Is it against HIPAA to give results over the phone?

No, it is not necessarily against HIPAA to give results over the phone. Still, it requires careful adherence to specific guidelines. Healthcare providers must ensure they have patient consent, verify the patient's identity, maintain privacy during the call, and document the conversation. Additionally, sensitive information may warrant more secure communication methods, and state laws or patient preferences should also be considered to ensure full compliance.

Understanding HIPAA and phone communication

HIPAA was enacted to protect patient information, and its rules apply to all forms of communication, including phone calls. According to the HHS, "The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI."

When providing results over the phone, healthcare providers must take specific steps to protect patient privacy and comply with HIPAA regulations.

Guidelines for giving results over the phone

Patient consent

Healthcare organizations must have the patient’s explicit or implied consent before sharing results over the phone. Explicit consent is straightforward, where a patient has directly given permission. Implied consent can be inferred in routine follow-ups where the patient expects a phone call. If there’s any uncertainty, it's safer to obtain explicit consent, especially for sensitive results.

Related: Patient consent: What you need to know

Verification of identity

One of the steps in ensuring HIPAA compliance is verifying the identity of the person on the other end of the call. That can be done by asking for personal identifiers such as the patient’s date of birth, patient ID number, or the last four digits of their Social Security number. 

Maintaining privacy

The environment from which the call is made should be private to prevent unauthorized individuals from overhearing the conversation. Avoid public spaces, use private offices, and be mindful of who might be nearby. The caller and the patient should be in environments where their conversation cannot be overheard.

Documenting the call

Healthcare providers should document the details of the phone call, including the date, time, who was involved, and the information shared. This record is needed for accountability and can serve as evidence that proper protocols were followed if there’s a question about the conversation.

Additional considerations

• Sensitive information: Not all results are the same. For highly sensitive results, such as those involving mental health, HIV status, or genetic information, alternative communication methods might be more appropriate. If there is any concern about the sensitivity of the information, it might be better to arrange for the patient to come in person or use a secure messaging platform.
• State laws: HIPAA sets a federal standard, but state laws can impose stricter regulations on the communication of medical information. Healthcare providers should be familiar with the laws in their state and ensure they comply with federal and state regulations.
• Patient preferences: Patients can request how they receive their medical information. Some may prefer to receive results in writing or in person, while others may be comfortable with phone communication. 
• Risks and potential violations: Common mistakes that can lead to HIPAA violations include failing to verify the identity of the person on the phone, discussing results in a non-private setting, or not obtaining proper consent. These oversights can result in breaches of patient privacy and lead to serious consequences, including fines and damage to the healthcare provider’s reputation.

Related: Navigating HIPAA for covered entities

FAQs

Can family members receive medical results over the phone on behalf of a patient?

Only if the patient has provided prior authorization or if the family member is listed as an authorized representative. Verify the identity of the family member and ensure this authorization is documented.

Is it permissible to schedule a follow-up appointment while giving results over the phone?

Scheduling a follow-up appointment is permissible and can be done during the same call, as long as patient privacy is maintained and no unnecessary information is shared during the scheduling process.

Can I discuss multiple patients’ results in a single phone call?

No, discussing results for multiple patients in a single call is not HIPAA compliant. Each patient's information must be handled in separate, private conversations to ensure confidentiality.