The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Are Phone Calls HIPAA Compliant?

Phone calls are HIPAA compliant provided those making the calls comply with the requirements of the Privacy Rule and the systems used to make the calls comply with – or are exempt from – the standards and implementation specifications of the Security Rule. In this article we will discuss:

  • Who do the HIPAA telephone rules apply to?
  • Implied consent and the FTC guidelines for phone calls
  • The Privacy Rule requirements for phone calls
  • Best practices for sharing patient information with family over the phone
  • Is PHI disclosed in a phone call subject to the Security Rule?
  • What is a HIPAA cell phone policy?
  • Are phone calls HIPAA compliant? FAQs

Who Do The HIPAA Telephone Rules Apply To?

Before discussing whether phone calls are HIPAA compliant, it is important to establish who the HIPAA telephone rules apply to. Almost two-thirds of HIPAA complaints received by HHS’ Office for Civil Rights are rejected because they allege a violation has been committed by a business that is not subject to the HIPAA Rules, or because no violation of HIPAA has occurred.

HIPAA applies to most health plans, health care clearinghouses, and healthcare providers (“Covered Entities”), and to Business Associates providing a service for or on behalf of a Covered Entity. Healthcare-related phone calls from these sources to individuals are permissible provided the recipient has given their implied consent to receive a call and the call follows the FTC guidelines.

Implied Consent and the FTC Guidelines for Phone Calls

Phone calls to individuals from Covered Entities and Business Associates are permissible if the recipient of the phone call has given their implied consent by providing a contact telephone number to the Covered Entity or Business Associate. However, under HIPAA, individuals also have the right to revoke consent or to request that contact is made via an alternative channel of communication.


Healthcare-related – but not payment-related – phone calls and text messages from Covered Entities to individuals are FTC compliant if they are made for an allowable reason. Allowable reasons are limited to:

  • Appointments and reminders
  • Hospital pre-registration instructions
  • Health checkups
  • The provision of medical treatment
  • Lab test results
  • Notifications about prescriptions
  • Pre-operative instructions
  • Post-discharge follow-up calls
  • Home healthcare instructions

According to the FTC guidelines, calls to individuals should start with the Covered Entity stating their name and the reason for the call. Calls can last no longer than 60 seconds (text messages must be no longer than 160 characters), and Covered Entities cannot contact individuals more than three times per week. Any additional contact – by voice or by text – requires the individual’s authorization.

The Privacy Rule Requirements for Phone Calls

To make phone calls HIPAA compliant, Covered Entities and Business Associates are required to comply with the General Rules for Uses and Disclosures of PHI (§164.502 to §164.512) and the Minimum Necessary Standard when making phone calls to someone other than the individual which relate to the individual’s condition, treatment, or payment for treatment.

Other phone calls made by a Covered Entity or Business Associate (i.e., calls not made to an individual for an allowable reason) are only subject to the General Rules for Uses and Disclosures and the Minimum Necessary Standard if the communication involves the disclosure of an individual’s PHI. Phone calls that do not involve the disclosure of PHI are not subject to the Privacy Rule standards.

Many types of HIPAA-related phone calls are subject to the Privacy Rule standards: for example, a phone call made from one Covered Entity to another for treatment, payment, or healthcare operations purposes, a phone call made to local authorities to report a public health issue, or a phone call made to the police to report patient abuse or neglect.

Covered Entities can communicate PHI to a Business Associate in a phone call, but before doing so, a Business Associate Agreement must be in place to stipulate the allowable uses and disclosures of PHI. In states where more stringent privacy protections exist, it may also be necessary for a Covered Entity to enter into a contract with another Covered Entity before disclosing PHI for any reason.

Best Practices for Sharing Patient Information with Family Over the Phone

One of the trickiest areas of Privacy Rule compliance is sharing patient information with family over the phone. When a family member calls a healthcare facility to enquire about the wellbeing of a patient, they understandably want as much information as possible. However, there are circumstances in which it is not permissible to share patient information with a family member.

These circumstances range from a patient objecting to their information being included in a hospital directory to a healthcare provider deciding it is not in the patient’s best interest to discuss their condition with a family member. Certain types of disclosure may also require an authorization (e.g., substance use disorder (SUD) treatment records) or an attestation (e.g., reproductive health information).

The best practices for sharing patient information over the phone are:

  • Wherever possible, obtain a patient’s consent for their name, location, and general condition to be included in a directory.
  • Ask the patient if they want to place restrictions on what information is disclosed to family members.
  • Ask the patient if they want to place restrictions on which family members information is disclosed to.
  • If a family member calls, verify their identity before disclosing any information beyond directory information.
  • Only disclose information relevant to the patient’s current condition provided it is consistent with the patient’s consent.
  • If asked for more information than is permitted, than you are willing to give, or than the patient has consented to, explain why.
  • If possible, inform the patient of the call in case they wish to authorize further disclosures or object to information being disclosed.

