What is HIPAA Compliant Voicemail?
There are three answers to the question what is HIPAA compliant voicemail – the first relating to the systems used to record incoming messages, the second to the greeting recorded on a healthcare provider’s voicemail system, and the third to voicemail messages left on patients’ answerphone machines. For healthcare providers, it is important that all three types of voicemails are HIPAA compliant.
- What is HIPAA compliance?
- Who is required to comply with HIPAA?
- What is a HIPAA compliant voicemail system?
- What is a HIPAA compliant voicemail greeting?
- What is a HIPAA compliant voicemail message?
- Conclusion and HIPAA compliant voicemail FAQs.
What is HIPAA Compliance?
HIPAA compliance means complying with the applicable Administrative Simplification Regulations of the Health Insurance Portability and Accountability Act (HIPAA). These regulations can be found at 45 CFR Subtitle A Subchapter C and include well-known HIPAA Rules such as the Privacy Rule, the Security Rule, and the Breach Notification Rule.
The primary objectives of the Administrative Simplification Rules are to protect the privacy of individually identifiable health information and ensure the confidentiality, integrity, and availability of electronic Protected Health Information (PHI). The Rules also help protect individuals from fraud and theft when PHI is stolen, compromised, or disclosed impermissibly.
A further objective of the Privacy Rule is to give individuals rights over their PHI. These rights include the right to obtain a copy of their health records, to request corrections when errors or omissions exist, to receive an accounting of disclosures, and to direct a healthcare provider to transfer a copy of PHI maintained in an electronic health record to a third party.
Who is Required to Comply with HIPAA?
Health plans, health care clearinghouses, and healthcare providers that conduct HIPAA-covered transactions electronically are required to comply with any Administrative Simplification Regulations, standards, or implementation specifications that apply to their activities. Note: Not all healthcare providers conduct covered transactions electronically, and those that do not conduct covered transactions electronically do not qualify as “covered entities”.
Separately, third party businesses that provide a service for or on behalf of covered entities are required to comply with some Administrative Simplification Regulations. Generally, compliance with the Security Rule and Breach Notification Rule is mandatory, but many “business associates” may also be required to comply with the Transaction and Code Sets Rules and sections of the Privacy Rule that apply to their activities and their access to a covered entity’s PHI.
Employees of covered entities and business associates are also required – via workplace policies – to comply with any HIPAA standards that apply to their roles. It is the responsibility of the employer to develop appropriate workplace policies, determine which policies apply to each employee’s role, and provide training on the policies. Employers also have to provide a security and awareness training program for all members of the workforce irrespective of their access to – or use of – PHI.
What is a HIPAA Compliant Voicemail System?
A HIPAA compliant voicemail system is a system for receiving, retrieving, and storing audio messages that includes the capabilities required for a covered entity or business associate to comply with the HIPAA Administrative Simplification Regulations (Privacy Rule, Security Rule, Breach Notification Rule, etc.). The capabilities required to make a voicemail system HIPAA compliant include:
- End-to-end encryption,
- Unique user identification,
- Automatic log-off,
- Audit controls and event logs, and
- Emergency access procedures.
Depending on how organizations use a voicemail system, it may be necessary to integrate further capabilities such as message transcribing services and message archiving services – which also have to be configured to comply with the HIPAA Security Rule – while, if the voicemail system is deployed in the cloud, it is important to factor in redundancy in the event of an outage or downtime.
In addition to the above, if the voicemail system is acquired from a vendor who receives, stores, or transmits PHI, the vendor qualifies as a business associate – even if they have no access to the content of voice messages because they are encrypted. This means the vendor and the organization subscribing to the service must enter into a Business Associate Agreement in order to comply with HIPAA.
What is a HIPAA Compliant Voicemail Greeting?
A HIPAA compliant voicemail greeting is the message played to inbound callers when a phone line is busy or unattended, and which complies with HIPAA. It is quite difficult to conceive of a voicemail greeting that violates HIPAA because it would have to include individually identifiable health information relating to a patient. However, there are some best practices for voicemail greetings:
- A voicemail greeting should include your name or the name of your practice/department and the hours when you are available.
