Are You Leaving HIPAA Compliant Voicemail Messages?
As organizations work to achieve HIPAA compliance, it’s easy to overlook something as seemingly benign as a simple voicemail message. Without a system to leave and receive HIPAA compliant voicemails, healthcare practices or businesses risk violations that may result in substantial fines.
Although texting and email have become more dominant, voice messages still play an essential role in communication between healthcare providers, patients, and vendors.
Leaving and Receiving HIPAA Compliant Voicemail Messages
Before diving into HIPAA compliant voicemail options, let’s take a moment to think about the message you are leaving. HHS recognizes that there will be times when you need to leave messages for patients and provides a bit of guidance.
May physician’s offices or pharmacists leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients’ homes?
Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.
HIPAA’s position is that less information is always better. Specifically, HIPAA is concerned with what protected health information (PHI) is left on a voicemail. In the example above, HHS suggests leaving only the provider’s name, contact number, and other information necessary to confirm an appointment, or simply leaving a HIPAA compliant voicemail message asking the patient to return the call.
Because of the many pitfalls surrounding voicemail messages, many providers have switched to emails or other forms of electronic communication. Companies like Paubox offer an integrated email solution that encrypts all outbound emails and delivers them directly to patients’ inboxes without requiring them to enter a password or use a portal or third-party app to open them. Healthcare providers do not have to change their email service provider, as Paubox integrates with Microsoft 365, Google Workspace, and Microsoft Exchange.
In addition to offering a HIPAA compliant email solution, Paubox also offers HIPAA compliant voicemail transcription services for practices and business associates. This HIPAA compliant voicemail service delivers voicemails in transcribed and audio formats to designated email addresses. These options allow a team member to read the patient’s message rather than listen to a voicemail that may be overheard by unauthorized individuals, preventing an accidental breach of PHI.
Key indicators of a HIPAA compliant voicemail service provider include their security practices and willingness to sign a business associate agreement. Compliancy Group lists Paubox as one of our Endorsed Service Providers because of its commitment to supporting and maintaining complete HIPAA compliance.
How to Leave HIPAA Compliant Voicemail Messages
If you must leave a message, it’s wise to assume that the patient may not be the only person who can access it. The safest course of action is often the least personal, such as the following HIPAA compliant voicemail example:
“Please call Provider Name concerning your reason for the call