Understanding HIPAA Telephone Rules and Phone Calls

We live in a hyper-connected society. Almost everyone we know has a cell phone, tablet, or computer — maybe all and more. These devices are designed to make our day-to-day activities more efficient and enjoyable. While healthcare is rarely an enjoyable experience, there are always means that can be used to make it more comfortable. One of those solutions comes with improved technology that allows patients and providers to communicate and share data with speed and ease. The most common way improved communication occurs between both parties is through personal electronic devices, like smartphones. Although this sounds like a great idea, it has not exactly taken off. This is mainly because HIPAA still applies.

Navigating HIPAA telephone rules can be tricky. That is because there are technically no restrictions directly related to the use of phones. HIPAA is only concerned with the personal health information (PHI) stored or shared via those devices. What holds most providers back from deploying this tech is an overall misunderstanding of what is allowed and what is not — and the subsequent fear of being penalized. Continue reading as we dive into the specifics of using telephone calls as a tool in healthcare settings.

As stated earlier, there is no ban on the use of phones to make calls, or mobile phones to call, text or email patients. What does matter, is the type of information being shared or requested. In fact, and according to an order by the Federal Communications Commission, shared via the HIPAA Journal, "if a patient provides a telephone number to a Covered Entity (either landline or mobile), the provision of the number constitutes consent for the Covered Entity to make calls and send SMS text messages to the patient on that number." For security purposes, HIPAA- compliant phone calls and text messages are only permitted under certain circumstances, for example:

• Appointment reminders
• Prescription refill notifications
• Pre-registration instructions for hospital visits

As you can see from the few examples above, the information that can be shared via mobile devices, like smartphones, is quite generic, and will not reveal specific PHI of a patient.

When healthcare providers need to speak with each other, such as a family physician with a specialist, the information they can share becomes more vast. A couple examples related to telephone calls provided by the U.S. Department of Health & Human Services include:

• "A doctor may discuss a patient's condition over the phone with an emergency room physician who is providing the patient with emergency care"
• A laboratory may communicate a patient's medical test results over the phone, to a physician

When interested in communicating with patients via telephone or smartphone, it is important that providers take reasonable precautions to avoid sharing PHI, and that the phone numbers and devices they are communicating with are indeed that of the intended individual.

HIPAA Compliance: Outbound Calls

Often, a healthcare practitioner will need to call patients in order to share news of a test result, request a follow-up, or simply return a phone call. In each case, maintaining privacy is critical, especially considering the patient is not physically present. As a general rule, outbound calls to patients can usually be made for the following reasons:

• Appointment reminders
• Reporting of test results
• Pre-procedure instructions
• Post-discharge check-up
• Home healthcare monitoring

In terms of best practices and to avoid any issues with HIPAA, a healthcare practitioner and their office colleagues should follow these policies when making outbound calls to patients:

• Calls should be short with a recommendation of 60-seconds or less
• The caller, whether it be a receptionist, provider, or someone else at the practice, should state their name, and provide any relevant contact details before other details of the call purpose are shared
• Calls should be limited to between one and three times per week, unless an urgent situation requires regular follow-up
• The calls made should not cost the client any money outside of their normal telephone plan
• If you leave a voicemail, the patient should be provided a toll-free number to call back to — you can consider this call back line to be your HIPAA-compliant phone number

With more people using instant messaging applications like Apple's iMessage, consider learning more about HIPAA-compliant text messaging.

What About HIPAA Compliance and Automated Calls?

Since late 2013, the Federal Communications Commission has required that healthcare providers obtain written consent from a patient before deploying automated messages — whether by text or phone. Healthcare providers often use these automated messages for low-risk communications like appointment reminders.

A Couple Important Points to Remember:

• Outbound calls to patients are not a HIPAA violation, unless a patient has provided a written request not to be contacted by phone
• Mobile phones, like smartphones, fall under the same provisions as landlines. Refer to the hyperlink above to learn more about having HIPAA-compliant conversations with your patients

Checklist for HIPAA-Compliant Phone Calls

Being able to reach out to your patients via phone call can be a highly efficient practice. It often allows for quicker response times compared to email or regular mail. Quicker responses lead to more efficient coordination, which can be paramount in healthcare. Although it might seem attractive to pick up the phone or better yet, send out automated messages to your patients, there must be a level of care applied by healthcare providers to ensure HIPAA requirements are not violated.

With that said, do not be discouraged. Phoning your patients is permitted in a variety of circumstances. How can you be sure you are not violating HIPAA telephone rules? Use the checklist below for HIPAA phone call verification tips.

• Before deciding to contact patients by phone, ask them if they would like to opt out of phone calls. If a patient has not explicitly opted out, they may be contacted
• Only make calls for a simple purpose, like appointment reminders, scheduling appointments or a test result notification
• Keep calls to 1-minute or less
• Do not plan to call the same patient more than 3 times per week (unless there is a consistent ongoing dialogue between both parties)
• Set-up a toll-free number. Consider this your HIPAA-compliant voicemail system. If you want to leave a voicemail, a patient must be able to reach you back via a toll-free number or other method which will not cost them anything outside of their normal telephone plan
• Be ready to identify yourself and your practice before getting into the purpose of your call
• If you plan to store data from your phone call, such as a recording, or other notes, it must meet the same rigorous standards of other PHI stored at healthcare organizations. This data is not treated any differently