Are phone calls HIPAA compliant?

Phone calls in healthcare communication can be HIPAA compliant. Compliance requires adherence to privacy and security rules.

Understanding the applicability 

HIPAA regulations apply to most health plans, healthcare providers, and healthcare clearinghouses, collectively known as covered entities. Additionally, business associates providing services for covered entities are subject to HIPAA rules. Almost two-thirds of HIPAA complaints received by the HHS Office for Civil Rights are rejected due to violations reported against entities not subject to the HIPAA rules. 

Implied consent 

Phone calls from covered entities and business associates to individuals are permissible if the call's recipient has implied consent by providing a contact telephone number. 

Implied consent means that the individual has willingly shared their contact information and can reasonably expect to receive calls related to healthcare matters. However, individuals can revoke consent or request alternative communication channels.

FTC guidelines

Healthcare-related phone calls and text messages should adhere to the Federal Trade Commission (FTC) guidelines, which states healthcare-related calls should be limited to specific allowable reasons, including: 

• Appointments and reminders
• Hospital pre-registration instructions
• Health checkups
• The provision of medical treatment
• Lab test results
• Notifications about prescriptions
• Pre-operative instructions
• Post-discharge follow-up calls
• Home healthcare instructions

Calls should be concise and limited to 60 seconds, while text messages should not exceed 160 characters. Additional contact beyond these limits requires individual authorization.

Read also: How does HIPAA differentiate between consent and authorization? 

Privacy rule requirements

To make phone calls HIPAA compliant, covered entities and business associates must comply with the General Rules for Uses and Disclosures of protected health information (PHI) and the Minimum Necessary Standard. 

When making phone calls to someone other than the individual, these rules apply if the call relates to the individual's condition, treatment, or payment for treatment and involves the disclosure of PHI. When communicating PHI to a business associate over the phone, a business associate agreement (BAA) must be in place to stipulate PHI's allowable uses and disclosures.

Read also: Business Associate Agreement (BAA) 

Security rule requirements 

The Security Rule under HIPAA focuses on protecting electronic protected health information (ePHI). While phone calls made over the Public Switched Telephone Network (PSTN) are not considered electronic transmissions of PHI, specific phone systems like Voice over IP (VoIP) or Unified Communications as a Service (UCaaS) can involve the disclosure of ePHI. 

The system must be configured to comply with the administrative, physical, and technical safeguards outlined in the Security Rule. Additionally, a BAA must be signed with the system vendor to ensure compliance.

Read also: What is ePHI? 

Best Practices

Sharing patient information with family over the phone can be a sensitive matter, and it is necessary to follow best practices to be HIPAA compliant. Here are some recommended practices:

Obtain consent: 

Obtain a patient's consent to include their name, location, and general condition in a directory whenever possible.

Restriction preferences: 

Ask the patient if they want to restrict the information disclosed to family members and which family members can access it.

Verify identity: 

Before disclosing any information beyond directory information, verify the identity of the family member calling to prevent unauthorized disclosures.

Disclose relevant information:

Only disclose information relevant to the patient's condition, ensuring it aligns with their consent.

Explain limitations: 

If asked for more information than permitted or consented to by the patient, explain the limitations and reasons for withholding certain information.

Inform the patient: 

Inform the patient of the call and allow them to authorize further disclosures or object to shared information.

See also: HIPAA Compliant Email: The Definitive Guide