How Call Handling Errors Lead to HIPAA Violations (and How to Prevent Them)
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. The Privacy Rule, its most talked-about component, was finalized in 2000. Its goal? To safeguard protected health information (PHI).
PHI must meet two criteria:
- It can identify an individual, which would require personal information such as a name, date of birth, phone number, or Social Security number.
- It’s health-related and may include information about the treatment someone received, their physical condition, or their payment.
The problem for many medical practices, and where HIPAA violations in healthcare commonly occur, is in the front office when staff are talking on the phone. There’s no paper to shred and no person standing in front of them, making it easier than usual to forget to verify a person’s identity or to discuss their physical condition where others can hear.
And, just like that, a HIPAA violation has occurred. Here, we’ll explore common HIPAA violation examples and how to avoid them.
Why Call Handling Errors Can Be a HIPAA Threat
HIPAA violations that occur during phone calls most commonly involve the unauthorized disclosure of PHI. They may involve failing to verify someone’s identity before speaking with them or disclosing PHI in a crowded waiting room.
The Most Common Call Handling Mistakes That Violate HIPAA
1. Failing to Verify Caller Identity Before Disclosing PHI
HIPAA violation example 1: Your receptionist has spoken with Mr. Smith on the phone more times than she can remember. They’ve discussed his family and the vacation they took, scheduled appointments, and answered numerous questions. When she calls him about his latest lab results, she immediately recognizes his voice and begins to share the good news.
And, in the process, she failed to verify who she was speaking with.
2. Discussing Patient Information in Public or Non-Private Areas
HIPAA violation example 2: For patient ease and workflow, front medical offices are usually located near the waiting room. Before calling a patient, your staff has learned to be keenly aware of who is close enough to hear the conversation. Today, however, is unusual, and the waiting room is empty. Your receptionist decides this is the perfect time to call Mrs. Jones and schedule her biopsy.
A patient didn’t overhear the conversation, but another staff member did. While HIPAA permits incidental disclosures, that exception applies only when reasonable safeguards are in place, such as speaking softly so no one else can hear or talking in a private room.
3. Leaving Detailed PHI in Voicemail Messages
HIPAA violation example 3: You’ve asked your medical assistant to schedule a follow-up with John Smith. They leave a voicemail. “Hi John, this is Dr. Peterson’s office calling about your positive echocardiogram. We need to schedule a cardiac MRI ASAP to determine if there are blockages.”
This message violates the minimum necessary rule and confidentiality, as anyone can hear it, including details of test results and a possible diagnosis.
4. Unauthorized Disclosure to Family Members or Third Parties
HIPAA violation example 4: A staff member calls Mrs. Jones to let her know her biopsy results. Her daughter, another patient, picks up the phone. Because the tissue sample was benign, she shares the good news with her.
To prevent this HIPAA violation, medical practices obtain patient consent. They determine any restrictions, such as what their patient does not want shared, and if there are family members who should not receive personal health information. If the patient is incapacitated, a health provider may share information with a family member if they feel it is in the patient’s best interests.
5. Using Non-Encrypted Communication Channels
HIPAA violation example 5: Office staff sends a quick text message to a patient to remind them of an upcoming procedure. To comply with HIPAA, encryption and access control measures must be implemented to prevent unauthorized access.
To create a secure channel for telephone communications, use systems that support Encrypted Telecommunication for VoIP.
6. Inadequate Staff Training on HIPAA Phone Protocols
Federal law requires that medical staff be adequately trained on how to protect patient data. If it is determined that failure to train was partially responsible for unauthorized disclosure of PHI or a data breach, you may face fines, mandatory corrective actions, and lawsuits.
Best practices for training focus on verifying identification, privacy, consent, secure voicemail practices, and minimum necessary disclosure.
7. Poor Documentation and Audit Trail Management
It’s essential to keep records and details of phone calls. Information should include who called, when they called, and why. An audit trail for phone systems enables logging of call data and access activity. Without logs, you have no proof and cannot verify compliance.
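The following is an added example, not code from the original article or from notifyMD®, showing what a call-handling audit trail of the kind described above can look like and how the logged fields support the checks in the earlier sections (identity verification, private setting, consent, voicemail and encrypted channels). It records who called, when, and why, plus the outcome of each safeguard, while deliberately storing only a keyed pseudonym and PHI categories rather than PHI itself. The field names, the review rules and the sample records are assumptions constructed for this illustration; they are not a statement of what HIPAA specifically requires in a log.

```python
"""Constructed audit-trail model for PHI phone handling (illustrative only)."""
from __future__ import annotations
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # placeholder; in practice a managed secret


@dataclass
class CallRecord:
    timestamp: str                 # ISO-8601, UTC: when the call happened
    staff_id: str                  # who placed or answered the call
    patient_ref: str               # keyed hash of the MRN, never the MRN or a name
    purpose: str                   # why the call happened (scheduling, results, ...)
    channel: str                   # "live", "voicemail" or "sms"
    counterpart: str               # "patient", "family" or "unknown"
    identity_verified: bool        # staff confirmed who they were speaking with
    counterpart_authorized: bool   # patient consent on file covers this recipient
    setting: str                   # "private" or "public"
    encrypted: bool = True         # transport protection for sms/VoIP channels
    phi_categories: list[str] = field(default_factory=list)  # e.g. "lab_result", not the result


def patient_ref(mrn: str, key: bytes) -> str:
    """Pseudonymous reference so log lines correlate without carrying the identifier."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def now_iso() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def review_record(rec: CallRecord) -> list[str]:
    """Return policy findings for one record; an empty list means no issue found."""
    findings: list[str] = []
    if not rec.phi_categories:
        return findings  # callback-only messages and non-PHI calls are fine
    if rec.channel == "voicemail":
        findings.append("PHI left in voicemail (callback request only)")
    if rec.channel == "sms" and not rec.encrypted:
        findings.append("PHI sent over unencrypted channel")
    if not rec.identity_verified:
        findings.append("PHI disclosed without identity verification")
    if rec.counterpart != "patient" and not rec.counterpart_authorized:
        findings.append("PHI disclosed to party not covered by patient consent")
    if rec.setting != "private":
        findings.append("PHI discussed outside a private setting")
    return findings


class CallAuditLog:
    """Append-only JSON-lines log, kept in memory here; write to protected storage in practice."""

    def __init__(self) -> None:
        self._lines: list[str] = []

    def append(self, rec: CallRecord) -> None:
        self._lines.append(json.dumps(asdict(rec), sort_keys=True))

    def records(self) -> list[CallRecord]:
        return [CallRecord(**json.loads(line)) for line in self._lines]

    def review(self) -> dict[int, list[str]]:
        """Map record index to findings, listing only records that have findings."""
        return {i: f for i, r in enumerate(self.records()) if (f := review_record(r))}


def _rec(**overrides) -> CallRecord:
    """Build a record from compliant defaults, overriding the fields under test."""
    base = dict(timestamp=now_iso(), staff_id="recep-01",
                patient_ref=patient_ref("MRN-0001", KEY), purpose="follow_up",
                channel="live", counterpart="patient", identity_verified=True,
                counterpart_authorized=True, setting="private", encrypted=True,
                phi_categories=[])
    base.update(overrides)
    return CallRecord(**base)


def sample_log() -> CallAuditLog:
    """Constructed records mirroring the article's scenarios (not real data)."""
    log = CallAuditLog()
    # 1. Lab results shared on voice recognition alone
    log.append(_rec(purpose="lab_results", identity_verified=False, phi_categories=["lab_result"]))
    # 2. Biopsy scheduled where a coworker could overhear
    log.append(_rec(purpose="schedule_biopsy", setting="public", phi_categories=["procedure"]))
    # 3. Detailed voicemail with results and a possible diagnosis
    log.append(_rec(staff_id="ma-02", channel="voicemail", counterpart="unknown",
                    identity_verified=False, counterpart_authorized=False,
                    phi_categories=["test_result", "diagnosis"]))
    # 4. Results given to a family member with no consent on file
    log.append(_rec(purpose="biopsy_results", counterpart="family",
                    counterpart_authorized=False, phi_categories=["lab_result"]))
    # 5. Unencrypted text reminder naming the procedure
    log.append(_rec(purpose="reminder", channel="sms", encrypted=False, phi_categories=["procedure"]))
    # Compliant: callback-only voicemail carrying no PHI
    log.append(_rec(staff_id="ma-02", channel="voicemail", counterpart="unknown",
                    identity_verified=False, counterpart_authorized=False))
    return log


if __name__ == "__main__":
    for idx, issues in sample_log().review().items():
        print(idx, issues)
```

Reviewing the log periodically in this way turns the audit trail into evidence: each finding points at a specific staff member, time and purpose, and the absence of findings for a record is the proof of compliance the paragraph above refers to.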
Financial, Legal & Reputation Consequences
The penalties for HIPAA violations can be severe and may include fines or jail time. Fines may range from $100 to $50,000 per violation, depending on whether the person unknowingly violated the law or if it involved willful neglect. If the violation is deemed willful neglect and is not corrected as requested, the fine can reach a maximum of $1.5 million annually.
People who knowingly obtain and disclose PHI may face up to 1 year in prison. For those who intend malicious harm, the maximum term increases to 10 years.
If a breach is made public, providers suffer reputational damage and diminished patient trust. The result is often loss of patients and referrals, as well as operational burdens from investigations and the implementation of corrective action plans.
Best Practices for HIPAA-Compliant Call Handling
One of the most essential practices when providing patient information over the phone is to disclose only what is necessary. If possible, obtain patient consent and ask whether they want to place any restrictions on phone conversations or family members.
Always verify the identity of the person on the other end of the phone and make any calls that may include PHI in a private setting. Only disclose information consistent with a patient’s consent. If a family member requests more than the patient permitted, explain why you cannot provide it. If possible, let the patient know about the call.
Checklist: Is Your Call Handling HIPAA Safe?
Essentials for your call-handling HIPAA checklist include addressing proactive measures to avoid common HIPAA violations. The basics include:
- The Minimum Necessary Rule
- Patient Consent & Authorization
- HIPAA Protocol for Voicemail & Messages
- Encryption, Access Control, & Secure Storage
- Identification & Verification
- Reasonable Privacy Safeguards
At notifyMD®, we take our clients’ HIPAA compliance seriously. As the first medical answering service to gain HITRUST certification, the gold standard for data security and risk management in the healthcare industry, medical providers count on our stringent security measures to keep their patients’ PHI safe and protected during every call and communication. To learn more about our medical answering service, contact notifyMD® today.
844-8-NOTIFY