes, I agree to receive PEHSC texts related to EMS operations, training, and policy updates. Msg&Data rates may apply. Reply STOP to unsubscribe, HELP for info.” (links to Privacy/Terms)
  • Event Registration: Consent language embedded in registration and confirmation pages/forms (same disclosures).
  • Keyword Opt‑In: Publishing a keyword to the 10DLC number; double‑opt‑in confirmation message sent upon initial opt‑in.

4.7 Logging & Audit

We log opt‑in source, timestamp, channel, IP/device (web forms), and opt‑out events, consistent with CTIA best practices and carrier expectations.

5) Regulatory Compliance (Federal & Pennsylvania)

5.1 TCPA & FCC Rules (47 U.S.C. § 227; 47 C.F.R. § 64.1200)

PEHSC adheres to the TCPA and FCC rules for robotexts and automated calls. We obtain appropriate consent before sending texts and honor revocations. We also comply with FCC’s “single seller” one‑to‑one written consent for any marketing texts (if ever used), and with revocation requirements and timelines.

5.2 CTIA Messaging Principles & Best Practices

We align our text program to CTIA guidance: clear opt‑in CTAs, brand identification, STOP/HELP support, privacy policy availability, maintaining updated subscriber information, and preventing illicit/deceptive content.

5.3 CAN‑SPAM (Email Only)

For emails, we comply with CAN‑SPAM (opt‑out, accurate headers, physical address, timely honoring of opt‑out). For wireless mobile service commercial messages, the FCC has related rules; our SMS program is primarily informational/transactional and follows TCPA/CTIA standards.

5.4 Pennsylvania Breach of Personal Information Notification Act (73 P.S. § 2301–2329)

If PEHSC experiences a breach of computerized data materially compromising personal information of Pennsylvania residents, we will provide notice without unreasonable delay, using permissible notice methods (written, telephonic, email subject to conditions, or substitute notice under statutory thresholds), and following the law’s definitions and safe‑harbor for encryption.

5.5 Pennsylvania Wiretap & Electronic Surveillance Control Act (18 Pa.C.S. § 5701 et seq.)

Pennsylvania is a two‑party consent state for interception/recording of communications. PEHSC will not intercept, record, or disclose communications without appropriate consent or legal authorization, and will follow applicable exceptions.

5.6 COPPA (Children’s Online Privacy Protection Act; 16 C.F.R. Part 312)

pehsc.org is not directed to children under 13. We do not knowingly collect personal information from children under 13; if we discover such collection, we will delete it and take appropriate steps, including parental notice where applicable.

5.7 HIPAA (If Applicable)

PEHSC is not generally a HIPAA covered entity. If a program involves PHI (e.g., a special initiative with a covered entity), PEHSC will use HIPAA‑compliant secure platforms (not standard SMS), apply required safeguards, and execute Business Associate Agreements where necessary.

5.8 FTC Telemarketing Sales Rule (TSR; 16 C.F.R. Part 310—voice calls)

For voice telemarketing (if any), PEHSC adheres to TSR (disclosures, call time limits, honoring do‑not‑call). SMS is governed primarily by TCPA/FCC/CTIA, but we apply similar consumer‑protection principles across channels.

5.9 E‑SIGN Act (15 U.S.C. § 7001 et seq.)

Where “written” consent is required (e.g., TCPA marketing texts), PEHSC may use electronic records and signatures consistent with E‑SIGN consumer disclosure requirements and valid electronic signature standards.

6) Data Security

We implement administrative, technical, and physical safeguards designed to protect information against unauthorized access, alteration, disclosure, or destruction (e.g., HTTPS, role‑based access, encryption in transit, logging, least‑privilege access, vendor due diligence, staff training). For any health‑related programs, additional safeguards apply per HIPAA guidance and secure texting policies.

7) Data Retention

We retain information only as long as necessary to fulfill program purposes, meet legal/regulatory obligations, and resolve disputes. Opt‑out records and consent logs are retained per compliance guidelines; for any health‑related use cases, retention follows applicable regulatory and contractual requirements. (COPPA prohibits retaining children’s data longer than reasonably necessary; PEHSC does not target children.)

8) Data Sharing & Processors

We do not sell personal information. We may share data with service providers (e.g., SMS platforms, event systems, analytics) strictly for PEHSC purposes under contract, with obligations to protect data and prohibit secondary use. For 10DLC, campaign/brand metadata is shared with The Campaign Registry and carriers to enable sanctioned delivery. No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties

9) Your Choices & Rights

  • Opt‑Out of Texts: Reply STOP to any message. We will honor revocations promptly consistent with FCC rules.
  • Opt‑Out of Emails: Use the unsubscribe link or contact us; we honor CAN‑SPAM timelines.
  • Manage Preferences: Update your contact and communication preferences via our website or by contacting us.
  • Access/Correction: Request access to or correction of your information by contacting PEHSC.

10) Children’s Privacy

pehsc.org is not intended for children under 13. We do not knowingly collect children’s personal information. If you believe a child has provided data to PEHSC, please contact us; we will delete the data as required by COPPA.

11) Changes to This Policy

We may update this Policy. Material changes will be posted on pehsc.org with an updated “Last Updated” date and, where appropriate, notified via email or SMS to opted‑in users.

12) Contact Us

  • PEHSC Privacy Office
    Email: [email protected]
    Phone: 717-795-0740
    Mailing Address: 600 Wilson Lane, Suite 101, Mechanicsburg, PA 17055

Appendix A — Website‑Ready Disclosures & Templates

A.1 SMS Opt‑In CTA (for web forms and event registrations)

“By checking this box, you agree to receive informational texts from PEHSC about EMS operations, training, meetings, and policy updates to the phone number you provide. Msg&Data rates may apply. You can opt out at any time by replying STOP; reply HELP for assistance. Our [Privacy Policy] and [Terms] explain how we collect and use data.”
(Complies with CTIA’s clear CTA, brand ID, opt‑out/HELP, and frequency disclosure best practices; supports TCPA consent logging.)

A.2 SMS Confirmation Message (Double Opt‑In)

“PEHSC: You’re subscribed to EMS updates. Msg&Data rates may apply. Reply STOP to unsubscribe; HELP for info. Expect ~1–4 msgs/wk.”

A.3 STOP & HELP Responses

  • STOP: “You’re unsubscribed from PEHSC texts. No further messages will be sent.” (revocation honored per FCC)
  • HELP: “PEHSC Support: Visit [link] or email [[email protected]]. Msg&Data rates may apply.”

A.4 TCPA Marketing (If Ever Applicable)

If PEHSC ever sends marketing texts (e.g., for paid events, sponsorship promotions), the opt‑in must meet prior express written consent and one‑to‑one seller identification and be topically related to the context of consent:

Model language (web form):

“I consent to receive automated marketing texts from Pennsylvania Emergency Health Services Council (PEHSC) at the number provided. I understand this consent applies only to PEHSC, that messages will be related to [describe topic], that Msg&Data rates may apply, and I can revoke at any time by replying STOP.”
(Meets 47 C.F.R. § 64.1200(f)(9) and “single seller” consent; use E‑SIGN disclosures.)

Appendix B — Pennsylvania Breach Notice Summary (for internal use & public transparency)

  • Trigger: Unauthorized access/acquisition of computerized data materially compromising personal information and reasonably causing/will cause loss or injury.
  • Covered data: First name/initial + last name with: SSN; driver’s license/state ID; financial account + access code; medical information; health insurance information; usernames/emails + password/security Q&A.
  • Timing: Notice without unreasonable delay, consistent with scope determination and system integrity restoration.
  • Methods: Written, telephonic (clear/conspicuous), email (if prior relationship and valid address), or substitute notice (cost > $100k; affected persons >175k; insufficient contact info).
  • Encryption safe harbor: Notice not required if data was encrypted and key not accessed, subject to law’s specifics.

Notes & References

  • TCPA/FCC: 47 C.F.R. § 64.1200 (delivery restrictions & consent), revocation keywords, timelines; FCC compliance date Jan. 27, 2025 for single‑seller consent (closing the lead generator loophole).
  • CTIA: Messaging Principles & Best Practices (May 2023)—opt‑in, opt‑out, privacy policy, content standards, HELP/STOP.
  • 10DLC/TCR: Carrier‑sanctioned A2P 10DLC; Brand & Campaign registration; industry move to blocked unregistered traffic (2025).
  • CAN‑SPAM: 16 C.F.R. Part 316 & FCC guidance for mobile service messages.
  • Pennsylvania Breach Act: Statutory text & practitioner summaries.
  • Pennsylvania Wiretap: 18 Pa.C.S. § 5701 et seq. two‑party consent.
  • COPPA: FTC Rule & eCFR (16 C.F.R. Part 312).
  • HIPAA & Secure Texting: HHS guidance; CMS memo allowing secure texting platforms subject to CoPs (2024).
  • Telemarketing Sales Rule (voice): 16 C.F.R. Part 310.
  • E‑SIGN Act: Validity of electronic records/signatures & consumer disclosures.