What are the HIPAA Telephone Rules?

The HIPAA telephone rules govern what information can be disclosed over the telephone by a member of a covered entity’s or business associate’s workforce, who the information can be disclosed to, and what safeguards must be implemented to prevent impermissible disclosures of Protected Health Information.

In the healthcare and health insurance industries, there are many scenarios in which patient information might be disclosed over the telephone. Some of these scenarios are not covered by the HIPAA telephone rules when an exemption applies or when the information being disclosed does not include Protected Health Information (PHI).

In other scenarios, different HIPAA telephone rules can apply depending on the nature of the patient information being disclosed (e.g., SUD or reproductive health records), who the information is being disclosed to (and whether the minimum necessary standard applies), and what type of phone is being used to disclose the information.

Because of the range of scenarios that exist, covered entities and business associates must develop their own HIPAA telephone rules for using the telephone in compliance with HIPAA – seeking advice where necessary on policies for making HIPAA compliant phone calls, workforce training, and using a HIPAA compliant phone service.

The Variety of HIPAA Phone Call Rules

The variety of rules and regulations covering how workforce members of covered entities and business associates can use the telephone to communicate PHI can be confusing. Different HIPAA phone call rules can apply depending on:

  • If a covered entity is communicating PHI to another covered entity with whom the patient has a direct treatment relationship,
  • If a covered entity is communicating PHI to another covered entity with whom the patient does not have a direct treatment relationship,
  • If a member of a covered entity’s workforce is communicating PHI to a colleague for treatment, payment, or healthcare operations,
  • If a member of a covered entity’s workforce is communicating PHI to a colleague for any other purpose,
  • If a covered entity is communicating PHI to a business associate (or vice versa), or
  • If a covered entity is communicating PHI with a patient or receiving PHI from a patient.

The rules relating to sharing patient information with family over the phone can also be confusing. For example, sharing patient information over the phone with family is permitted when the information being disclosed is “directory information” and the patient has not objected, or when a healthcare provider believes it is in the patient’s best interests – unless the patient has stated they want the information withheld.

However, when sharing patient information with family over the phone, it is not permitted to disclose information about a past medical problem that is unrelated to the patient’s current condition. In addition, healthcare providers need to develop policies for HIPAA compliant phone calls to comply with the HIPAA Privacy Rule’s identity verification requirements when a caller is not known to the healthcare provider.

Covered Entity and Business Associate HIPAA Telephone Rules

The HIPAA telephone rules for communications between covered entities – or between covered entities and business associates – are the same as the permissible disclosures of PHI under the HIPAA Privacy Rule. PHI can only be disclosed for treatment, payment, and healthcare operations, when the disclosure has been authorized by the subject of the PHI, or for a purpose allowed by §164.512 of the HIPAA Privacy Rule.

With regards to purposes allowed by §164.512 of the HIPAA Privacy Rule, it is important to be aware that restrictions exist on disclosures of SUD records and reproductive health records to parties other than covered entities and business associates (*). Healthcare providers must develop HIPAA phone call rules – and train workforces on the rules – to prevent avoidable privacy violations and potential criminal charges.

Other than disclosures for treatment purposes and those required by law, communications between covered entities – or between covered entities and business associates – must be restricted to the minimum necessary to achieve the objective of the disclosure; and, when PHI is communicated by a covered entity to a business associate, a valid Business Associate Agreement must be in place between the two parties before any PHI is disclosed.

(*) Although the restrictions on disclosures of reproductive health records were vacated by a Texas judge in 2015, many states have subsequently introduced legislation mirroring the former HIPAA requirements. In addition, some states have introduced restrictions on disclosing patients’ ethnicity or place of birth to avoid situations in which patients cancel healthcare appointments due to immigration issues.

The Situation Regarding HIPAA and Patient Telephone Calls

The situation regarding HIPAA and patient telephone calls is more complicated because the nature of phone calls to patients may be conditional upon whether or not the patient has given their consent to be contacted by a healthcare provider by phone. Generally, a patient is considered to have given their consent to receive healthcare-related phone calls and texts if they have provided the covered entity with a telephone number. However, allowable reasons for patient telephone calls are limited to:

  • Appointments and reminders
  • Health checkups
  • The provision of medical treatment
  • Lab test results
  • Notifications about prescriptions
  • Pre-operative instructions
  • Post-discharge follow-up calls
  • Home healthcare instructions
  • Hospital pre-registration instructions

Even when consent is considered to have been given, further HIPAA telephone rules apply to patient telephone calls. For example, calls to patients should start with the covered entity stating their name and the reason for the call, calls should last no longer than sixty seconds, and covered entities should not contact patients for “allowable” reasons more than three times per week. Any other form of contact – either by voice call or text – requires the patient’s express consent.

Patient consent should also be obtained before leaving messages with family members or voicemail messages. It may be the case that the patient does not want members of their family to know about a health condition, or that the telephone number given by the patient is their work number – in which case there may be no way of controlling who PHI is disclosed to. The failure to obtain patient consent in these circumstances is likely to be viewed as a HIPAA violation if the patient subsequently complains to HHS’ Office for Civil Rights.

