It's not uncommon for doctors, nurses and receptionists to leave voicemail messages for their patients. Whether it's to remind them of an upcoming appointment, relay test results, or to see how a new medication or treatment is working. Before you call and patient and leave sensitive medical information on his or her voicemail, however, there are a few things you should know.
The Health Insurance Portability and Accountability Act (HIPAA) first took effect back in 1996, with the primary purpose of protecting the privacy of healthcare patients. It consists of several Rules that covered entities must follow to remain compliant. Among them is the HIPAA Privacy Rile, which outlines the way in which a covered entity is allowed to communicate Protected Health Information (PHI) with their patients.
Generally speaking, covered entities are prohibited from disclosing PHI without the patient's consent. If a doctor learns about a patient's illnesses and shares that information with a friend, the doctor could be found in violation of the HIPAA Privacy Rule, even if there was no ill intent behind this disclosure.
But what happens when a doctor leaves a voicemail to a patient? According to the Department of Health and Human Services (HHS), the HIPAA Privacy Rule allows covered entities to communicate to patients through phone calls, mail, email, and even voicemails. However, the HHS adds that covered entities should limit the amount of personally identifiable information that's left on patient's answering machine.
“...the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on the answering machine,” wrote the Department of Health and Human Services (HHS) on its website.
In other words, if you're going to leave a message on a patient's answering machine, make sure it contains only general information. It's perfectly acceptable to remind a patient of an upcoming appointment, for instance, but it's not a good idea to mention specific conditions, medicine and other sensitive information.
Also, keep in mind that covered entities are required by law to accommodate a patient's preference regarding method of communication when reasonable. If a patient asks to receive notifications via mail instead of email, for instance, the covered entity must oblige.