Providers may want to record conversations that they have with patients to refer back to for treatment purposes. However, there are certain restrictions placed on recording protected health information (PHI). HIPAA compliant call recording is discussed below.
What is Permitted for HIPAA Compliant Call Recording
To ensure HIPAA compliant call recording, covered entities should consider the protections that the recording service has in place. Covered entities have an obligation to maintain the confidentiality, integrity, and availability of PHI. As such, when choosing a call recording service, covered entities should look for the following:
- Access Controls: Ensure that only authorized users have access to protected health information (PHI). HIPAA requires that covered entities adhere to the minimum necessary standard with regard to the use and disclosure of PHI. As such, only employees who require access to complete a job function should be given access to PHI. Access controls are enforced through unique login credentials: each employee should be given credentials that permit them to access only the PHI they need to perform their job responsibilities.
- Audit Controls: Monitor and track access to PHI. Audit logs give covered entities a way to verify that access is actually limited to the minimum necessary.
- Encryption: Protects sensitive data by converting it into a format that can only be read with the corresponding decryption key.
- Policies and Procedures: For HIPAA compliant call recording, the call recording service should have policies and procedures to secure the PHI that they create, receive, transmit, store, or maintain on behalf of their covered entity client.
- Business Associate Agreement: A business associate agreement (BAA) must be signed between a covered entity and each of its business associates before PHI may be shared with them. Under the HIPAA Privacy Rule, call recording services are considered business associates; as such, for HIPAA compliant call recording, a BAA must be signed before the covered entity is permitted to use the service. A BAA dictates the protections the business associate must have in place to secure PHI. It also limits the liability of each signing party, as each party is responsible for monitoring and maintaining its own compliance.