Technology and HIPAA Compliant Phone Calls

A further factor that may impact an organization’s HIPAA rules for phone calls is whether or not PHI exchanged during a telephone call is subject to the HIPAA Security Rule. According to §160.103 of the HIPAA Privacy Rule, PHI exchanged during a telephone call is not considered to be subject to the HIPAA Security Rule “if the information being exchanged did not exist in electronic form immediately before the transmission”.

However, the above definition was published in 2002 when most phone communications were conducted via traditional landline telephones that used circuit-switched voice communication services through the Public Switched Telephone Network. If a phone call disclosing PHI is made via a VoIP or UCaaS service (e.g., Skype, Teams, etc.), the phone call is considered electronic and HIPAA applies to both the content of the call and the technology through which it is made.

In this circumstance, a Business Associate Agreement must be entered into with the vendor of the VoIP or UCaaS service. This is because the vendor may store voice messages containing PHI on their servers, which could be exposed in the event of a data breach. All calls containing PHI made from a cell phone by a member of a covered entity’s workforce are subject to the HIPAA requirements for mobile devices, regardless of whether the cell phone is provided by the organization or is a personal device.

How Federal and State Laws Impact HIPAA Telephone Rules

Federal and state laws can have an impact on HIPAA telephone rules inasmuch as they may govern the nature of calls covered entities can make to patients. Federal laws are mostly designed to prevent unsolicited telemarketing calls and automated “robocalls”. Covered entities have to be careful how they use automated dialers that transmit prerecorded messages for appointment reminders and home healthcare instructions.

Some federal and state laws govern what type of health data can – and cannot – be communicated by phone. For example, under Section 543 of the Public Health Service Act, the medical records of SUD patients cannot be disclosed without specific authorization. In Texas, the Texas Medical Records Privacy Act extends this requirement to most mental health records and records or tests relating to AIDS or genetic diseases.

Some automated calls are allowed under the Federal Communications Commission’s telemarketing rules and the Consumer Fraud and Abuse Prevention Act, but these may also be subject to state laws – especially if the patient’s telephone number is on a do not call registry. With regards to HIPAA compliant phone calls and the updated Telephone Consumer Protection Act (TCPA), several states (e.g., Florida and Oklahoma) have introduced their own legislation with more stringent requirements than the TCPA.

In conclusion, there are no one-size-fits-all HIPAA telephone rules that can accommodate all types of HIPAA-covered activities. It will be necessary for covered entities and business associates to develop policies that apply to their activities, train workforce members on the policies, and monitor compliance. Covered entities and business associates who are unsure about how best to approach HIPAA compliance for phone calls are advised to seek independent compliance advice.

HIPAA Telephone Rules FAQs

Are Phone Calls HIPAA Compliant?

Phone calls to patients are HIPAA compliant provided the nature of the phone call falls within the reasons for which a patient is considered to have given their consent. If a phone call to a patient relates to any other subject, the covered entity must have consent from the patient before making the call.

Are Cell Phone Calls HIPAA Compliant?

Calls to cell phones are subject to the same HIPAA telephone rules as calls to landline numbers. However, calls from a cell phone could be in breach of HIPAA if the patient’s name and number are recorded in a healthcare professional’s cell phone and there are no safeguards in place to prevent ePHI being disclosed without authorization if the cell phone is lost or stolen.

What Would You Do If a Patient Requested Information Over the Phone?

What you would do if a patient requested information over the phone depends on whether the patient is known to the person answering the call – a common event in smaller practices. If the patient is not known, they should be asked to identify themselves beyond reasonable doubt before any information is disclosed. The call, the identity of the caller, and the information disclosed should be logged by the person answering the call.

Can Nurses Give Patient Information Over the Phone?

Nurses can give patient information over the phone to a patient, a patient’s legal representative, or a patient’s family member subject to the conditions mentioned above – and, in the case of giving information to a family member – subject to the patient’s consent. If a patient is unable to give their consent due to incapacitation, the nurse should get approved third-party consent before disclosing patient information.

Is sharing patient information over the phone with an interpreter a HIPAA violation?

Sharing patient information over the phone with an interpreter is not a HIPAA violation provided the patient does not object. The interpreter can either be an employee of the Covered Entity or a person engaged by the patient to communicate on their behalf. Patient information shared with an interpreter can also be shared with family and friends with patient consent.

Is Verizon a HIPAA-compliant phone service?

Verizon – along with other telecommunication providers – offers some HIPAA-compliant phone services, but it is important for covered entities and business associates to be aware that not every telecommunication service is HIPAA compliant. Furthermore, while the technology may be HIPAA compliant, how the technology is used determines compliance with the HIPAA Privacy and Security Rules.

If a hospital has disclosed my PHI in a phone call, who do I complain to?

If you believe a hospital has disclosed PHI in a phone call impermissibly, in the first instance you should complain to the hospital’s HIPAA Privacy Officer, as the disclosure may have been allowed by the HIPAA Privacy Rule or may have been made as the result of “professional judgment”. If you subsequently want to escalate the complaint, you can call your state’s Department of Health & Human Services or file a complaint online via the OCR complaints portal.

Can a hospital have its own rules for HIPAA communications?

A hospital can have its own rules for HIPAA communications because every covered entity is required to develop activity-applicable policies relating to how patient information is communicated. Therefore, it is highly likely that different hospitals will have their own rules for HIPAA communications. What is important is that the rules for HIPAA communications comply with the HIPAA requirements for safeguarding PHI and for allowing patients’ right of access to their information.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/