HIPAA Compliant Voicemail Messages

As organizations work to achieve HIPAA compliance, it is easy to overlook something as seemingly benign as a simple voicemail message. Without a consistent process for leaving and receiving HIPAA compliant voicemails, healthcare practices and their business associates risk Privacy Rule violations that may result in substantial fines.

Although texting and email have become more dominant, voice messages still play an essential role in communication between healthcare providers, patients, and vendors.

Leaving and Receiving HIPAA Compliant Voicemail Messages

Before diving into HIPAA compliant voicemail options, take a moment to think about the message you are leaving. HHS recognizes that there will be times when you need to leave messages for patients and provides some guidance in its Privacy Rule FAQ:

May physician’s offices or pharmacists leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients’ homes?

Answer:

Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.

The underlying principle is that the less protected health information (PHI) disclosed, the better. The concern is not whether you leave a message, but how much PHI is left on a voicemail that others may hear. In the example above, HHS suggests leaving only the provider's name, contact number, and any other information necessary to confirm an appointment, or simply a message asking the patient to return the call.


Choosing a HIPAA Compliant Voicemail Service

Because of the many pitfalls surrounding voicemail messages, many providers have shifted to email or other forms of electronic communication. Companies like Paubox offer an integrated email solution that encrypts all outbound email and delivers it directly to patients' inboxes without requiring them to enter a password or use a portal or third-party app to open it. Healthcare providers do not have to change their email service provider, as Paubox integrates with Microsoft 365, Google Workspace, and Microsoft Exchange.

In addition to its HIPAA compliant email solution, Paubox offers HIPAA compliant voicemail transcription for practices and business associates. This service delivers voicemails in both transcribed and audio formats to designated email addresses. A team member can then read the patient's message privately rather than play a voicemail aloud where it may be overheard by unauthorized individuals, reducing the risk of an accidental disclosure of PHI.

Key indicators of a HIPAA compliant voicemail service provider are its documented security practices (encryption of stored and transmitted messages, access controls, and audit logging) and its willingness to sign a business associate agreement. Compliancy Group lists Paubox as one of our Endorsed Service Providers because of its commitment to supporting and maintaining complete HIPAA compliance.

How to Leave HIPAA Compliant Voicemail Messages

If you must leave a message, assume that the patient may not be the only person who can access it. The safest course of action is usually the least personal, such as the following HIPAA compliant voicemail example:

"Please call Provider Name concerning your reason for the call (appointment/invoice/results) at phone number."

Notice that the message does not include the patient's name. Including it could violate the HIPAA Privacy Rule if someone other than the patient retrieved the message, because the name would link an identifiable person to the fact that they are receiving care from your practice.

What if you include the practice or group name in the message? For example, "This is Dr. Smith with The Oncology Group...." In this case, the practice name itself may reveal treatment or diagnosis information. If the patient would not want that information shared with anyone else, disclosing it on a shared voicemail could be a HIPAA violation.

You can leave more information in a voicemail message if you have specific written consent from the patient to do so. A statement similar to the following on your patient authorization forms, completed and signed by the patient, should permit more detailed messages:

“I give my consent for Provider Name and his staff to leave specific information regarding my type of information (appointment scheduling, billing issues, etc.) on my voicemail at phone number.”

Remember that a patient can change or withdraw this consent at any time, so check the patient's file before each call to verify the current consent status and the phone number the patient authorized.

Responding to Voicemail Messages

The last step is to remember that the person who returns the call may not be the patient. A family member or co-worker may have heard the message and called back to obtain more information.

Revealing any PHI to an unauthorized party, even simply confirming that the patient has an appointment, violates the HIPAA Privacy Rule. Before sharing anything, verify that you are speaking with the patient or with someone the patient has authorized in writing (or a personal representative recognized under the Privacy Rule). If there is no authorization on file, you and your staff must decline to share the information.

When in doubt, a firm but respectful response is the best way to handle this type of situation:

"I'm very sorry, but federal law prohibits me from sharing this kind of confidential information. I hope you understand."

A call like this can lead to awkward or even tense interactions with a patient's family members or friends. However, a HIPAA violation that results in a substantial fine is far more serious than a moment of discomfort on the phone.
