NEW! Front Desk Staff Essentials 5-Part Training - Save 15% Now LEARN MORE

Access All Live + All On-Demand Trainings for 1 Year! SAVE $300 NOW

Head Off Costly HIPAA Violations for Patient Voicemail Errors

Share: Share on Facebook Share on Twitter Share on LinkedIn

Head Off Costly HIPAA Violations for Patient Voicemail Errors

Share: Share on Facebook Share on Twitter Share on LinkedIn
HIPAA compliant voicemails

Ensuring your staff leaves HIPAA-compliant voicemails is easier than it sounds. Because of this, HIPAA investigators regularly scrutinize practice voicemail processes closely. Phone messages left with patients’ spouses, co-workers, or answering machines without consent are violations each time they occur. HIPAA compliant voicemails.
It doesn’t matter whether you speak with someone about their 93-year-old mother’s appointment or a spouse’s billing issue. Unless you have written consent from the patient (or another authorized person) that gives you the right to speak to or leave a message with someone other than your patient, you are in violation.

Specifically, watch out for requests from family members and spouses for patient information without confirming formal authorization. Usually, errors related to this are due to familiarity with the family member or spouse. All may be fine for a while, but you could be in big trouble if you release something that the patient doesn’t want their family privy to, and you don’t have the correct release on file.

You can protect practice against costly HIPAA violations by implementing an easy-to-understand policy on exactly how you want voicemail message left.  Then, provide training to your front desk team (or whoever is leaving patient messages). Here are a few of the most common dangers when trying to leave patients a HIPAA compliant voicemail:

1. Patient name: Never use your patient’s name when leaving a voicemail. It also is not recommended to leave any other information that identifies your patient. Here are two examples of acceptable language for voicemail messages:

–      Appointments: “Please call us back regarding your appointment at XXX-XXXX.”

–      Billing: Please call us back regarding your invoice at XXX-XXXX.”

2. Medical Information: It is also essential to NEVER leave test results or other medical information on a patient’s voicemail. Instead, request that they call you back to get the information from you directly. You should never indicate what the particulars of the call are unless your patient has given you specific clearance in writing that it is okay to do so. Here are some examples of wording to use on your authorization form to get your patients’ authorization for leaving detailed messages:

Message Option #1: I give my permission for Dr. Smith’s office to leave specific information about scheduling appointments with his openings on my voicemail at [insert number].”

Message Option #2: “I give my permission for Dr. Smith’s office to leave specific information about billing on my voicemail at [insert number].”

3. Practice-Specific Information: When leaving a patient voicemail message, it isn’t only the patient’s information you need to be cautious of. Identifying your practice specialty in a message can provide a clue to your patient’s health issues if someone else hears it. If you’re a primary care practice, it may not be too much of an issue (although it is still a HIPAA violation). However, if you work in a more sensitive specialty (i.e., infectious disease, mental health, oncologist, etc.), and the patient doesn’t want anyone to know they see you, then you could be in significant hot water.

4. Non-Patient Interactions: On occasion, when calling a patient, someone else may answer the phone (i.e., a family member, co-worker, office assistant, etc.). Most likely, they’ll ask you to leave a message if your patient is not available. Although this seems reasonable, doing so can violate your patient’s rights if you disclose their information to anyone else without their written permission. The proper response in situations like this is to have your team politely say something like:

I’m so sorry, but I can’t provide you with that information. It’s confidential. I’m not allowed to give that out over the phone. I hope you understand.”

This response may make the person on the other end of the phone angry, but it’s better than compromising your patients’ protected health information and getting hit with a HIPAA violation fine.

5. Get Patient’s Consent: Before you ever pick up the phone to call an existing patient, get into the habit of reviewing their consent form on file. Even though this adds another step to your process, it’s the only way to comply with each patient’s wishes.

If you don’t have written consent from the patient, limit yourself to simply asking for a callback, and don’t leave any additional information. Also, never verbally leave lab results or patient medical information on voicemail under any circumstances.

