HIPAA Compliant Voicemail Messages

As organizations work to achieve HIPAA compliance, it’s easy to overlook something as seemingly benign as a simple voicemail message. Without a system to leave and receive HIPAA compliant voicemails, healthcare practices or businesses risk violations that may result in substantial fines.

Although texting and email have become more dominant, voice messages still play an essential role in communication between healthcare providers, patients, and vendors. 

Leaving and Receiving HIPAA Compliant Voicemail Messages

Before diving into HIPAA compliant voicemail options, let’s take a moment to think about the message you are leaving. HHS recognizes that there will be times when you need to leave messages for patients and provides a bit of guidance.

May physician’s offices or pharmacists leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients’ homes?

Answer:

Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.

HIPAA’s position is that less information is always better. Specifically, HIPAA is concerned with what protected health information (PHI) is left on a voicemail. In the example above, HHS suggests leaving only the provider’s name, contact number, and other information necessary to confirm an appointment or simply a HIPAA compliant voicemail message asking the patient to return the call.

Let’s Simplify Compliance

Do you need help with HIPAA? Compliancy Group can help!

Learn More!
HIPAA Seal of Compliance

Choosing a HIPAA Compliant Voicemail Service

Because of the many pitfalls surrounding voicemail messages, many providers have switched to emails or other forms of electronic communication. Companies like Paubox offer an integrated email solution that encrypts all outbound emails and delivers them directly to patients’ inboxes without requiring them to enter a password or use a portal or third-party app to open them. Healthcare providers do not have to change their email service provider, as Paubox integrates with Microsoft 365, Google Workspace, and Microsoft Exchange. 

In addition to offering a HIPAA compliant email solution, Paubox also offers HIPAA compliant voicemail transcription services for practices and business associates. This HIPAA compliant voicemail service delivers voicemails in transcribed and audio formats to designated email addresses. These options allow a team member to read the patients’ message, rather than listen to a voicemail that may be overheard by unauthorized individuals, preventing an accidental breach of PHI.

Key indicators of a HIPAA compliant voicemail service provider include their security practices and willingness to sign a business associate agreement. Compliancy Group lists Paubox as one of our Endorsed Service Providers because of its commitment to supporting and maintaining complete HIPAA compliance. 

How to Leave HIPAA Compliant Voicemail Messages

If you must leave a message, it’s wise to assume that the patient may not be the only person who can access it. The safest course of action is often the least personal, such as the following HIPAA compliant voicemail example:

“Please call Provider Name concerning your reason for the call (appointment/invoice/results) at phone number.

Notice that there was no patient name because including that in a voicemail message could violate the HIPAA Privacy Rule if someone other than the patient  retrieved the message.

What if you include the practice or group name in the message? For example, “This is Dr. Smith with The Oncology Group….” In this case,  the practice name reveals treatment or diagnosis information. If the patient would not want that information shared with anyone else, that could be a HIPAA violation.

You can leave more information in a voicemail message if you have specific written consent from the patient to do so. A statement similar to the following on your patient authorization forms completed and signed by the patient should permit more detailed messa