Are Phone Calls HIPAA Compliant?
Phone calls are HIPAA compliant provided those making the calls comply with the requirements of the HIPAA Privacy Rule and the systems used to make the calls comply with – or are exempt from – the standards and implementation specifications of the HIPAA Security Rule. In this article we will discuss:
- Who do the HIPAA telephone rules apply to?
- Implied consent and the FCC guidelines for phone calls
- The HIPAA Privacy Rule requirements for phone calls
- Best practices for sharing patient information with family over the phone
- Is PHI disclosed in a phone call subject to the HIPAA Security Rule?
- What is a HIPAA cell phone policy?
- Are phone calls HIPAA compliant? FAQs
Who Do The HIPAA Telephone Rules Apply To?
Before discussing whether phone calls are HIPAA compliant, it is important to establish who the HIPAA telephone rules apply to. Almost two-thirds of HIPAA complaints received by HHS’ Office for Civil Rights are rejected because they allege a violation by a business that is not subject to the HIPAA Rules, or because no violation of HIPAA has occurred.
HIPAA applies to most health plans, health care clearinghouses, and healthcare providers (“covered entities”), and to business associates providing a service for or on behalf of a covered entity. Healthcare-related phone calls from these sources to individuals are permissible provided the recipient has given their implied consent to receive a call and the call follows FCC guidelines.
Implied Consent and the FCC Guidelines for Phone Calls
Phone calls to individuals from covered entities and business associates are permissible if the recipient of the phone call has given their implied consent by providing a contact telephone number to the covered entity or business associate. However, under HIPAA, individuals also have the right to revoke consent or to request that contact be made via an alternative channel of communication.
Healthcare-related – but not payment-related – phone calls and text messages from covered entities to individuals are FCC compliant if they are made for an allowable reason. Allowable reasons are limited to:
- Appointments and reminders
- Hospital pre-registration instructions
- Health checkups
- The provision of medical treatment
- Lab test results
- Notifications about prescriptions
- Pre-operative instructions
- Post-discharge follow-up calls
- Home healthcare instructions
According to the FCC guidelines, calls to individuals should start with the covered entity stating their name and the reason for the call. Calls can last no longer than 60 seconds (text messages must be no longer than 160 characters), and covered entities cannot contact individuals more than three times per week. Any additional contact – by voice or by text – requires the individual’s authorization.
The HIPAA Privacy Rule Requirements for Phone Calls
To make phone calls HIPAA compliant, covered entities and business associates are required to comply with the General Rules for Uses and Disclosures of PHI (§164.502 to §164.512), and the Minimum Necessary Standard when making phone calls to someone other than the individual which relate to the individual’s condition, treatment, or payment for treatment.
Other phone calls made by a covered entity or business associate (i.e., not to an individual for an allowable reason) are only subject to the General Rules for Uses and Disclosures and the Minimum Necessary Standard if the communication involves the disclosure of an individual’s PHI. Any phone calls that do not involve the disclosure of PHI are not subject to the HIPAA Privacy Rule standards.
Many other types of HIPAA-related phone calls are subject to HIPAA Privacy Rule standards, for example a phone call made from one covered entity to another for treatment, payment, or healthcare operations purposes, a phone call made to local authorities to report a public health issue, or a phone call made to the police to report patient abuse or neglect.
Covered entities can communicate PHI to a business associate in a phone call, but before doing so, a Business Associate Agreement must be in place to stipulate the allowable uses and disclosures of PHI. In states where more stringent privacy protections exist, it may also be necessary for a covered entity to enter into a contract with another covered entity before disclosing PHI for any reason.
Best Practices for Sharing Patient Information with Family Over the Phone
One of the trickiest areas of HIPAA Privacy Rule compliance is sharing patient information with family over the phone. Naturally, when a family member calls a healthcare facility to enquire about the wellbeing of a patient, they understandably want as much information as possible. However, there are circumstances when it is not permissible to share patient information with a family member.
These circumstances can range from a patient objecting to their information being included in a hospital directory to a healthcare provider deciding it is not in the patient’s best interest to discuss their condition with a family member. It can also be the case that certain types of disclosures require an authorization (e.g., SUD treatment) or an attestation (e.g., reproductive health).
The best practices for sharing patient information over the phone are:
- Wherever possible, obtain a patient’s consent for their name, location, and general condition to be included in a directory.
- Ask the patient if they want to place restrictions on what information is disclosed to family members.
- Ask the patient if they want to place restrictions on which family members information is disclosed to.
- If a family member calls, verify their identity before disclosing any information beyond directory information.
- Only disclose information relevant to the patient’s current condition provided it is consistent with the patient’s consent.
- If asked for more information than you are permitted or willing to give – or than the patient has consented to – explain why.
- If possible, inform the patient of the call in case they wish to authorize further disclosures or object to information being disclosed.
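As an added illustration of the checklist above (example code, not part of the original article), the following Python function applies those checks in order to a single request for information. The Patient and Caller fields, the topic names, and the best_interest flag are assumptions chosen for the example; the order of checks mirrors the list, with directory information handled separately from condition-related information.

```python
from dataclasses import dataclass, field

# Assumed topic names for this example (not terms defined by the HIPAA rules).
DIRECTORY = "directory"                       # name, location, general condition
NEEDS_AUTHORIZATION = {"sud_treatment"}       # disclosure requires patient authorization
NEEDS_ATTESTATION = {"reproductive_health"}   # disclosure requires an attestation


@dataclass
class Patient:
    in_directory: bool                                 # consented to a directory listing
    blocked_callers: set = field(default_factory=set)  # relatives the patient excluded
    blocked_topics: set = field(default_factory=set)   # information the patient restricted
    incapacitated: bool = False                        # unable to object right now


@dataclass
class Caller:
    name: str
    relationship: str           # "family", "personal_representative" or "other"
    identity_verified: bool     # checked by the workforce member before answering
    has_authorization: bool = False
    has_attestation: bool = False


def decide_disclosure(patient, caller, topic, best_interest=True):
    """Return (allowed, reason) for disclosing one topic to one caller."""
    if topic == DIRECTORY:
        if patient.in_directory:
            return True, "directory information; patient did not object"
        return False, "patient objected to the directory listing"
    # Anything beyond directory information requires a verified family member
    # or personal representative, within the limits the patient has set.
    if not caller.identity_verified:
        return False, "caller identity not verified"
    if caller.relationship not in ("family", "personal_representative"):
        return False, "caller is neither family nor a personal representative"
    if caller.name in patient.blocked_callers:
        return False, "patient restricted disclosure to this person"
    if topic in patient.blocked_topics:
        return False, "patient restricted disclosure of this information"
    if topic in NEEDS_AUTHORIZATION and not caller.has_authorization:
        return False, "requires the patient's authorization"
    if topic in NEEDS_ATTESTATION and not caller.has_attestation:
        return False, "requires an attestation from the requester"
    if patient.incapacitated and not best_interest:
        return False, "patient incapacitated; provider judges disclosure not in their interest"
    # Minimum necessary: even when allowed, limit to the current condition.
    return True, "disclose only information relevant to the current condition"
```

The reason string is what a workforce member would explain to a caller who asks for more than can be given, as the checklist's penultimate item recommends.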
Is PHI Disclosed in a Phone Call Subject to the Security Rule?
One final point about making phone calls HIPAA compliant concerns whether PHI disclosed in a phone call is subject to the HIPAA Security Rule. According to guidance issued by HHS’ Office for Civil Rights, phone calls made over a Public Switched Telephone Network (PSTN) are not subject to the HIPAA Security Rule because they are not considered to be electronic transmissions of PHI.
If a covered entity or business associate uses a VoIP or UCaaS system for making and receiving calls in which PHI is disclosed, the system must be configured to comply with applicable administrative, physical, and technical safeguards of the HIPAA Security Rule, plus a Business Associate Agreement must be executed with the system vendor.
What is a HIPAA Cell Phone Policy?
A HIPAA cell phone policy is a policy developed by a covered entity that stipulates under what circumstances a cell phone (or smartphone) can be used to disclose PHI. In most cases, it is not permissible to disclose PHI using a standard cell phone because both voice and text messages travel via unencrypted channels and can be intercepted in transit or at a carrier’s server.
However, if a covered entity or business associate uses a HIPAA compliant VoIP or UCaaS service that also has mobile capabilities, a HIPAA cell phone policy will guide authorized users on when and how mobile applications can be used. In such cases, it may also be necessary for workforce members to implement PIN locks or other security mechanisms on their mobile devices to prevent unauthorized access if the device is lost, stolen, or left unattended.
Are Phone Calls HIPAA Compliant? FAQs
Can nurses give patient information over the phone?
Nurses can give patient information over the phone because nurses are members of a covered entity’s workforce. However, before nurses give patient information over the phone, it is important they verify the identity of the person they are speaking with in order to prevent unauthorized disclosures or disclosing more than the minimum necessary patient information.
Is sharing patient information with family over the phone HIPAA compliant?
Sharing patient information with family over the phone is HIPAA compliant provided that – when possible – patients have been given the opportunity to object to their information being shared with family members. It is important that healthcare providers are trained on what information can be disclosed over the phone if a patient is undergoing SUD or reproductive health treatment.
If a patient is incapacitated and unable to object to their information being shared, healthcare providers can share patient information over the phone with family members provided that the disclosure of PHI is considered to be in the patient’s best interests. Once the patient is no longer incapacitated, he or she must be given the opportunity to object as soon as possible.
Are cell phones HIPAA compliant?
Cell phones are HIPAA compliant provided calls made on the devices are made through an application that has been configured to comply with the applicable administrative, physical, and technical safeguards of the HIPAA Security Rule. Calls to patients’ cell phones are also HIPAA compliant if a patient has given their implied consent or requested that they be contacted by cell phone.
What information can hospitals give over the phone?
What information hospitals can give over the phone depends on who is requesting the information. Generally, healthcare providers should only release directory information (name, location, and general condition) unless the caller is a family member or personal representative – in which case, it is possible to disclose information relevant to the patient’s condition provided the disclosure is consistent with the patient’s wishes.
Is a landline HIPAA compliant?
A landline does not need to be HIPAA compliant if it uses circuit-switched voice communication service technologies through the Public Switched Telephone Network (PSTN). This is because HHS’ Office for Civil Rights has issued guidance stating that PHI disclosed via a landline is not considered to be an electronic transmission of PHI.
If a covered entity or business associate uses any other type of landline system (e.g., a VoIP service), the system has to be configured to comply with the applicable administrative, physical, and technical safeguards of the HIPAA Security Rule. (Note: In provider-to-patient communications, these rules apply regardless of the nature of the device being used by the patient.)
Is giving out a phone number a HIPAA violation?
Giving out a phone number can be a HIPAA violation, but only in certain circumstances. Generally, a phone number is an “identifier” that, when included in a patient’s “designated record set”, may become Protected Health Information if it forms part of their medical record. Any protected identifier in a designated record set can be disclosed if the disclosure is permitted by the General Rules for Uses and Disclosures of PHI.
If a patient has objected to their phone number being given out, if the phone number is given out without authorization for a disclosure requiring an authorization, or if the phone number is given out in the course of an impermissible disclosure, these are examples of HIPAA violations – if the phone number is included in the patient’s designated record set. If it is not part of the patient’s designated record set, the phone number is not protected, and no HIPAA violation has occurred.
What happens if a patient’s son calls to ask for information?
If a patient’s son calls to ask for information, the nature of the information it is possible to disclose depends on any limitations the patient has requested, any authorizations or attestations required, satisfactory verification of the son’s identity, and the healthcare provider deciding it is in the patient’s best interest to discuss their condition with a family member.