The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

What is a HIPAA Compliant Phone Number?

A HIPAA-compliant phone number is most often a secondary phone number used by healthcare providers for communications in which Protected Health Information (PHI) may be disclosed. In many cases, the HIPAA-compliant phone number is a virtual phone number used by systems with secure voice, messaging, and video capabilities that are configured to comply with HIPAA.

  • What is a HIPAA-compliant phone number?
  • Why have a secondary phone number?
  • What is a virtual phone number?
  • Which HIPAA-compliant systems use virtual phone numbers?
  • How do secondary phone numbers support HIPAA compliance?
  • What else may healthcare providers need to consider?

What is a HIPAA Compliant Phone Number?

A HIPAA-compliant phone number is a number linked to a communication system that complies with the administrative, physical, and technical safeguards of the Security Rule. Because the system complies with HIPAA, it can be used to make calls, send secure messages, conduct telemedicine consultations, and much more without risking the confidentiality of PHI.

This article explains why a HIPAA-compliant phone number is most often a secondary, virtual phone number, what type of communications systems use virtual phone numbers, how the systems support HIPAA compliance, and what else healthcare providers may need to consider before subscribing to a system suitable for a HIPAA-compliant phone number.

Why Have a Secondary Phone Number?

Organizations that use secondary phone numbers generally use the primary number for the day-to-day running of the organization and the secondary number for collecting, receiving, storing, and transmitting PHI. Having a secondary number dedicated for HIPAA-compliant communications can help prevent inadvertent disclosures of PHI via the primary number.

As mentioned in the introduction, when a secondary phone number is used for HIPAA-compliant communications, the number is often a virtual number associated with a system that facilitates secure voice, messaging, and video. This enables healthcare professionals to communicate with patients with fewer risks to the privacy and security of PHI.

What is a Virtual Number?

Unlike a regular phone number that identifies a specific location or device – i.e., a landline or smartphone – a virtual number is a number that identifies an online communications account. In many cases, a virtual number is not a number at all but rather a username and a password or another user authentication method.

The communications account usually connects users to a Voice over Internet Protocol (VoIP) service or Unified Communication as a Service (UCaaS) platform via the Internet. Provided the service or platform is configured to ensure the confidentiality, integrity, and availability of electronic PHI, it is suitable to use as a HIPAA-compliant telephone number.

Which HIPAA-Compliant Systems use Virtual Phone Numbers?

Many third-party service providers offer systems that use virtual phone numbers. Not all are HIPAA-compliant systems. Therefore, organizations are required to conduct due diligence of prospective services to ensure the system supports HIPAA compliance and that the vendor is willing to enter into a Business Associate Agreement.

Among the service providers identified as offering HIPAA-compliant services (at the time of publication), RingCentral, 8×8, and Vonage are generally regarded as being suitable for most healthcare providers. However, organizations with existing Microsoft or Google business accounts may wish to evaluate Teams, Skype, or Workspace for Healthcare.

How do Secondary Phone Numbers Support HIPAA Compliance?

When linked to a VoIP service or UCaaS platform configured to comply with the Security Rule, secondary phone numbers support HIPAA compliance by providing customizable access controls, event logs, audit trails, data backup, and end-to-end encrypted voice, messaging, and video communications between healthcare providers and patients.

These capabilities do not guarantee HIPAA compliance because users still have to comply with Privacy Rule standards relating to patient verification, permissible uses and disclosures, and – where required – the minimum necessary standard. It is also important that voice and video calls are not conducted from – or to – busy environments in which conversations can be overheard.

What Else May Organizations Need to Consider?

Using a secondary, HIPAA-compliant telephone number can support HIPAA compliance inasmuch as users will be conscious of using the secondary number when communicating PHI. A secondary number not connected to a landline or mobile device can also support HIPAA compliance among remote workers who work both in the community and from an office.

However, organizations have to take care not to adopt systems that communicate text messages via SMS, not to subscribe to a system if the vendor refuses to sign a Business Associate Agreement, and not to assume that, because users understand how to use personal communication systems such as WhatsApp, they will not require training on a business communication channel.

Conclusion

A secondary HIPAA-compliant phone number can be beneficial to a healthcare organization, but it may also have a number of compliance overheads. HIPAA-covered entities and business associates should assess whether such a service can support existing good faith compliance efforts and, if so, conduct due diligence on potential providers before subscribing to a service.

Organizations that need further information with regard to a secondary HIPAA-compliant phone number – or implementing measures to make an existing phone number HIPAA-compliant – should seek professional compliance advice.

FAQs

Why are SMS text messages violations of HIPAA?

SMS text messages are violations of HIPAA because they transmit PHI via unencrypted channels that can be intercepted and the content of the message read. Additionally, copies of SMS text messages sit on providers’ servers indefinitely, and covered entities have no control over how PHI in the messages is protected from unauthorized access and impermissible disclosures.

Why might a vendor refuse to sign a Business Associate Agreement?

A vendor might refuse to sign a Business Associate Agreement if they claim they have no access to PHI because all communications are encrypted and they do not hold the decryption key. However, HHS has issued guidance on “no view services”, stating a Business Associate Agreement is necessary in such circumstances as encryption is not the only implementation specification required by the Security Rule to safeguard the confidentiality, integrity, and availability of PHI.

In the context of a HIPAA-compliant phone number, what training needs to be provided?

In the context of a HIPAA-compliant phone number, the training provided to members of the workforce should include how to use the phone number in compliance with HIPAA, why it is important not to circumvent system controls (e.g., by sharing login credentials), and what to do in the event of an impermissible disclosure of PHI.

Workforce members should also be trained in patient verification procedures, permissible uses and disclosures, and the minimum necessary standard. Additionally, while most healthcare providers are careful about making sure they contact patients from a private space, users should be trained on what to do when a patient does not make the same effort to take a call in private.

How can landline phones be configured to comply with the Security Rule?

Landline phones do not have to be configured to comply with the Security Rule if they are a “traditional” landline phone that uses a circuit switched voice communication service technology to communicate with patients via the Public Switched Telephone Network (PSTN). This is because HHS does not regard PHI disclosed via a landline telephone to be an electronic transmission.

What happens if a HIPAA-compliant telephone number is used in a non-compliant way?

What happens if a HIPAA-compliant telephone number is used in a non-compliant way depends on how it is used in a non-compliant way and the consequences of the non-compliant event. If, for example, more than the minimum necessary PHI is disclosed in a phone conversation between healthcare providers, and no adverse event results, the likely sanction will be a verbal warning and additional Privacy Rule training.

If, however, a HIPAA-compliant telephone number is used to disclose individually identifiable health information knowingly and wrongfully in violation of §1177 of the Social Security Act, the consequences could be a fine of up to $250,000 and a prison sentence of up to ten years on top of any civil monetary penalties imposed by HHS’ Office for Civil Rights and State Attorneys General for the failure to comply with HIPAA and state privacy regulations.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
