There are so many facets of being HIPAA compliant that it is easy to overlook something as commonplace as a voicemail message. Leaving an overly detailed voicemail message can lead to a HIPAA violation if it is overheard by an unintended party. For this reason, HIPAA limits what information you can leave on a voicemail.
Leaving a HIPAA Compliant Voicemail Message
How do you leave a HIPAA-compliant voicemail message? When it comes to leaving messages about healthcare, the Department of Health and Human Services (HHS) provides guidance: less is more.
The HHS states, “The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail, phone, or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.”
Under this guidance, it is fair to assume that a HIPAA-compliant voicemail message can only contain the provider’s name and contact information. Leaving additional information on an answering machine, such as a patient’s health condition, could expose the patient’s sensitive information to unauthorized parties, leading to a HIPAA violation.
How to Find a HIPAA Compliant Voicemail Service
Now that we’ve covered what information may be left on a patient’s voicemail, it is important to consider voicemails left on your own answering machine or service. Most providers no longer use a traditional answering machine but use a voicemail service that stores messages in the cloud. These services are classified as business associates, because the voicemail service provider can access electronic protected health information (ePHI) stored on its servers.
A HIPAA-compliant voicemail service offers a minimum level of security protection for ePHI and signs a business associate agreement (BAA) with its healthcare clients. See TBHI’s previous articles How to Choose the Right HIPAA Business Associate Vendor and HIPAA Business Associates for more information. Voicemail service providers that will not sign a BAA are not HIPAA compliant, and using them can violate HIPAA. Healthcare providers cannot use them, regardless of how secure their platform is.
Some examples of HIPAA compliant voicemail services include:
- Zoom for Healthcare: offers a voicemail service through the “Zoom Phone” add-on. It is important to note that Zoom’s free and Pro versions are not HIPAA compliant; Zoom will only sign a BAA with its “Zoom for Healthcare” clients.
- Phone.com: offers a full-service phone platform including voicemail, text, voice, and video calling. All of its services are HIPAA compliant with a signed BAA.
- Paubox: offers a non-traditional form of HIPAA-compliant voicemail in the form of a transcription service. Rather than having you listen to a patient voicemail and risk someone overhearing it, Paubox transcribes the message and automatically sends you a secure email with the transcription and the audio file.
This Article is Contributed by Compliancy Group