Healthcare providers can record patient calls and visits but must adhere to state laws, ensure HIPAA compliance, and safeguard PHI properly.
Recording and consent
Before delving into the specific regulations regarding patient telephone calls and visits, review the general rules surrounding telephone recordings. In the United States, individual states have established requirements for recording phone conversations.
One-party consent
The first consideration is whether one can record any phone call regardless of the healthcare context. Some states follow one-party consent laws, which means that only one party involved in the conversation needs to give consent for the recording to be legal.
All-party consent
On the other hand, some states have all-party consent laws, also known as two-party consent laws, since most conversations occur between two parties. In these states, all parties involved in the conversation must consent before recording is permitted.
See also: Understanding HIPAA regulations for audio recording
Consent to record patient telephone encounters
When recording patient telephone calls and visits, healthcare practices should adhere to the consent laws of the states involved.
To ensure compliance, healthcare providers should establish written policies on obtaining patient consent for recording phone calls. These policies may include having patients sign an additional informed consent form explicitly acknowledging that each call will be recorded.
Even in one-party consent states, it is considered a best practice to ask patients for consent before recording phone calls. This provides an opportunity to educate patients on the purpose of the recording, how it will be used, where it will be stored, and whether they will have access to the recording.
See also: HIPAA authorization vs. Common Rule informed consent
Considerations for HIPAA compliance
Apart from state-specific consent laws, healthcare providers must also consider compliance with the Health Insurance Portability and Accountability Act (HIPAA) when recording patient phone calls. If a patient consents to being recorded, the subsequent recording becomes protected health information (PHI) and is subject to the HIPAA Privacy and Security Rules.
Ensuring HIPAA compliant phone systems
Healthcare providers who record patient calls must ensure their phone systems are HIPAA compliant. This includes implementing protocols to securely store and protect the PHI generated from each call. If a covered entity contracts with a third-party company to provide call recording services, a business associate agreement (BAA) must be signed to ensure the third party's compliance with HIPAA regulations.
Policies for handling PHI
Healthcare practices should establish clear policies regarding access to PHI recorded during phone calls. These policies should specify which employees within the entity have access to the recordings, where the recordings are stored, and the security measures to protect against unauthorized access.
Additionally, covered entities should have procedures to verify the identity of individuals with whom they have phone conversations. This helps prevent the disclosure of PHI to unauthorized individuals over the phone. Covered entities need to have written HIPAA policies and procedures that guide the handling of all forms of PHI, including voice recordings, electronic health records, and paper records.
See also: HIPAA Compliant Email: The Definitive Guide
Farah Amod
