The HIPAA Privacy Rule does permit healthcare providers to communicate via voicemail with their patients. The information conveyed may relate to appointments, prescriptions, or other aspects of patient care and can be recorded on an answering machine. However, it is important that any messages left protect sensitive protected health information (PHI), since providers cannot assume that only the patient will hear the message.
What can be said?
When leaving a voicemail, keep the message brief. Provide only the office's contact number, the provider's name, and a call-back time if one is needed. To maintain HIPAA privacy standards, avoid mentioning the patient by name or any specifics about their treatment, especially when the practice name itself reveals the type of care being provided.
If the patient has signed a waiver giving the provider and staff permission to leave details on a voicemail, more detail may be left in those cases, but the waiver should be verified before doing so.
According to Compliance Group, an example of a voicemail that can be left includes “Please call Provider Name concerning your reason for the call (appointment/invoice/results) at phone number.” This ensures that no PHI is included while providing adequate information for the receiver.
See also: What are the permitted uses and disclosures of PHI?
How to ensure HIPAA compliance in voicemails
Healthcare organizations can take proactive steps to safeguard voicemail communications and avoid HIPAA violations. Implementing secure voicemail systems, training staff on HIPAA compliance, and establishing policies and procedures are essential.
Secure voicemail systems can include encryption measures and access controls to protect the confidentiality of voicemail messages. Staff training should focus on recognizing what constitutes PHI and the proper handling of such information in voicemails. Clear policies and procedures help guide employees in maintaining HIPAA compliance in their daily communication practices.
Business associates and voicemail compliance
It's not only healthcare providers that need to be mindful of HIPAA regulations; business associates and their subcontractors are also subject to these standards. If a third-party service or individual handles voicemail services for a covered entity and comes into contact with PHI, they must adhere to HIPAA regulations. This underscores the importance of choosing reliable business associates who prioritize and maintain compliance with these privacy standards.
Practical considerations
While HIPAA provides a framework for compliance, practical considerations also play a crucial role. Healthcare organizations should conduct regular risk assessments to identify potential vulnerabilities in their communication systems, including voicemails. Periodic audits can ensure that policies and procedures are being followed and that any necessary adjustments can be made to enhance security and compliance.
FAQs
What makes a phone service HIPAA compliant?
HIPAA compliant phone services ensure the security of electronic PHI by employing various measures to protect patient information before, during, and after phone calls in which PHI is disclosed. These measures include user authentication, encryption, and secure storage.
Go deeper: What is the HIPAA Security Rule?
What alternative solutions can I use?
HIPAA compliant email is a better option for healthcare providers who need to communicate with patients.
Is voicemail more secure than email?
No; modern chat and email communications are often more secure than traditional voice communications.
What is a secure voicemail?
A secure voicemail is where only the owner and the recipient of a voice message can decrypt it.