Are text messages and phone calls HIPAA-compliant?
Learn how HIPAA and the TCPA apply to phone calls and text messages from healthcare providers, and how to keep your own calls and texts compliant.
Remaining HIPAA-compliant as a healthcare provider takes sustained effort and a properly executed compliance strategy. The Department of Health and Human Services has published extensive guidance on staying compliant when using electronic health records, telehealth calls, mobile health apps, email, and other common provider tools. Thankfully, with the growth of HIPAA-compliant EHR and telehealth software, it is becoming easier for providers to maintain compliance without spending excessive time manually protecting patient health information.
However, practitioners often struggle to understand how to remain HIPAA-compliant when simply calling clients on the phone. Many providers use phone calls to remind clients of appointments, follow up on a care plan, or notify them of a prescription refill. Below, we explain the regulations that apply to healthcare-related phone calls and lay out the best way to stay compliant when calling your clients. Healthie's all-in-one practice management software reduces the administrative time of telehealth practices by over 40%.
Are phone calls HIPAA-compliant?
Phone calls made by healthcare providers are regulated under more than one law and agency. The overarching statute is the Telephone Consumer Protection Act (TCPA), enacted in 1991, which restricts telemarketing calls, pre-recorded messages, and the use of automatic telephone dialing systems. Healthcare providers do fall under the TCPA, but in 2015 the Federal Communications Commission (FCC) exempted certain non-marketing healthcare calls and texts from the TCPA's prior-consent requirement, provided they meet the conditions described below. Within those conditions, the TCPA does not restrict healthcare-related calls and texts. The exemption does not extend to calls with a financial component, such as billing, payment reminders or collections, which remain subject to the TCPA's normal consent rules.
HIPAA does not prohibit the use of mobile devices in healthcare, but neither the Privacy Rule nor the Security Rule contains provisions specific to phone calls or cell phones. Providers should apply HIPAA's general safeguards for protected health information (PHI) when communicating by phone: for example, make the call from a private space where no one unauthorized to hear PHI is within earshot, and disclose only the minimum necessary information for the purpose of the call.
How to keep phone calls HIPAA-compliant & secure
To stay HIPAA-compliant, there are a few things providers need to do when calling or leaving messages for clients. First, according to the FCC, when a client gives their healthcare provider a phone number, they are consenting to be contacted at that number, and only that number. Patients can revoke this consent at any time and must be given an easy way to opt out of further messages. Your clients most likely give you their phone number when filling out initial paperwork; it is still helpful to include a phone and messaging policy in your intake packet that states this, explains how you will contact them, and tells them how to opt out.
When you call a client, state your name and contact information at the start of the call, then the purpose of the call. The FCC's conditions keep voice calls to about 60 seconds and text messages to 160 characters, which also limits how much PHI any single message can expose if it reaches the wrong person. The FCC also caps frequency: clients are not to be called more than three times a week or texted more than once a day. Patients must not be charged for any of these calls or texts.
The FCC's healthcare exemption covers a defined list of reasons for calling and texting. They include:
- Appointments and reminders
- Health checkups
- The provision of medical treatment
- Lab test results
- Notifications about prescriptions
- Pre-operative instructions
- Post-discharge follow up calls
- Home health care instructions
- Hospital pre-registration instructions
This means that calls and texts made under this exemption should stick to these administrative and care-coordination topics; a phone call is not the place to hold an appointment in which substantial PHI is discussed, and nothing financial (billing, collections) or promotional may be mixed into an exempt message.
For automated calls and texts, HIPAA itself sets no specific rules; the constraints come from the TCPA, which was written around automatic dialing systems and pre-recorded messages. Autodialed or pre-recorded calls to a mobile number require the client's prior express consent, a stronger requirement than for a live call, although a number given on intake paperwork is generally sufficient. Automated appointment reminders sent through a third-party texting service fall within the exemption above as long as the service honors the same content, length, frequency and opt-out limits. Because such a service handles PHI on your behalf, it is a HIPAA business associate, and you must have a business associate agreement (BAA) in place before using it.
Do not leave PHI in a client's voicemail. A voicemail should contain only the patient's name, the appointment date and time, and the provider's name and contact information; nothing more personal may be left. The same applies if a family member or someone else answers the phone: you may leave basic information about the appointment or the purpose of the call, and nothing else. The FCC's conditions also require that a voicemail include a toll-free number the patient can call to opt out of further messages, and that opt-out requests be honored immediately.
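The conditions above (contact only the number on file, honor opt-outs at once, covered purposes only, identify the provider, 160-character texts, one text per day, three calls per week, minimum-necessary voicemails) are exactly the kind of policy a practice should enforce in software before any reminder reaches an SMS or telephony vendor rather than trusting staff to remember them. The following is an added example of such a gate, written for this article; it is not Healthie's code or any regulator's tool. The practice name, toll-free number, patient record and sample traffic are made up, and the thresholds are the figures quoted on this page, kept as constants so they can be changed if guidance changes. Call duration is not modeled; only the per-channel frequency and text length are checked.

```python
"""Outbound patient-contact policy gate (added example, made-up practice data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds quoted on this page, kept as constants so they can track guidance changes.
SMS_MAX_CHARS = 160
MAX_TEXTS_PER_DAY = 1
MAX_CALLS_PER_WEEK = 3
# Hypothetical practice details used only for this example.
PROVIDER_NAME = "Example Wellness Clinic"
CALLBACK_NUMBER = "+1-800-555-0100"   # toll-free; also the opt-out number left in voicemails
ALLOWED_PURPOSES = {  # purposes the page lists as covered; billing and marketing are not
    "appointment_reminder", "health_checkup", "treatment", "lab_results",
    "prescription", "pre_op_instructions", "post_discharge_followup",
    "home_health_instructions", "hospital_preregistration",
}


@dataclass
class Patient:
    name: str
    phone_on_file: str                            # the number given on intake
    opted_out: bool = False
    sent_log: list = field(default_factory=list)  # (timestamp, channel) of past sends


class PolicyViolation(Exception):
    """Raised when an outbound message would breach the contact policy."""


def record_inbound(patient: Patient, text: str) -> bool:
    """Honor an opt-out reply immediately; returns True if consent was revoked."""
    if text.strip().upper() in {"STOP", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}:
        patient.opted_out = True
        return True
    return False


def _sent_within(patient: Patient, channel: str, window: timedelta, now: datetime) -> int:
    return sum(1 for ts, ch in patient.sent_log if ch == channel and ts > now - window)


def check_outbound(patient: Patient, to_number: str, channel: str, purpose: str,
                   body: str, now: datetime) -> bool:
    """Validate one message: raise PolicyViolation, or log the send and return True."""
    if patient.opted_out:
        raise PolicyViolation("patient has revoked consent")
    if to_number != patient.phone_on_file:
        raise PolicyViolation("only the number the patient provided may be contacted")
    if purpose not in ALLOWED_PURPOSES:
        raise PolicyViolation(f"{purpose!r} is not a covered healthcare purpose")
    if PROVIDER_NAME not in body or CALLBACK_NUMBER not in body:
        raise PolicyViolation("message must identify the provider and give contact info")
    if channel == "sms":
        if len(body) > SMS_MAX_CHARS:
            raise PolicyViolation(f"text exceeds {SMS_MAX_CHARS} characters")
        if _sent_within(patient, "sms", timedelta(days=1), now) >= MAX_TEXTS_PER_DAY:
            raise PolicyViolation("daily text limit reached")
    elif channel == "call":
        if _sent_within(patient, "call", timedelta(days=7), now) >= MAX_CALLS_PER_WEEK:
            raise PolicyViolation("weekly call limit reached")
    else:
        raise PolicyViolation(f"unknown channel {channel!r}")
    patient.sent_log.append((now, channel))
    return True


def voicemail_script(patient: Patient, appointment_time: str) -> str:
    """Minimum-necessary voicemail: name, appointment time, provider contact, opt-out number."""
    return (f"This message is for {patient.name}. This is {PROVIDER_NAME} calling to "
            f"confirm your appointment on {appointment_time}. Call {CALLBACK_NUMBER} "
            f"with questions or to opt out of these reminders.")


def attempt(patient: Patient, number: str, channel: str, purpose: str, body: str,
            when: datetime) -> str:
    """Wrap check_outbound, returning 'sent' or 'refused: <reason>'."""
    try:
        check_outbound(patient, number, channel, purpose, body, when)
        return "sent"
    except PolicyViolation as exc:
        return f"refused: {exc}"


def demo() -> dict:
    """Run the gate over constructed sample traffic; returns label -> outcome."""
    jane = Patient(name="Jane Doe", phone_on_file="+1-555-0123")

    def at(days: int, hours: int = 0) -> datetime:  # Monday 2024-01-08 09:00 plus an offset
        return datetime(2024, 1, 8, 9) + timedelta(days=days, hours=hours)

    sms = (f"{PROVIDER_NAME}: your appointment is Wed 10 Jan at 9:00 AM. "
           f"Reply STOP to opt out or call {CALLBACK_NUMBER}.")
    script = voicemail_script(jane, "Wednesday 10 January at 9:00 AM")
    num, rem = "+1-555-0123", "appointment_reminder"
    out = {
        "sms_ok": attempt(jane, num, "sms", rem, sms, at(0)),
        "sms_same_day": attempt(jane, num, "sms", rem, sms, at(0, 6)),
        "sms_billing": attempt(jane, num, "sms", "billing", sms, at(1)),
        "sms_wrong_number": attempt(jane, "+1-555-0999", "sms", "lab_results", sms, at(2)),
        "call_1": attempt(jane, num, "call", rem, script, at(2)),
        "call_2": attempt(jane, num, "call", rem, script, at(3)),
        "call_3": attempt(jane, num, "call", rem, script, at(4)),
        "call_4_over_weekly": attempt(jane, num, "call", rem, script, at(5)),
    }
    record_inbound(jane, "stop")                      # patient replies STOP on day 6
    out["after_opt_out"] = attempt(jane, num, "sms", "lab_results", sms, at(6))
    return out
```

Running `demo()` shows the ordering that matters in practice: consent and number-on-file are checked before anything else, so a revoked opt-out or a mistyped number is refused even for an otherwise valid reminder, and the frequency counters only advance for messages that were actually allowed through. Whatever vendor sits behind this gate still needs a BAA, since it sees the patient's name and appointment details.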
Using Healthie to remain HIPAA-compliant
When looking for HIPAA compliance in an EHR and telehealth tool, there is no need to bolt an add-on onto what you already use to run your business. Choosing an EHR and telehealth platform like Healthie, which is fully HIPAA compliant, ensures that your clients' private health information is protected every step of the way. With Healthie, clients receive access to a secure client portal where they can complete forms, sign policies, upload health information, message their wellness provider, and more, all within the same HIPAA-compliant tool.
As the provider, you have access to all of your clients’ information in one place. You can bill clients, fill out chart notes, store personal health information, and send HIPAA-compliant text and email messages to clients for check-ins. Additionally, with Healthie’s Video Call feature, you can hold virtual appointments through the platform.
Both you and your clients can access the appointment from phone or computer, making virtual appointments both flexible and secure. Healthie’s integration with Zoom allows you to expand your offerings to include webinars and virtual group sessions as well. Healthie’s platform also provides secure ways to send messages, emails, documents, forms, and faxes virtually, to support your practice.
Healthie maintains its HIPAA compliance while hosted on Microsoft's servers under a business associate agreement (BAA) with Microsoft. We additionally encrypt the private data collected on our platform to protect it from theft or attack. Access to data within our system is tightly controlled, and all access and changes are logged and retained so that they can be audited. Healthie's TLS configuration receives an A+ rating from the external tester Qualys SSL Labs.
Here are additional resources to help you learn how Healthie keeps your business HIPAA-compliant.
If you are at all concerned about the security of your information or have any additional questions, you can learn more about Healthie’s high-security standards here or reach out to us at any time at hello@gethealthie.com.