According to the HHS, “The rule does not require covered entities to tape or digitally record oral communications, nor retain digitally or tape-recorded information after transcription. But if such records are maintained and used to make decisions about the individual, they may meet the definition of designated record set.”
Healthcare providers should obtain patient consent before recording any conversation and clearly explain the purpose and nature of the recording. However, audio recording carries significant privacy risks that can lead to HIPAA violations.
Patient privacy and audio recordings
Recorded conversations between healthcare professionals about a patient's care or treatment are considered protected health information (PHI), as are recorded conversations with patients. Recordings that identify a patient or include patient photos, photos of unique identifying marks, or images of patients that are date stamped (reflecting the date of service) are subject to HIPAA.
HIPAA regulations for audio recording
HIPAA requires informed patient consent, proper documentation, and the implementation of security measures to protect recorded health information. Healthcare providers should obtain patient consent before recording any conversation and clearly explain the purpose and nature of the recording. Patients should also be warned against recording other patients without permission.
Healthcare providers should have clearly defined guidelines for audio recording as part of their privacy policies and provide regular HIPAA training to staff. These guidelines should ensure that patient consent is obtained, and protected health information is recorded, stored, and shared according to HIPAA regulations.
Risks and consequences of unauthorized audio recording
Using audio recordings in healthcare comes with substantial risks. Unauthorized access to recorded conversations can expose patients' private medical discussions and data, leading to identity theft, insurance fraud, and other data misuse.
Examples of audio recording HIPAA violations
To avoid HIPAA violations when recording audio, healthcare providers should be aware of common examples of non-compliance:
Recording patient conversations without consent: Healthcare providers need permission before recording a conversation with a patient.
Storing audio recordings insecurely: Physical safeguards should be implemented in physical facilities, such as locks and biometrics. Technical safeguards, like data encryption and strong passwords on devices, should also be in place. Lastly, administrative safeguards, such as providing only the minimum necessary information to authorized personnel, must be implemented.
Sharing audio recordings without proper authorization: Sharing audio or video recordings without obtaining patient authorization is a HIPAA violation. Patients' data can end up in the wrong hands and be used for criminal activities. Even unintentional sharing of audio recordings can lead to a HIPAA violation with fines and penalties.
Ensuring HIPAA-compliant audio recording
Healthcare providers can take proactive steps to ensure HIPAA-compliant audio recording:
Obtain proper consent for audio recording: Healthcare providers must get patient consent before recording any conversation. Provide staff with a consent form that clearly explains privacy policies. Using informational signage can also remind patients and staff about the importance of obtaining consent and respecting privacy.
Use secure storage and encryption of audio data: HIPAA requires the use of secure storage and data encryption. Physical storage devices should be housed in secure facilities and protected by passwords and other authentication methods. Data that is digitally stored, sent, or maintained must be encrypted. Sharing an audio recording must be done via HIPAA-compliant email or secure file transfer.
Implement access controls and audit trails: Access to recorded audio should be restricted to authorized individuals directly involved in the care of the patient who is the subject of the recording. Any access to audio recordings should be logged in detail through audit trails to track any potential breaches.
Business associate agreements: If using audio software or third-party storage services, a business associate agreement is required.
FAQs
Are audio recordings considered protected health information (PHI) under HIPAA?
Yes, audio recordings are considered PHI under HIPAA if they contain individually identifiable health information.
What are the requirements for making audio recordings of patients under HIPAA?
To make audio recordings of patients under HIPAA, you must obtain written patient consent or authorization and ensure the recordings are protected as PHI.
How should audio recordings be stored to comply with HIPAA?
Audio recordings should be stored securely using encryption and access controls, ensuring only authorized personnel can access them.
Can audio recordings be shared with third parties?
Audio recordings can be shared with third parties only if the patient has given explicit consent, or if the sharing complies with HIPAA regulations and is necessary for treatment, payment, or healthcare operations.
What are the consequences of not complying with HIPAA regulations on audio recordings?
Non-compliance with HIPAA regulations on audio recordings can result in civil and criminal penalties, reputational damage, and potential lawsuits from affected patients.