How to leave and receive HIPAA-compliant voicemails (with script)

Estimated reading time: 8 minutes

Knowing exactly how much information to leave on a voicemail can be tricky. You need enough detail to convey the message without compromising your client’s privacy. And what about messages your clients leave for you? Should they be handled in a special way?

In this article, we’ll cover the Health Insurance Portability and Accountability Act (HIPAA) rules on voicemail and how to comply with them.

But first, a pop quiz! Which of these voicemails could violate HIPAA?

(Hint — it’s the one on the right. Keep reading to find out why.)

What is HIPAA-compliant voicemail?

HIPAA-compliant voicemail consists of voice messages sent or received with security measures in place to protect your clients’ personal health information (PHI) according to HIPAA regulations.

PHI can include names, geographical identifiers, a desire to use your services, and more.

“PHI is individually identifiable information plus health info – where health info is any info about past, present, or future healthcare treatment, diagnosis, or payment for those services,” said Liath Dalton, deputy director and co-owner of Person Centered Tech.

HIPAA guidelines for sending voicemails

According to the HIPAA Privacy Rule, covered entities (including healthcare providers) are allowed to leave voicemails for clients. In some circumstances, this may include leaving a message with another person, but only if a healthcare professional decides it’s in the client’s best interest.

The Privacy Rule also states you must comply with a client’s request to have confidential information communicated in a specific way as long as it is reasonable. For example, if a client prefers to be contacted by email only, you must respect those wishes.

A key best practice is to ask clients how they would like to be contacted before you pick up the phone. “A covered entity should do its best to determine a client’s communication preferences during the onboarding process,” said Steven Youngman, VP of Finance and Legal for Hushmail. 

Want to leave detailed voice messages? Get your clients’ consent up-front with this Request for Non-Secure Communication form.

HIPAA guidelines for receiving voicemails

When clients leave you voice messages, you must take steps to safeguard them from being accessed by a third party, as you would with any other sensitive information.

With voicemail, the rules can vary depending on the type of service. If you use a landline with voicemail or a physical answering machine, you must only follow the HIPAA Privacy Rule and take steps to protect the messages in your office. You would not need to use a HIPAA-compliant telecommunications company with a business associate agreement (BAA).

This is because landline services fall under the HIPAA Conduit Exception. This rule allows businesses that only transmit electronic health information (e-PHI), but do not process it or store it on a long-term basis to operate without a BAA.

“The provider does not have access to the actual contents of the voicemail, and the voicemail access is transient in nature. Also, the storage is on a temporary basis incidental to the transmission itself,” said Youngman.

If your voicemail is on a mobile phone or provided through an internet-based service such as Skype, then you must also follow the HIPAA Security Rule, which deals with electronic protected health information (e-PHI).

The “How to receive a HIPAA-compliant voicemail” section covers specific best practices and HIPAA-compliant providers in more detail.

How to leave a HIPAA-compliant voicemail

So, how exactly do you leave a HIPAA-compliant voicemail? Be as brief as possible to get the message across.

In the quiz at the beginning of this article, the answer on the right is incorrect because it includes the client’s name and details about a required intake form, which could both be considered PHI. The answer on the left does not give away any of those details.

It’s also important to consider your location when leaving voice messages for clients. Finding a private place where you can’t be overheard is best. This can help prevent incidental disclosures.

When leaving a voicemail:

• Use the practitioner’s name, not the office name (e.g., “Raymond Rogers’ office” rather than “Raymond Rogers Family Therapy”)
• Use the minimum amount of information required to get the message across
• Avoid using client names
• Ask clients to call back to discuss further details

Voicemail script

Since information such as names, appointment times, and even the indication of a relationship between you and your client could be considered PHI, one voicemail script is ideal for all situations.

“Hi, this is [NAME]’s office. Please call us back at your earliest convenience.”

Although this script doesn’t include many details, it could help protect you and your practice from a HIPAA violation.

If clients prefer to receive more detailed information by voicemail, you could ask them to sign a form requesting non-secure communication. This form is also useful if clients would like to receive text messages through an app that isn’t HIPAA compliant. For a free template, fill out your information below.

How to receive voicemail and stay HIPAA compliant

To stay HIPAA compliant when receiving voicemails, it’s important to prevent messages from being accessed by a third party. This involves putting protective policies and procedures in place and following them. If you use mobile or internet-based voicemail, you must also use a HIPAA-compliant provider offering a BAA.

First, no matter what type of voicemail you use, assess the risk of voicemail being accessed by a third party in your office. These questions might be a helpful starting point:

Based on your answers to these questions, create policies to prevent any risks you identify, and if you have staff, be sure to train them on the policies.

Some best practices include ensuring messages are listened to in a private place where no one can overhear and saving voicemail notes or transcripts in a secure location.

The FCC also offers several recommendations to protect voicemail:

• Always change default passwords for all voicemail inboxes at work, home, and mobile.
• Choose a complex voicemail password of at least six digits.
• Change your voicemail password frequently.
• Don’t use obvious passwords such as an address, birth date, phone number, repeating numbers, such as 000000, or successive numbers, such as 123456.
• Check your recorded announcement regularly to ensure the greeting is indeed yours.
• Consider blocking international calls.
• Disable remote notification, auto-attendant, call-forwarding, and out-paging features if you don’t use them.
• Consult your voicemail service provider about additional security precautions.

Protecting voicemail with mobile or internet-based services

If your voicemail is provided by your mobile phone company or an internet-based app, you must also use a HIPAA-compliant company that offers a BAA.

Here are some examples of possible scenarios that would require you to use a HIPAA-compliant provider:

• You use a business cell phone with voicemail
• You have a second business line with voicemail using an app on your mobile phone
• You use an internet-based telehealth service that also includes phone and voicemail service (similar to Skype) *Note: Skype is not HIPAA-compliant out of the box.*

It can be difficult to know what to look for in a good provider. According to the HIPAA Administrative Simplification Regulations, important technical safeguards are:

• Unique user identification: each user is assigned a specific name or number and can be tracked.
• Emergency access procedures: policies are in place to protect data in case of an emergency.
• Automatic logoff: If you're not using the service, it will automatically close or lock to prevent others from accessing your information.
• Encryption: Your information is scrambled so that only the intended recipient can read it.
• Audit controls: These track and record who has accessed or interacted with your messages, so you know exactly who has seen or handled them.
• Authentication: A way to confirm that the person trying to access the messages is who they say they are, often by requiring a password.
• Transmission security: There are protective measures in place to stop information from being accessed by a third party

Many companies offer a wide range of communications services that include calling and voicemail, texting, faxing, and more. Here are some HIPAA-compliant providers recommended by Person Centered Tech:

• iPlum: offers a mobile business phone line, voicemail, text, fax, and voicemail transcription services
• RingRx: offers a desk and mobile phone line, voicemail, text, fax, and voicemail transcription services

HIPAA-compliant alternatives to voicemail

Since the HIPAA rules do limit the information you can leave on a client’s voicemail, it can be worthwhile to consider other alternatives to get your messages across.

Secure email can be an excellent way to pass information to your clients without compromising their privacy. At Hushmail, we store correspondence on a secure webpage, ensuring that only your clients can access it.

If you need information from your clients, secure forms housed on your website or added to an email can be a very convenient way to get it.

Ready to find out what secure email can do for you?