Is PHI Disclosed in a Phone Call Subject to the Security Rule?

One final point about making phone calls HIPAA compliant concerns whether PHI disclosed in a phone call is subject to the Security Rule. According to guidance issued by HHS’ Office for Civil Rights, phone calls made over a Public Switched Telephone Network (PSTN) are not subject to the Security Rule because they are not considered to be electronic transmissions of PHI.

If a Covered Entity or Business Associate uses a VoIP or UCaaS system for making and receiving calls in which PHI is disclosed, the system must be configured to comply with applicable administrative, physical, and technical safeguards of the Security Rule, plus a Business Associate Agreement must be signed with the system vendor.

What is a HIPAA Cell Phone Policy?

A HIPAA cell phone policy is a policy developed by a Covered Entity that stipulates under what circumstances a cell phone can be used to disclose PHI. In most cases, it is not permissible to disclose PHI using a standard cell phone because neither voice calls nor SMS text messages are protected end to end: they can be intercepted in transit or read from a carrier’s servers.

However, if a Covered Entity or Business Associate uses a HIPAA compliant VoIP or UCaaS service that also has mobile capabilities, a HIPAA cell phone policy will guide authorized users on when and how mobile applications can be used. In such cases, it may also be necessary for workforce members to implement security mechanisms on their mobile devices to prevent unauthorized access if the device is lost, stolen, or left unattended.

Are Phone Calls HIPAA Compliant? FAQs

Can nurses give patient information over the phone?

Nurses can give patient information over the phone because nurses are members of a Covered Entity’s workforce. However, before nurses give patient information over the phone, it is important that they verify the identity of the person they are speaking with, both to prevent unauthorized disclosures and to avoid disclosing more than the minimum necessary patient information.

Is sharing patient information with family over the phone HIPAA compliant?

Sharing patient information with family over the phone is HIPAA compliant provided that – when possible – patients have been given the opportunity to object to their information being shared with family members. It is important that healthcare providers are trained on what information can be disclosed over the phone if a patient is undergoing SUD or reproductive health treatment.

If a patient is incapacitated and unable to object to their information being shared, healthcare providers can share patient information over the phone with family members provided that the disclosure of PHI is considered to be in the patient’s best interests. Once the patient is no longer incapacitated, he or she must be given the opportunity to object as soon as possible.

Are cell phones HIPAA compliant?

Cell phones are HIPAA compliant provided calls made on the devices are made through an application that has been configured to comply with the applicable administrative, physical, and technical safeguards of the Security Rule. Calls to patients’ cell phones are also HIPAA compliant if a patient has given their implied consent or has requested that they are contacted by cell phone.

What information can hospitals give over the phone?

What information hospitals can give over the phone depends on who is requesting the information. Generally, healthcare providers should only release directory information (name, location, and general condition) unless the caller is a family member or personal representative – in which case, it is possible to disclose information relevant to the patient’s condition provided the disclosure is consistent with the patient’s wishes.

Is a landline HIPAA compliant?

A landline does not need to be HIPAA compliant if it uses circuit-switched voice communication service technologies over the Public Switched Telephone Network (PSTN). This is because HHS’ Office for Civil Rights has issued guidance stating that PHI disclosed via a landline is not considered to be an electronic transmission of PHI.

If a Covered Entity or Business Associate uses any other type of landline system (e.g., a VoIP service), the system has to be configured to comply with the applicable administrative, physical, and technical safeguards of the Security Rule. (Note: in provider-to-patient communications, these rules apply to the provider’s system regardless of the type of device the patient uses to receive the call.)

Is giving out a phone number a HIPAA violation?

Giving out a phone number can be a HIPAA violation, but only in certain circumstances. Generally, a phone number is an “identifier” that, when included in a patient’s “designated record set”, becomes Protected Health Information. Any protected identifier in a designated record set can be disclosed if the disclosure is permitted by the General Rules for Uses and Disclosures of PHI.

If a patient has objected to their phone number being given out, if the phone number is given out without authorization for a disclosure that requires an authorization, or if the phone number is given out in the course of an impermissible disclosure, these are examples of HIPAA violations – provided the phone number is included in the patient’s designated record set. If it is not part of the patient’s designated record set, the phone number is not protected, and no HIPAA violation has occurred.

What happens if a patient’s son calls to ask for information?

If a patient’s son calls to ask for information, the nature of the information it is possible to disclose depends on any limitations the patient has requested, any authorizations or attestations required, satisfactory verification of the son’s identity, and the healthcare provider deciding it is in the patient’s best interest to discuss their condition with a family member.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
