You Can Leave a Message – But Make Sure It Is HIPAA Compliant

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
Read other articles by this author

Even though telephone conversations and answering machines are considered outdated or passe to some people, it remains necessary to sometimes leave a message for the intended call recipient.

In healthcare, voice messages are often necessary for appointment reminders, follow-up calls, and communication to patients. Within the realm of HIPAA, what are you allowed to say? And who are you allowed to speak with?

The HIPAA Privacy Rule does permit health care providers to communicate via voicemail to their patients. This may be regarding their appointments, prescriptions, or other information about their care. Messages can be left on an answering machine, but the information that is recorded should be done in a way that safeguards protected health information (PHI) because you should never assume that the message will only be heard by the patient.

What Should I Say?
When leaving a voice message, remember that less is more. You can leave the contact number that the office can be reached at, the time to call back if applicable, and the provider’s name. Omitting the patient’s name is suggested to safeguard with respect to the HIPAA Privacy Rule, and additionally, if the name of the practice indicates the type of treatment that the patient is receiving, you may want to omit that as well. If the patient has signed a waiver indicating that they give permission for the provider and staff to leave details on a voicemail, you can work around these instances, but that should be verified before doing so.

What If They Call Back?
You may receive a return call from someone other than the patient if they retrieve the message first, or on the behalf of the patient. Caution should be taken in these instances, as they can easily put you in violation of the HIPAA Privacy Rule. For example, even if you simply confirm an appointment without authorization, you are in violation. So, what should you say in a situation where the person is insistent on getting a response? You could say something as simple as, “I apologize, but because of federal law, I’m unable to share that type of information with you. I appreciate your understanding.”

There are answering services and other options that you can research to fulfill your healthcare business’s needs for HIPAA-compliant response methods.

This article was originally published on HIPAA Secure Now! and is republished here with permission.