According to the HHS, “The rule does not require covered entities to tape or digitally record oral communications, nor retain digitally or tape-recorded information after transcription. But if such records are maintained and used to make decisions about the individual, they may meet the definition of designated record set.”
Healthcare providers should obtain patient consent before recording any conversation and clearly explain the purpose and nature of the recording. However, audio recording carries significant privacy risks that can lead to HIPAA violations.
Recorded conversations between healthcare professionals about a patient's care or treatment are considered protected health information (PHI), as are recorded conversations with patients. Recordings that identify a patient or include patient photos, photos of unique identifying marks, or images of patients that are date stamped (reflecting the date of service) are subject to HIPAA.
HIPAA requires informed patient consent, proper documentation, and the implementation of security measures to protect recorded health information. Patients should also be warned against recording other patients without permission.
Healthcare providers should have clearly defined guidelines for audio recording as part of their privacy policies and provide regular HIPAA training to staff. These guidelines should ensure that patient consent is obtained and that protected health information is recorded, stored, and shared according to HIPAA regulations.
Using audio recordings in healthcare comes with substantial risks. Unauthorized access to recorded conversations can expose patients' private medical discussions and data, leading to identity theft, insurance fraud, and other data misuse.
To avoid HIPAA violations when recording audio, healthcare providers should be aware of common examples of non-compliance:
Recording patient conversations without consent: Healthcare providers need permission before recording a conversation with a patient.
Storing audio recordings insecurely: Physical safeguards, such as locks and biometrics, should be implemented in physical facilities. Technical safeguards, like data encryption and strong passwords on devices, should also be in place. Lastly, administrative safeguards, such as providing only the minimum necessary information to authorized personnel, must be implemented.
Sharing audio recordings without proper authorization: Sharing audio or video recordings without obtaining patient authorization is a HIPAA violation. Patients' data can end up in the wrong hands and be used for criminal activities. Even unintentional sharing of audio recordings can lead to a HIPAA violation with fines and penalties.
Healthcare providers can take proactive steps to ensure HIPAA-compliant audio recording:
Obtain proper consent for audio recording: Healthcare providers must get patient consent before recording any conversation. Provide staff with a consent form that clearly explains privacy policies. Using informational signage can also remind patients and staff about the importance of obtaining consent and respecting privacy.
Use secure storage and encryption of audio data: HIPAA requires the use of secure storage and data encryption. Physical storage devices should be housed in secure facilities and protected by passwords and other authentication methods. Data that is digitally stored, sent, or maintained must be encrypted. Sharing an audio recording must be done via HIPAA-compliant email or secure file transfer.
Implement access controls and audit trails: Access to recorded audio should be restricted to authorized individuals directly involved in the care of the patient who is the subject of the recording. Any access to audio recordings should be logged in detail through audit trails to track any potential breaches.
Business associate agreements: If using audio software or third-party storage services, a business associate agreement is required.
Yes, audio recordings are considered PHI under HIPAA if they contain individually identifiable health information.
To make audio recordings of patients under HIPAA, you must obtain written patient consent or authorization and ensure the recordings are protected as PHI.
Audio recordings should be stored securely using encryption and access controls, ensuring only authorized personnel can access them.
Audio recordings can be shared with third parties only if the patient has given explicit consent, or if the sharing complies with HIPAA regulations and is necessary for treatment, payment, or healthcare operations.
Non-compliance with HIPAA regulations on audio recordings can result in civil and criminal penalties, reputational damage, and potential lawsuits from affected patients.