Stay Compliant: HIPAA Phone Call Guidelines for Healthcare
Patients place a great deal of trust in their healthcare providers to protect their personal information, which makes privacy an absolute must when working with a HIPAA compliant answering service. As technology has advanced, the number of channels for communicating with patients has grown, but each channel introduces risk when it is not handled according to HIPAA regulations. Phone calls remain one of the primary methods of communication, so this article covers best practices for following the HIPAA telephone rules.
Understanding HIPAA Compliance for Phone Calls

HIPAA protects patient privacy by classifying certain data as protected health information (PHI). A single careless disclosure can cost a practice the patient's trust, reduce patient retention, and lead to costly fines and serious legal consequences. On their first visit, and usually on every following visit, patients are given the chance to change or update their privacy preferences. Because patients can withdraw approval at any time, a lag in documentation means a staff member might share patient information with a family member over the phone even after the patient has removed that person from the approved list. Patients can also withdraw their permission to be contacted by phone and instead request that the provider use other channels, such as written communication or secure digital channels like text messaging and patient portals.
Under the HIPAA telephone rules, healthcare organizations must document these preferences and honor them on every call.
HIPAA works alongside the Telephone Consumer Protection Act (TCPA): HIPAA protects patients' personal and medical information, while the TCPA restricts unsolicited or unauthorized calls. For phone purposes, patient information typically falls into two categories: general (directory) information and private or clinical information.
What information can hospitals give over the phone and still remain HIPAA compliant? General information, such as a room number after a patient has been admitted, is usually considered public because it would also appear in the hospital directory; details of future appointments are not. Each healthcare organization should have a preset list of questions to confirm that the caller is the patient or an approved contact before answering any clinical question about condition, treatment, diagnosis, or similar matters. Applying the same script to every call keeps compliance consistent and avoids unintentional violations.
Many healthcare organizations rely on a HIPAA-compliant answering service that trains its agents on verification protocols, identity checks, and flagging uncertain scenarios for provider review.
Sharing Patient Information with Family Over the Phone
Patients must grant consent, verbally or in writing, before their information is disclosed, and they usually must name the specific people the information can be shared with. In situations where the patient cannot provide consent (coma, brain injury, and similar cases), providers can use professional judgement to share information when doing so is in the best interest of the patient and their care. Patients can change their consent at any time, and those changes must be honored promptly. Doing so protects the patient's privacy, your practice, and your employees.
Emotions run high during times of illness or accident, which can lead to pressure being applied to staff to divulge information. This is where consistent training and protocols like those used by a HIPAA compliant answering service can help protect a healthcare provider from unintentionally violating HIPAA telephone rules.
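The verification gate described above (preset identity questions, a named list of approved contacts, revocation that takes effect immediately, and a distinction between directory and clinical information) is straightforward to encode so that every agent applies it the same way. The following is an added example written for this article, not code from Appointment Desk or any answering-service product; the question keys, patient names and timestamps are constructed sample data, and the set of identity questions a practice asks is an assumption.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class InfoClass(Enum):
    DIRECTORY = "directory"   # e.g. room number after admission
    CLINICAL = "clinical"     # condition, treatment, diagnosis, upcoming appointments


@dataclass
class Authorization:
    """A patient's permission for one named person to receive clinical information by phone."""
    contact: str
    granted_at: datetime
    revoked_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        return self.granted_at <= when and (self.revoked_at is None or when < self.revoked_at)


@dataclass
class PatientRecord:
    patient_id: str
    name: str
    # Answers to the practice's preset identity questions (hypothetical question keys).
    identity_answers: dict
    authorizations: list = field(default_factory=list)


AUDIT_LOG: list = []   # one entry per disclosure decision, allow or deny


def _norm(s: str) -> str:
    return " ".join(s.strip().lower().split())


def verify_identity(record: PatientRecord, answers: dict) -> bool:
    """Every preset question must be answered correctly; compare in constant time."""
    ok = True
    for question, expected in record.identity_answers.items():
        given = answers.get(question, "")
        # Evaluate every question (no early return) so timing does not reveal which one failed.
        ok &= hmac.compare_digest(_norm(expected).encode(), _norm(given).encode())
    return ok


def may_disclose(record: PatientRecord, caller: str, answers: dict,
                 info: InfoClass, now: Optional[datetime] = None):
    """Return (allowed, reason) and append an audit entry. The decision is made against
    the live record, so a revocation takes effect on the very next call."""
    now = now or datetime.now(timezone.utc)
    if info is InfoClass.DIRECTORY:
        decision = (True, "directory information")
    elif not verify_identity(record, answers):
        decision = (False, "identity questions not answered correctly")
    elif _norm(caller) == _norm(record.name):
        decision = (True, "caller verified as patient")
    elif any(_norm(a.contact) == _norm(caller) and a.active_at(now) for a in record.authorizations):
        decision = (True, "caller is a currently authorized contact")
    else:
        decision = (False, "caller not authorized for clinical information; route to provider")
    AUDIT_LOG.append({"at": now.isoformat(), "patient": record.patient_id, "caller": caller,
                      "info": info.value, "allowed": decision[0], "reason": decision[1]})
    return decision


def demo():
    """Constructed sample: one patient, a family member authorized and later removed."""
    t0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    t1 = datetime(2024, 3, 10, tzinfo=timezone.utc)
    rec = PatientRecord("P-001", "Alex Rivera",
                        {"dob": "1980-05-04", "passphrase": "bluebird"},
                        [Authorization("Sam Rivera", granted_at=t0)])
    good = {"dob": "1980-05-04", "passphrase": "bluebird"}
    before = may_disclose(rec, "Sam Rivera", good, InfoClass.CLINICAL, now=t0)
    rec.authorizations[0].revoked_at = t1     # patient removes Sam at a later visit
    after = may_disclose(rec, "Sam Rivera", good, InfoClass.CLINICAL, now=t1)
    room = may_disclose(rec, "Unknown Caller", {}, InfoClass.DIRECTORY, now=t1)
    wrong = may_disclose(rec, "Alex Rivera", {"dob": "1980-05-04"}, InfoClass.CLINICAL, now=t1)
    return before[0], after[0], room[0], wrong[0]


if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

Two design points matter for the "documentation lag" problem the article describes: the authorization is stored with a revocation timestamp rather than deleted, so the audit trail shows who was approved when, and `may_disclose` is the single entry point for every call, so an agent cannot bypass the check by answering from memory or a cached call sheet. A denial never explains which question failed to the caller; the reason is written to the audit log for provider review.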
HIPAA Compliance for Phone Answering Services
When a healthcare provider partners with a remote medical reception service or call answering service to handle calls on its behalf, that service becomes a business associate under HIPAA and is directly responsible for safeguarding the PHI it handles, just as the provider is.
Common examples of business associates that healthcare facilities use, all of which must follow HIPAA rules, include:
- Medical answering services
- Call centers
- Telehealth support lines
These vendors must sign Business Associate Agreements (BAAs) and have strict training, encryption policies, and audit trails in place to prove accountability.
Does a Clinic’s Phone Number Need to Be HIPAA Compliant?
So, back to the question: does a clinic phone number need to be HIPAA compliant? The number itself does not, but how it is used does. Proper verification procedures and staff training to confirm the caller's identity and their approved access to the patient's information greatly reduce the risk of a HIPAA violation when clinical or private health information is communicated over the phone.
In-office staff have many duties, which is why up-to-date information is a must. Using a HIPAA compliant answering service, whether for overflow or after-hours calls, can relieve some of the pressure on busy staff that leads to unintended breaches of the HIPAA rules for sharing information over the phone.
Staying Compliant with HIPAA Phone Rules
By being proactive with training and protocols, following the HIPAA telephone rules is much easier. Several key points to keep in mind:
- Document patient consent and preferences
- Verify caller identities
- Share PHI only when the caller is clearly authorized to receive it
- Use a HIPAA-trained answering service for overflow or after-hours support
Appointment Desk® is a HIPAA compliant answering service offering healthcare organizations support for day-to-day reception needs, overflow answering service and after-hours patient communication services. Based in Frisco, TX, we provide compliance-focused answering services across the U.S. with trained agents who understand the sensitive nature of every call.
Contact Appointment Desk® today and see how we help practices stay connected and HIPAA-compliant, every step of the way.