Although there are no specific HIPAA telephone rules, Covered Entities and Business Associates are required to comply with provisions of the Privacy and Security Rules when communicating by telephone as well as state and federal laws such as the Telephone Consumer Protection Act, the Telemarketing and Consumer Fraud and Abuse Prevention Act, and the TRACED Act.
The variety of rules and regulations covering how Covered Entities and Business Associates can use the telephone to communicate can be confusing. Different HIPAA telephone rules can apply if a Covered Entity is communicating with another Covered Entity, if a Covered Entity is communicating with a Business Associate (or vice versa), or if a Covered Entity is communicating with a patient.
Where the HIPAA Privacy and Security Rules Apply
It is also the case that Covered Entities in one state may be subject to different telephone rules than Covered Entities in another state. This can happen when one state has passed legislation with more stringent privacy requirements than the HIPAA Privacy Rule. HIPAA does not preempt state law when the privacy requirements of the state are more protective than those of HIPAA itself.
One further issue that can lead to confusion about the HIPAA telephone rules is whether or not PHI exchanged during a telephone call is subject to the HIPAA Security Rule. Under the definition of “electronic media” in 45 CFR §160.103, voice transmissions via telephone are not considered transmissions via electronic media “if the information being exchanged did not exist in electronic form immediately before the transmission”, so PHI spoken during such a call is not ePHI and the Security Rule does not apply to the call itself. However, if the PHI is subsequently recorded on electronic media (a call recording, a note typed into the EHR, a voicemail stored on a server), the stored PHI is now ePHI and becomes subject to the provisions of the HIPAA Security Rule.
Covered Entity and Business Associate HIPAA Telephone Rules
The HIPAA telephone rules for communications between Covered Entities – or between Covered Entities and Business Associates – are the same as the permissible uses and disclosures of PHI under the HIPAA Privacy Rule. PHI can be disclosed without the patient’s authorization for treatment, payment, and healthcare operations (and for the other purposes the Privacy Rule specifically permits or requires); and, when a communication involves a Business Associate, a Business Associate Agreement must be in place before any PHI is disclosed to that Business Associate for any reason.
Breach reporting is a further case. The Breach Notification Rule requires a Business Associate to notify the Covered Entity when it discovers a breach of unsecured PHI, and the telephone is an appropriate channel when there is a risk that the PHI may be misused imminently. As with disclosures of PHI during other allowable telephone communications, the Minimum Necessary Standard applies, and the information disclosed to the Covered Entity must be limited to the minimum necessary to achieve the purpose for which it is disclosed.
The Situation Regarding HIPAA and Patient Telephone Calls
The situation regarding HIPAA and patient telephone calls is more complicated because whether a call or text to a patient is permitted may depend on whether the patient has consented to be contacted by the Covered Entity by phone. Under the Federal Communications Commission’s interpretation of the Telephone Consumer Protection Act (TCPA), a patient who provides a telephone number to a Covered Entity is generally treated as having given prior express consent to receive healthcare-related calls and texts at that number. However, the calls covered by that consent are limited to the following purposes:
- Appointments and reminders
- Wellness checkups
- The provision of medical treatment
- Lab test results
- Notifications about prescriptions
- Pre-operative instructions
- Post-discharge follow-up calls
- Home healthcare instructions
- Hospital pre-registration instructions
Even when consent is considered to have been given, the FCC attaches further conditions to healthcare calls and texts made to wireless numbers under this exemption, and these are often presented as HIPAA telephone rules even though they come from the TCPA rather than from HIPAA. Calls should start with the Covered Entity stating its name and contact information and the reason for the call; voice calls should last no longer than sixty seconds and text messages should be no longer than 160 characters; the patient should be given a way to opt out; and Covered Entities should not contact patients for these “allowable” reasons more than once per day or three times per week. The exemption does not cover telemarketing, billing or debt collection content. Any other form of contact – either by voice call or text – requires the patient’s express consent.
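For a team building an automated reminder dialer, the conditions above translate into a gate that runs before each outbound call or text. The following is an added example written for this page, not code from the original article or from any regulator. The purpose categories and thresholds are taken from the page’s description of the FCC healthcare exemption; the function and class names are hypothetical, the call history is constructed sample data, and applying the frequency limits even when express consent exists is a conservative assumption of this example rather than a legal requirement.

```python
"""Outbound-contact policy gate for a healthcare reminder dialer (added example).

Encodes the conditions the article attributes to the FCC's TCPA exemption
for healthcare calls to wireless numbers: allowed purposes, at most one
contact per day and three per week, voice <= 60 seconds, text <= 160 chars.
All identifiers are hypothetical; the history below is constructed data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Purpose categories the page lists as covered by the patient's implied consent.
ALLOWED_PURPOSES = frozenset({
    "appointment_reminder", "wellness_checkup", "treatment", "lab_result",
    "prescription", "preop_instructions", "post_discharge_followup",
    "home_healthcare", "preregistration",
})
MAX_PER_DAY = 1
MAX_PER_WEEK = 3
MAX_VOICE_SECONDS = 60
MAX_TEXT_CHARS = 160


@dataclass(frozen=True)
class Contact:
    number: str        # E.164 destination number
    sent_at: datetime  # when the call or text was placed
    purpose: str       # purpose category recorded by the dialer


def may_contact(number, purpose, now, history, express_consent=False):
    """Return (allowed, reason) for a proposed contact to `number` at `now`.

    Frequency limits are sliding windows measured back from `now`, not
    calendar days, so a call at 09:00 yesterday still blocks one at 08:00
    today. Express consent lifts the purpose restriction only; the frequency
    limits are still applied here as a conservative default (assumption).
    """
    if purpose not in ALLOWED_PURPOSES and not express_consent:
        return False, f"purpose {purpose!r} is outside the exempt categories"
    prior = [c for c in history if c.number == number]
    in_day = sum(1 for c in prior if now - c.sent_at < timedelta(days=1))
    if in_day >= MAX_PER_DAY:
        return False, "daily limit reached"
    in_week = sum(1 for c in prior if now - c.sent_at < timedelta(days=7))
    if in_week >= MAX_PER_WEEK:
        return False, "weekly limit reached"
    return True, "ok"


def check_payload(kind, payload):
    """Validate a voice script duration (seconds) or a text message body."""
    if kind == "voice":
        return payload <= MAX_VOICE_SECONDS
    if kind == "text":
        return len(payload) <= MAX_TEXT_CHARS
    raise ValueError(f"unknown payload kind {kind!r}")


# Constructed sample history: two prior contacts to one patient, one to another.
SAMPLE_HISTORY = [
    Contact("+15555550123", datetime(2024, 3, 4, 9, 0), "appointment_reminder"),
    Contact("+15555550123", datetime(2024, 3, 6, 9, 0), "lab_result"),
    Contact("+15555550199", datetime(2024, 3, 6, 10, 0), "prescription"),
]

if __name__ == "__main__":
    now = datetime(2024, 3, 6, 15, 0)
    print(may_contact("+15555550123", "appointment_reminder", now, SAMPLE_HISTORY))
    print(may_contact("+15555550123", "billing", datetime(2024, 3, 7, 10, 0), SAMPLE_HISTORY))
    print(check_payload("text", "Reminder: your appointment is tomorrow at 10:00."))
```

The gate returns a reason string so the dialer can log why a contact was suppressed; that log is itself a record containing a patient identifier, so it should be stored under the same safeguards as any other ePHI.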
Covered Entities may also need to get a patient’s consent to leave a message if the patient is unavailable when a Covered Entity calls. Many patients will be happy to give their consent for a voice message to be left with a family member or other person involved in their care but might not consent to a voice message being left on an answering machine or voicemail that is accessible to other individuals who share the patient’s home or workplace. Where no such consent has been obtained, the message should be limited to the caller’s name and a request to call back.
How State and Federal Laws Impact HIPAA Telephone Rules
As mentioned previously, state laws can have an impact on HIPAA telephone rules inasmuch as they may govern the nature of calls Covered Entities can make to patients. Federal laws such as the TCPA are mostly designed to prevent unsolicited telemarketing calls and automated “robocalls”. Consequently, Covered Entities have to be careful how they use automated dialers that transmit prerecorded or artificial-voice messages for appointment reminders and home healthcare instructions.
Some federal and state laws govern what type of health data can – and cannot – be communicated by phone. For example, under Section 543 of the Public Health Service Act (implemented by 42 CFR Part 2), the records of patients receiving treatment for substance use disorders from a Part 2 program cannot be disclosed without specific authorization. In Texas, HB300 extends similar protection to most mental health records and to records or tests relating to AIDS or genetic diseases.
Some automated calls are allowed under the FCC’s rules implementing the TCPA, and telemarketing calls are separately governed by the FTC’s Telemarketing Sales Rule under the Telemarketing and Consumer Fraud and Abuse Prevention Act, but these calls may also be subject to state or local laws – especially if the patient’s telephone number is on the National Do Not Call Registry or a state do-not-call list. Consequently, Covered Entities and Business Associates should seek professional compliance advice about how the HIPAA telephone rules apply in their jurisdiction.
HIPAA Telephone Rules FAQs
Are Phone Calls HIPAA Compliant?
Phone calls to patients are HIPAA compliant provided the nature of the phone call falls within the reasons for which a patient is considered to have given their consent. If a phone call to a patient relates to any other subject, the Covered Entity must have consent from the patient before making the call.
Are Cell Phone Calls HIPAA Compliant?
Calls to cell phones are subject to the same HIPAA telephone rules as calls to landline numbers. However, calls from a cell phone could lead to a HIPAA violation if the patient’s name and number are stored in a healthcare professional’s cell phone and there are no safeguards in place (device encryption, a screen lock, remote wipe) to prevent that ePHI from being disclosed without authorization if the cell phone is lost or stolen.
What Would You Do If a Patient Requested Information Over the Phone?
This depends on whether the patient is known to the person answering the call – a common event in smaller practices. If the patient is not known, the Privacy Rule’s verification requirement (45 CFR §164.514(h)) applies: the caller’s identity and authority must be verified before any PHI is disclosed, for example by asking for details that would not be readily available to someone who merely knows the patient’s name, and only the minimum necessary information should then be disclosed. The call, the identity of the caller, how it was verified, and the information disclosed should be logged by the person answering the call.
Can Nurses Give Patient Information Over the Phone?
Nurses can give patient information over the phone to a patient, a patient’s legal representative, or a patient’s family member subject to the conditions mentioned above – and, in the case of giving information to a family member, subject to the patient’s consent or the patient having been given the opportunity to object. If a patient is unable to give consent due to incapacitation, the nurse should obtain consent from the patient’s personal representative where one exists; the Privacy Rule also permits disclosure of information directly relevant to a family member’s involvement in the patient’s care when, in the nurse’s professional judgment, that disclosure is in the patient’s best interests.