WARNING: Don’t be lulled into setting up a “cheat sheet” with each active patient’s name and specific consent guidelines to make it easier for your front desk staff to get it right. This is not a good idea. Remember, your patients have the right to revoke their consent at any time. That means you run the risk of incorrect information if you don’t keep your cheat sheet up to date.

HIPAA Compliant Voicemail Training HIPAA compliant voicemails

The only way to help your front desk team leave HIPAA compliant voicemails is to arm them with very specific responses for a variety of scenarios so they aren’t caught off guard. To good way to do this is with scenario-based training. You can utilize the voicemail scenario below to help your team leave HIPAA compliant voicemails.

Tip: If someone in your office ever doesn’t know how to answer a patient question, be sure they at least know who to ask for assistance.

Voicemail Training Scenario HIPAA compliant voicemails

Your office receives a voicemail from a patient asking about the availability of appointment times for the coming week. She leaves a phone number so you can call her back.

The next day, one of your front desk staff returns the patient’s call. However, instead of reaching the patient, it’s their voicemail. Your team member leaves a message with their name, the name of your practice, and indicates that she is returning her call. Your staff member also includes the patient’s name in the message, she identifies the specialist’s name and specialty, includes available appointment times and asks the patient to call her back.

Provide this training scenario to your staff and ask them to critique it. Then, get your team together and discuss how the scenario could be improved so that a HIPAA compliant voicemail is achieved.

This training scenario is also a great exercise to give to new office staff candidates. Ask them to write down their thoughts on the situation and tell you how they would improve the message to make it a HIPAA compliance voicemail.

IMPORTANT: If you ever are audited by HIPAA, investigators will be looking for your training log. Accordingly, documenting your HIPAA training is essential, but it doesn’t have to be complicated. It can be as easy as creating a spreadsheet with the training date, the topic, and the names of the staff in attendance. Your training log should be easily accessible and include any of the training documents that you used. Also, include the training date on the supporting documents so there is a clear tie between the training materials and your log.

Return Phone Call Dangers HIPAA compliant voicemails

It’s also vital to train your team on how to answer questions when someone calls into your office. For example, let’s say you leave a message for a patient on their voicemail regarding an appointment, asking them to call and confirm. However, instead of the patient calling back, it’s her husband asking why and for who you left the message.

Whether you are leaving a message with an appointment reminder, or because you are returning a patient’s call, the process guidelines should be the same.

Remind your staff that they don’t actually know where or who they are calling when they dial a patient’s number. They have no idea if the patient’s phone number is secure. Is it a cellphone only answered by the patient? Is it a house phone answered by other family members? Is it an office voicemail that an assistant monitors?

Ultimately, to ensure that your staff leaves HIPAA compliant voicemails and that your practice is protected against costly violations, there are several steps you must follow:

  1. Implement an easy-to-understand office policy regarding patient voicemail messages.
  2. Ensure all staff leaving a message (regardless of who’s calling) utilize the policy constantly.
  3. Only include your name and callback number in a voicemail message to avoid revealing any of your patient’s private information.
  4. Avoid identifying specialty-specific information about your practice that might uncover issues with your patient’s health should someone else hear the message.

For more information about how to avoid HIPAA problems at your front desk, check out this immediately availing online training Head Off Front Desk HIPAA Nightmares presented by expert, Tracy Bird, FACMPE, CPC, CPMA, CEMC, CPC-I. This 60-minute training is a perfect training tool for your entire front desk staff (including new hires). It can be accessed again and again. This training will provide you with step-by-step actionable strategies to help keep your patients happy, your office HIPAA compliant, and you out of legal and financial hot water with the Feds. HIPAA compliant voicemails.

Subscribe to Healthcare Practice Advisor
Get actionable advice to help improve your practice’s
reimbursement, compliance, and success in this weekly eNewsletter.
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden