What are the HIPAA Telephone Rules?

The HIPAA telephone rules are based on the standards of the HIPAA General Provisions, the HIPAA Privacy Rule, and the HIPAA Security Rule – notwithstanding that covered entities and business associates are also required to comply with state and federal telephone rules.

Due to there being different standards that apply depending on the nature of a call and the nature of an organization’s operations, each covered entity and business associate is required to develop their own HIPAA phone call rules for using the telephone in compliance with HIPAA.

This article provides general guidance on developing HIPAA telephone rules that cover the most common healthcare scenarios. If you require further advice on making HIPAA compliant phone calls or using a HIPAA compliant phone service, you should seek professional compliance advice.

The Variety of HIPAA Phone Call Rules

The variety of rules and regulations covering how covered entities and business associates can use the telephone to communicate Protected Health Information (PHI) can be confusing. Different HIPAA telephone rules can apply depending on:

• If a covered entity is communicating PHI to another covered entity with whom the patient has a direct treatment relationship,
• If a covered entity is communicating PHI to another covered entity with whom the patient does not have a direct treatment relationship,
• If a member of a covered entity’s workforce is communicating PHI to a colleague for treatment, payment, or healthcare operations,
• If a member of a covered entity’s workforce is communicating PHI to a colleague for any other purpose,
• If a covered entity is communicating PHI to a business associate (or vice versa), or
• If a Covered Entity is communicating PHI with a patient or receiving PHI from a patient.

The rules relating to sharing patient information with family over the phone can also be confusing. For example, sharing patient information over the phone with family is permitted when a healthcare provider believes it is in the patient´s best interests – unless the patient has stated they want the information withheld.

However, it is not permitted to disclose information to family over the phone about a past medical problem that is unrelated to the patient´s current condition, and it may be necessary for a healthcare organization to develop procedures for HIPAA compliant phones calls so the identity of a caller enquiring about an individual’s wellbeing can be verified.

Where the HIPAA Privacy and Security Rules Apply

It is also the case that covered entities in one state may be subject to different telephone rules than covered entities in another state. This can happen when one state has passed legislation with more stringent privacy requirements than the HIPAA Privacy Rule. HIPAA does not preempt state law when the privacy requirements of the state are more protective than those of the HIPAA law itself.

One example of state law having more stringent privacy requirements than HIPAA is in Texas; where all organizations (including many not covered by HIPAA) are required to comply with the Texas Medical Records Privacy Act. With regards to HIPAA compliant phone calls and the Telephone Consumer Protection Act, several states (i.e., Florida and Oklahoma) have introduced their own legislation with more stringent requirements than the federal Telephone Consumer Protection Act.

A further issue that can lead to confusion about the HIPAA telephone rules is whether or not PHI exchanged during a telephone call is subject to the HIPAA Security Rule. According to §160.103 of the HIPAA Privacy Rule, PHI exchanged during a telephone call is not considered to be subject to the HIPAA Security Rule “if the information being exchanged did not exist in electronic form immediately before the transmission”. However, if the PHI is subsequently recorded on electronic media, the stored PHI (now ePHI) becomes subject to the provisions of the HIPAA Security Rule.

With regards to the above standard, it is important to be aware it was published in 2002 and relates to telephone calls conducted via a traditional landline telephone that uses a circuit-switched voice communication service through the Public Switched Telephone Network. If a telephone call is made via a HIPAA compliant VoiP or UCaaS voice communication service (i.e., Skype, Teams, RingCentral, etc.), the phone call is considered electronic and HIPAA applies to both the content of the call and the technology it is made on.

Covered Entity and Business Associate HIPAA Telephone Rules

The HIPAA telephone rules for communications between covered entities – or between covered entities and business associates – are the same as the permissible disclosures of PHI under the HIPAA Privacy Rule. PHI can only be disclosed for treatment, payment, and healthcare operations; and, when a communication involves a business associate, a Business Associate Agreement must be in place before PHI is disclosed for any reason.

An exception exists in the event of a data breach. The Breach Notification Rule allows PHI to be disclosed when a business associate reports a data breach to a covered entity, if the risk exists that unsecured PHI may be misused imminently. As with disclosures of PHI during other allowable telephone communications, the Minimum Necessary Standard applies, and the information disclosed to the covered entity must only be the minimum necessary amount to achieve the purpose for which it is disclosed.

It is important for covered entities and business associates to be aware that, if they communicate voice messages via a VoIP or UCaaS service, the telecommunications provider must comply with the HIPAA telephone rules, ensure a HIPAA compliant phone service, and sign a Business Associate Agreement. This is because the telecommunications provider may store voice messages containing PHI on their servers which could be exposed in the event of a data breach.

The Situation Regarding HIPAA and Patient Telephone Calls

The situation regarding HIPAA and patient telephone calls is more complicated because the nature of phone calls to patients may be conditional upon whether or not the patient has given their consent to be contacted by the covered entity by phone. Generally, a patient is considered to have given their consent to receive healthcare-related phone calls and texts if they have provided the covered entity with a telephone number. However, allowable reasons for patient telephone calls are limited to:

• Appointments and reminders
• Health checkups
• The provision of medical treatment
• Lab test results
• Notifications about prescriptions
• Pre-operative instructions
• Post-discharge follow-up calls
• Home healthcare instructions
• Hospital pre-registration instructions

Even when consent is considered to have been given, further HIPAA telephone rules apply to patient telephone calls. For example, calls to patients should start with the covered entity stating their name and the reason for the call, calls should last no longer than sixty seconds, and covered entities should not contact patients for “allowable” reasons more than three times per week. Any other form of contact – either by voice call or text – requires the patient’s express consent.

Patient consent should also be obtained before leaving messages with family members or voicemail messages. It may the case that the patient does not want members of their family to know about a health condition, or that the telephone number given by the patient is their work number – in which case there may be no way of controlling who PHI is disclosed to. The failure to obtain patient consent in these circumstances is likely to be viewed as a HIPAA violation if the patient subsequently complains to HHS´ Office for Civil Rights.

How State and Federal Laws Impact HIPAA Telephone Rules

As mentioned previously, state laws can have an impact on HIPAA telephone rules inasmuch as they may govern the nature of calls covered entities can make to patients. Federal laws are mostly designed to prevent unsolicited telemarketing calls and automated “robocalls”. Covered entities have to be careful how they use automated dialers that transmit prerecorded messages for appointment reminders and home healthcare instructions.

Some federal and state laws govern what type of health date can – and cannot – be communicated by phone. For example, under Section 543 of the Public Health Service Act, the medical records of patients receiving treatment for substance use disorders cannot be disclosed without specific authorization. In Texas, the Texas Medical Records Privacy Act extends this requirement to most mental health records and records or tests relating to AIDS or genetic diseases.

Some automated calls are allowed under the Federal Communication Commission´s rules relating to telemarketing and the Consumer Fraud and Abuse Prevention Act, but these may also be subject to state or local laws – especially if the patient’s telephone number is on a state or federal do not call registry. In some cases, it will be necessary for covered entities and business associates to seek professional compliance advice about how the HIPAA telephone rules apply in their jurisdiction.

It is important for covered entities and business associates to comply with state and federal laws in addition to the HIPAA telephone rules. Organizations subject to HIPAA should sign a Business Associate Agreement with their telecommunications provider if calls are made via VoIP or UCaaS to ensure a HIPAA compliant phone system is being used, and train members of the workforce to only leave HIPAA compliant voicemail messages when consent has been obtained from the patient.

HIPAA Telephone Rules FAQs