- If your organization provides a 24-hour service, the greeting should provide alternative contact information for when lines are busy or unattended.
- The greeting should thank the caller for their call and – without making the greeting too long – apologize for the line being busy or unattended.
- With regards to the length of the voicemail greeting, it should be no longer than 30 seconds and indicate clearly when it is time for the caller to leave a message.
If your organization provides SUD, HIV/AIDS, or reproductive health services, it can sometimes be a best practice to omit the nature of your services from your voicemail greeting. This is because if a family member or friend of a patient has acquired the number, it discloses the nature of treatment the patient is receiving. While the acquisition of the number is not the fault of the organization, omitting the nature of the service may help avoid accusations of HIPAA violations at a later date.
What is a HIPAA Compliant Voicemail Message?
A HIPAA compliant voicemail message left by a healthcare provider for a patient has to follow the guidelines issued by HHS. These guidelines state that, although the Privacy Rule does not prohibit healthcare providers from leaving voicemail messages on patients’ answering machines, care should be taken to limit the amount of information disclosed in a voicemail message in case a family member, work colleague, or friend of the patient hears it.
Although the Privacy Rule permits healthcare providers to disclose individually identifiable health information to family members, friends, and other people involved with an individual’s care, the amount of information disclosed in a HIPAA compliant voicemail message should be limited to the minimum necessary to achieve the purpose of the message – and only if the healthcare provider believes it is in the patient’s best interests to do so.
The exception to the above guidelines is if a patient has requested that voicemail messages are not left on an answerphone machine. In such cases, it is best to obtain the request in writing so it can be documented, and request an alternative contact method for the patient for when a message is of an urgent nature. Any alternate contact method provided by the patient should also be documented to avoid future allegations of HIPAA violations.
Conclusion
Discussing HIPAA compliant voicemail can seem complicated because the discussion can relate to a service, a greeting, or a message, but this is not necessarily the case. Most voicemail services that can be used by healthcare providers are marketed as HIPAA compliant – and healthcare providers may only need to configure the service and enter into a Business Associate Agreement to use the service in compliance with HIPAA.
As mentioned previously, it is difficult – although not impossible – to conceive a voicemail greeting that violates HIPAA, while the situation regarding HIPAA compliant voicemail messages is an extension of permissible uses and disclosures that workforce members should be trained on anyway. However, if your organization is experiencing challenges with HIPAA compliant voicemail services, greetings, or messages, it is recommended you seek professional compliance advice.
FAQs
How does a voicemail system become HIPAA compliant?
A voicemail system becomes HIPAA compliant when the security capabilities of the system are configured to comply with the Security Rule. However, before the system is used to collect, receive, store, or transmit PHI, it is necessary to enter into a Business Associate Agreement with the service vendor.
Why is HIPAA compliant voicemail important in healthcare?
HIPAA compliant voicemail is important in healthcare because it supports patient privacy and helps prevent breaches of PHI. With a HIPAA compliant voicemail system, healthcare providers can maintain the privacy of individually identifiable health information and make a good faith effort to ensure the confidentiality, integrity, and availability of electronic PHI.
What are some key features of a HIPAA compliant voicemail system?
Some key features of a HIPAA compliant voicemail system include end-to-end encryption, unique user identification, automatic log-off, audit controls and event logs, and emergency access procedures. If PHI is stored on the system, it may also be necessary for the system to have real time back-up and failover capabilities.
What are common mistakes to avoid when implementing a HIPAA compliant voicemail system?
Most common mistakes to avoid when implementing a HIPAA compliant voicemail system revolve around training – either training users on how to use the system compliantly or, if the system is used for outbound communications, how to leave a HIPAA compliant voicemail message. Regular training sessions should be conducted to ensure all users understand the system’s operation and the importance of maintaining patient confidentiality.
How can healthcare organizations ensure their voicemail system remains HIPAA compliant?
Healthcare organizations can ensure their voicemail systems remain HIPAA compliant by conducting regular risk assessments, monitoring user compliance, and enforcing sanctions when a violation of HIPAA occurs. If a business associate provides the system, it is also necessary to review the Business Associate Agreement periodically and the vendor’s compliance with the Agreement.