What if a family member calls to ask about a patient?

If a family member calls to ask about a patient, hospitals can disclose PHI over the phone unless the patient has objected to information being shared. The identity of the family member should be verified, and the information disclosed to the family member should only relate to the patient´s current condition. Hospitals are not allowed to disclose unrelated past medical histories to family members without the patient´s consent.

Are cell phone calls HIPAA-compliant?

Calls to patients´ cell phones are subject to the same HIPAA Privacy rules as calls to patients´ landline telephones – although if made over a VoIP service, Covered Entities are required to have a Business Associate Agreement with the telecommunications provider. However, calls from a patient to a healthcare provider´s cell phone could be in violation of HIPAA if the patient´s name and number is recorded in a healthcare professional´s cell phone and there are no safeguards in place to prevent the patient´s information being disclosed without authorization if the cell phone is lost or stolen.

If a hospital discloses my health information in a phone call, who do I complain to?

In the first instance, you should contact the hospital and request an accounting of disclosures. This will tell you who the information was disclosed to and for what reason. If the disclosure is not allowable, you should complain in the first instance to the hospital´s HIPAA Privacy Officer. If you then decide to escalate the complaint, you can call your state´s Department of Health & Human Services or file a complaint online via the OCR complaints portal .

Is a phone call HIPAA compliant?

This depends on who the call is being made by, what the content of the call concerns, and whether or not the recipient has exercised their right to restrict phone calls. If a phone call is made by a Covered Entity and involves a permissible use or disclosure of PHI to which the intended recipient has not objected (limited to the minimum necessary), it is a HIPAA compliant phone call.

Is a landline HIPAA compliant?

This is a difficult question to answer because no technology is HIPAA-compliant – how it is used determines compliance. Therefore, if the question is “are calls to landlines HIPAA compliant?”, the answer is yes provided that the recipient of the phone call has not objected to being contacted via their landline and the content of the call complies with the Minimum Necessary Standard.

Is giving out a phone number a HIPAA violation?

This depends on the circumstances in which the phone number was given out and who to. Giving out a phone number is not a HIPAA violation if that is all that is given out or if it is given out for a permissible disclosure of PHI. If the phone number is given out with other individually identifiable health information for a non-permissible use or disclosure, the event could be a HIPAA violation if a patient or plan member has not authorized the disclosure.

Can nurses give patient information over the phone?

There are several circumstances in which nurses can give patient information over the phone. The first is for any permissible use or disclosure as allowed by the Privacy Rule, the second is to notify family or friends of the patient's admission into hospital (provided the patient has not previously objected), and the third is for any purpose the patient has authorized.

Are phone calls a HIPAA violation?

Q: Are phone calls a HIPAA violation?

Phone calls from healthcare providers to patients are not HIPAA violations unless the patient has expressed in writing that they do not want to receive phone calls. If phone calls containing health information are made to a family member or friend, the patient should be given the opportunity to object to the call being made unless they are incapable of giving/withdrawing consent, in which case a healthcare professional can use their judgement on the best source of action.

Phone calls are not a HIPAA violation by themselves, but a call violates the HIPAA Privacy Rule when it discloses protected health information without a permitted purpose or without reasonable safeguards, and it can trigger obligations under the HIPAA Breach Notification Rule when an impermissible disclosure of unsecured protected health information occurs.

The HIPAA Privacy Rule allows covered entities and business associates to use and disclose protected health information for treatment, payment, and health care operations, and it permits communications with patients by telephone. Compliance depends on whether the caller has authority to receive the information, whether the content is limited to what the recipient needs, and whether the organization applies reasonable safeguards to reduce incidental disclosures. Verification steps include confirming the recipient’s identity, using approved callback numbers, and applying internal authentication procedures for inbound calls.

Calls in clinical and administrative settings require location and workflow controls. Leaving detailed voicemail messages, speaking where others can overhear, and discussing a patient’s information with a family member or friend without a valid basis for disclosure can create impermissible disclosures. When a disclosure is not for treatment, the HIPAA Minimum Necessary Rule applies, and the caller must limit the information to the minimum needed to accomplish the purpose of the call.

Telephone communications can also involve the HIPAA Security Rule when electronic systems support calling workflows, such as call recording, voicemail storage, softphone applications, call center platforms, or transcripts. When those systems create, receive, maintain, or transmit electronic protected health information, the organization must apply administrative, physical, and technical safeguards aligned with its risk analysis, such as access controls, audit controls, and transmission security when applicable.

An incident associated with a phone call can require breach evaluation. Examples include leaving a message with protected health information on the wrong person’s voicemail, disclosing information to an impostor, or discussing protected health information with an unintended recipient due to a misdialed number. Under the HIPAA Breach Notification Rule, an impermissible disclosure of unsecured protected health information is presumed to be a breach unless a documented risk assessment supports a low probability that the information has been compromised.

Are phone calls a HIPAA violation?

James Keogh