Are phone calls HIPAA compliant?

Phone calls in healthcare communication can be HIPAA compliant. Compliance requires adherence to privacy and security rules.


Understanding the applicability 

HIPAA regulations apply to most health plans, healthcare providers, and healthcare clearinghouses, collectively known as covered entities. Additionally, business associates providing services for covered entities are subject to HIPAA rules. Almost two-thirds of HIPAA complaints received by the HHS Office for Civil Rights are rejected due to violations reported against entities not subject to the HIPAA rules. 


Implied consent 

Phone calls from covered entities and business associates to individuals are permissible if the call's recipient has implied consent by providing a contact telephone number. 

Implied consent means that the individual has willingly shared their contact information and can reasonably expect to receive calls related to healthcare matters. However, individuals can revoke consent or request alternative communication channels.


FTC guidelines

Healthcare-related phone calls and text messages should adhere to the guidelines set by the Federal Trade Commission (FTC). According to the FTC guidelines, healthcare-related calls should be limited to specific allowable reasons, including: 

  • Appointments and reminders
  • Hospital pre-registration instructions
  • Health checkups
  • The provision of medical treatment
  • Lab test results
  • Notifications about prescriptions
  • Pre-operative instructions
  • Post-discharge follow-up calls
  • Home healthcare instructions

Additionally, calls should be kept brief, lasting no more than 60 seconds, and text messages should be limited to 160 characters. Any further contact beyond these limits must be individually authorized.

Read also: How does HIPAA differentiate between consent and authorization? 


Privacy rule requirements

To make phone calls HIPAA compliant, covered entities and business associates must comply with the General Rules for Uses and Disclosures of protected health information (PHI) and the Minimum Necessary Standard.

When making phone calls to someone other than the individual, these rules apply if the call relates to the individual's condition, treatment, or payment for treatment and involves the disclosure of PHI. When communicating PHI to a business associate over the phone, a business associate agreement (BAA) must be in place to stipulate PHI's allowable uses and disclosures.

Read also: Business Associate Agreement (BAA)

Security rule requirements 

The Security Rule under HIPAA focuses on protecting electronic protected health information (ePHI). While phone calls made over the Public Switched Telephone Network (PSTN) are not considered electronic transmissions of PHI, specific phone systems like Voice over IP (VoIP) or Unified Communications as a Service (UCaaS) can involve the disclosure of ePHI. 

The system must be configured to comply with the administrative, physical, and technical safeguards outlined in the Security Rule. Additionally, a BAA must be signed with the system vendor to ensure compliance.

Read also: What is ePHI?

Best Practices

Sharing patient information with family over the phone can be a sensitive matter, and it is necessary to follow best practices to be HIPAA compliant. Here are some recommended practices:

Obtain consent

Obtain a patient's consent to include their name, location, and general condition in a directory whenever possible.


Restriction preferences

Ask the patient if they want to restrict the information disclosed to family members and which family members can access it.


Verify identity

Before disclosing any information beyond directory information, verify the identity of the family member calling to prevent unauthorized disclosures.


Disclose relevant information

Only disclose information relevant to the patient's condition, ensuring it aligns with their consent.


Explain limitations

If asked for more information than permitted or consented to by the patient, explain the limitations and reasons for withholding certain information.


Inform the patient

Inform the patient of the call and allow them to authorize further disclosures or object to shared information.
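The six practices above form one decision flow for a call from a family member: check the patient's directory consent, apply their restriction preferences, verify the caller before going beyond directory information, disclose only what the patient permitted, record why anything was withheld so it can be explained, and flag the call so the patient can be informed. The following Python is an added example that is not part of the Paubox article; the category names, the `PatientPreferences` and `CallerRequest` structures, and the sample patient data are all constructed for illustration.

```python
"""Minimum-necessary disclosure check for a phone request about a patient.

Added example, not from the original article. Models the best-practice steps
(directory consent, restriction preferences, caller verification, relevant
disclosure only, explained limits, patient notification) as one decision
function plus an audit record that stores categories, never the PHI itself.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Directory information: name, location and general condition (narrowest tier).
DIRECTORY = "directory"
# Hypothetical beyond-directory categories a caller might ask about.
DETAILED_CATEGORIES = {"condition_details", "treatment_plan", "lab_results", "billing"}


@dataclass
class PatientPreferences:
    patient_id: str
    directory_consent: bool                    # may directory info be confirmed at all?
    # family member -> categories the patient allows that person to hear
    permitted: dict[str, set[str]] = field(default_factory=dict)


@dataclass
class CallerRequest:
    claimed_name: str
    identity_verified: bool                    # result of the identity check on the call
    requested: set[str]


@dataclass
class Decision:
    disclose: set[str]
    withhold: set[str]
    reasons: list[str]                         # what to explain to the caller
    notify_patient: bool                       # inform the patient of the call afterwards


def decide_disclosure(prefs: PatientPreferences, req: CallerRequest) -> Decision:
    """Apply the patient's consent and restriction preferences to one request."""
    disclose: set[str] = set()
    withhold: set[str] = set()
    reasons: list[str] = []
    for cat in sorted(req.requested):
        if cat == DIRECTORY:
            if prefs.directory_consent:
                disclose.add(cat)
            else:
                withhold.add(cat)
                reasons.append("patient opted out of directory listing")
            continue
        if cat not in DETAILED_CATEGORIES:
            withhold.add(cat)
            reasons.append(f"unknown category {cat!r}")
            continue
        # Anything beyond directory information requires a verified caller.
        if not req.identity_verified:
            withhold.add(cat)
            reasons.append("caller identity not verified")
            continue
        allowed = prefs.permitted.get(req.claimed_name, set())
        if cat in allowed:
            disclose.add(cat)
        else:
            withhold.add(cat)
            reasons.append(f"{req.claimed_name} not permitted for {cat}")
    # Inform the patient when anything beyond directory info was shared or
    # anything was withheld, so they can authorize more or object.
    notify = bool(disclose - {DIRECTORY}) or bool(withhold)
    return Decision(disclose, withhold, reasons, notify)


def audit_record(prefs: PatientPreferences, req: CallerRequest, d: Decision) -> dict:
    """Structured audit entry recording categories and outcome, not PHI content."""
    return {
        "patient_id": prefs.patient_id,
        "caller": req.claimed_name,
        "verified": req.identity_verified,
        "disclosed": sorted(d.disclose),
        "withheld": sorted(d.withhold),
        "reasons": list(d.reasons),
        "patient_notified": d.notify_patient,
    }


# Constructed sample patient preferences (hypothetical identifiers and names).
SAMPLE_PREFS = PatientPreferences(
    patient_id="P-0001",
    directory_consent=True,
    permitted={
        "Dana (spouse)": {"condition_details", "treatment_plan"},
        "Lee (sibling)": {"condition_details"},
    },
)

if __name__ == "__main__":
    call = CallerRequest("Dana (spouse)", identity_verified=False,
                         requested={"directory", "lab_results"})
    print(audit_record(SAMPLE_PREFS, call, decide_disclosure(SAMPLE_PREFS, call)))
```

The design point is that the caller's verification status gates only the beyond-directory tier, and a verified caller still receives nothing the patient did not explicitly permit; the `reasons` list is what staff use to explain the limitation rather than improvising, and the audit entry lets a compliance officer review the call without the record itself becoming a secondary PHI store.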


FAQs

Are phone calls considered HIPAA compliant?

Phone calls can be HIPAA compliant if they are conducted securely and do not disclose protected health information (PHI) to unauthorized individuals.


What measures ensure HIPAA compliance during phone calls?

To ensure compliance, healthcare providers should use secure lines, confirm the identity of the caller, and avoid discussing PHI in public or unsecured environments.


Are there specific phone systems that enhance HIPAA compliance?

Yes, using encrypted phone systems or secure communication platforms can help ensure that conversations involving PHI are protected from interception.


What should providers do if they inadvertently disclose PHI during a call?

If PHI is unintentionally disclosed, providers should document the incident, notify their compliance officer, and assess any potential breaches to determine if reporting is necessary.


How can training improve HIPAA compliance in phone communications?

Training staff on HIPAA regulations, proper communication protocols, and the importance of safeguarding PHI can help minimize risks during phone calls and enhance overall compliance.

See also: HIPAA Compliant Email: The Definitive Guide