In the first month of 2021, HHS hit a health insurance company with a $5.1 million fine. Why? The company violated HIPAA.
HIPAA violations are a big deal. If an organization works with private health information, they have a legal responsibility to protect that data.
Yet, many reasonable actions, like calling patients, put that data at risk. What’s the best way to stay compliant while getting work done?
One option is HIPAA voicemail security. HIPAA compliant voicemail, text, and email services empower medical offices to send messages. At the same time, they mitigate the risk of a security breach—and the fines that come with them.
Learn the ins and outs of HIPAA. Then, discover HIPAA-compliant messaging options. How might they work for your office?
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act. This 1996 law regulates healthcare organizations. Any healthcare group that works with protected health information (PHI) must comply with HIPAA mandates.
The Department of Health and Human Services (HHS) enforces HIPAA. The HHS’ Office for Civil Rights (OCR) may impose fines against organizations that break HIPAA rules.
HIPAA has many parts. But, when it comes to PHI, one subset of the law matters. HIPAA sets three key PHI rules. These are:
- The Privacy Rule
- The Security Rule
- The Breach Notification Rule
The privacy rule limits disclosure of PHI without the patient’s explicit consent. No organization can share a patient’s health data without their knowledge. The only exceptions are extreme emergencies.
The security rule sets security standards. Healthcare organizations must meet or exceed security standards to protect PHI.
If hackers or thieves access an organization’s PHI because of weak security, OCR holds the organization responsible.
The breach notification rule requires covered organizations to report a security breach. The organization must report a breach to HHS within sixty days. They must also disclose the breach to the impacted patients within that time frame.
HHS added the HITECH Act in 2009. This act encourages organizations to use secure healthcare technology. It also increased the penalties for insecure data.
To comply with HITECH, businesses sign Business Associate Agreements (BAA). For more on these agreements, see the subheading under “HIPAA Voicemail: What Makes It Safe?”
Can Voicemails Violate HIPAA?
The HHS allows healthcare providers to leave voicemails for patients. They may also leave voicemails for other departments.
But, security rules are still in play. And, the HHS has recommendations about voicemail content.
First, the HHS encourages providers to refrain from disclosing private information on a voicemail. Instead, simply leave patients the provider’s name and a number they can call back.
Second, do not leave a message with someone else in the patient’s household. Only leave a message on the patient’s phone itself.
Third, organizations must comply with patient requests for confidentiality measures. If a patient requests communication solely to a secure number or password-protected inbox, organizations must use this option.
Poor security and inappropriate disclosures violate HIPAA. Organizations must keep these rules in mind to stay compliant.
HIPAA Voicemail: What Makes It Safe?
HIPAA voicemail services use high-end security measures. These measures comply with the HITECH Act and the HIPAA security rule.
With security measures, no hackers can steal information sent to a voicemail service. The measures also protect transmissions from voicemail to email.
If voice records or transcribed recordings are secure, it’s easier to use a range of message formats. Five security measures make iPlum’s voicemail service compliant. These are:
- Encryption
- Separate business lines
- Access codes
- Automatic call forwarding
- Business Associate Agreements
These tools comply with HIPAA’s security rule. They empower providers and patients to prevent wrongful disclosure.
Encryption
Encryption is a critical security tool. It disguises the contents of a message while the message is in transit.
The Internet Engineering Task Force (IETF) publishes the protocols that keep message files safe. These standards protect any file that crosses internet networks in transmission.
Encryption protects message contents as they travel over wireless networks. Without this protection, third parties could read the messages’ contents, even accidentally.
In contrast, only the intended recipient can read an encrypted message, because only the receiving device can decrypt it.
Some secure message technologies use Transport Layer Security (TLS), another IETF encryption protocol. IETF designed TLS to replace the outdated SSL protocol.
TLS maintains a high degree of privacy. It also ensures that a message in transit cannot be altered or lose data without the receiver detecting it.
TLS’s advantage is that it wraps the whole connection in a private encrypted layer. Before any data flows, the connecting device checks that the server’s public key is vouched for by a digital certificate.
Access Code Options
Decryption happens automatically, because the encryption and decryption procedures are coded into the software.
Access codes, by contrast, are manual. An access code is a four-digit PIN that a person must enter.
One type of access code protection is the calling party access code. Only callers with the access code can leave a message in a protected inbox.
This access code option prevents attempts to violate HIPAA with shortcuts. A patient must explicitly consent to receive PHI transmission from specific parties. The patient can then authorize those parties with the PIN.
Recipient access codes work the other way around. They prevent unauthorized access to a voicemail box.
This lets doctors and staff protect their voicemails. Nobody can access messages in the voicemail inbox without a PIN. The PIN functions as a password to enter the inbox.
Second Business Line
A second business line is safer than using one phone line for everything. A doctor may receive calls from many sources. These include pharmacies, patients, and hospital administrators.
A second line on one phone can keep these separate. This lets the phone user know who is calling, and when. They can choose to answer calls that may contain PHI in secure locations.
Automatic Forwarding to Voicemail
Automatic forwarding is also called “ringless voicemail.” This sends specific calls straight to voicemail. This lets the caller transmit a voice message in a way that doesn’t cause the recipient’s phone to ring.
This ensures calls containing PHI stay secure. Nobody will inadvertently answer this call in an insecure location.
And, a physician can stay HIPAA compliant with this option. The doctor can forward a message from a pharmacy to a secure voicemail inbox.
This bypasses front desk staff. Bypassing is essential if the patient has not consented to PHI disclosure to staff.
Business Associate Agreements (BAA)
HIPAA regulates all organizations that interface with PHI. But, not all of these organizations are medical facilities.
Healthcare business partners must also comply with HIPAA. Fortunately, healthcare providers can set Business Associate Agreements (BAAs) with partners.
The BAA is a contract. It outlines what types of PHI the business partner will interface with. And, it describes how the partner may disclose PHI.
It also notes which PHI uses are forbidden.
The BAA also details mandatory security measures. Finally, the business partner must agree to the provider’s breach notification policy.
The HITECH Act mandates BAAs for all partnerships. A business that provides secure voicemail service must sign a BAA. This is a key way to make sure you’re using voicemail within HIPAA’s boundaries.
Compliant Voicemail: Features and Options
HIPAA-compliant voicemail may include other features and services. These, too, can empower compliance.
They can also improve patient satisfaction. Voicemail service features include:
- Transcription
- Audit controls
- HIPAA-compliant texting
Each of these features meets HIPAA regulations.
Transcription turns voice messages into text. This lets you send messages to a secure, text-based medium. This may be within a secure, local area network.
A patient might not have authorized disclosure of their PHI to a human transcriber. Automated transcription, however, involves no additional person, so it is fine.
Audit controls trace every interaction with a message. This lets systems identify who disclosed PHI unlawfully. It also checks message transfers to ensure information gets to the right place.
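To make the two access-code roles and the audit-control idea concrete, here is an added Python model of a protected voicemail inbox (example code, not iPlum’s software): a calling-party PIN gates deposits, a recipient PIN gates playback, PINs are stored only as salted hashes, repeated failures lock the box because a four-digit PIN has only 10,000 possible values, and every attempt, allowed or denied, is written to an audit log. The VoicemailBox class, the lockout threshold and the sample PINs are assumptions of this example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000
MAX_FAILED_ATTEMPTS = 5  # assumption: a 4-digit PIN has 10,000 values, so lock out early


def hash_pin(pin: str) -> tuple:
    """Store only a salted PBKDF2 hash of the PIN, never the PIN itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def check_pin(pin: str, stored: tuple) -> bool:
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class VoicemailBox:
    def __init__(self, caller_pin: str, owner_pin: str):
        # calling-party access code gates deposits; recipient access code gates playback
        self.pins = {"deposit": hash_pin(caller_pin), "listen": hash_pin(owner_pin)}
        self.failures = {"deposit": 0, "listen": 0}
        self.messages = []
        self.audit_log = []  # audit control: every interaction, allowed or not, is recorded

    def _authorize(self, action: str, actor: str, pin: str) -> bool:
        if self.failures[action] >= MAX_FAILED_ATTEMPTS:
            self.audit_log.append((actor, action, "locked"))
            return False
        if not check_pin(pin, self.pins[action]):
            self.failures[action] += 1
            self.audit_log.append((actor, action, "denied"))
            return False
        self.failures[action] = 0
        self.audit_log.append((actor, action, "ok"))
        return True

    def deposit(self, caller_id: str, pin: str, recording: str) -> bool:
        if not self._authorize("deposit", caller_id, pin):
            return False
        self.messages.append((caller_id, recording))
        return True

    def listen(self, owner_id: str, pin: str):
        if not self._authorize("listen", owner_id, pin):
            return None
        return list(self.messages)
```

The audit log is what lets a reviewer later answer who touched a message and whether the access was authorized, which is the page’s audit-control requirement in miniature.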
HIPAA Compliant Texting
Some patients prefer texts. For them, it’s faster to read than listen to a recording.
HIPAA compliant texting uses the same security protocols as voicemail. Make sure to text only to secure devices.
HIPAA Voicemail Tips
The right technology is the first step to staying HIPAA-compliant. But, it’s wise to take additional measures.
One measure is to only leave minimal messages.
Leave a Callback Number
If you call a patient, simply state who’s calling. Summarize the purpose of your message. Then, leave a call-back number.
The patient can call back when they are able. At that point, you can talk to them directly about their health information.
This prevents nosy housemates from listening to PHI on the patient’s voicemail.
It also protects the patient’s PHI from hackers. End-to-end encryption protects messages in transit, but a hacker can still try to steal information from the endpoint.
If a hacker steals information from a patient’s phone with a virus, that’s not great. But, if there’s no usable information in the voicemail, the patient’s PHI is still protected.
Listen to Messages in Private
A second security measure changes how providers listen to voicemails. Playing a voice message on a speakerphone can accidentally disclose PHI. If other people in the office overhear the PHI, that’s a HIPAA violation.
Instead, only listen to messages in private. Use headphones or a cell phone to hear voicemails intended solely for you.
HIPAA compliant voice and text is easy through iPlum. Explore our low-cost services on our products page.
Want to learn more about HIPAA voicemail options? Talk to us. We’re happy to answer any questions.
We also offer free online tutorials.