No, it is not necessarily against HIPAA to give results over the phone. Still, it requires careful adherence to specific guidelines. Healthcare providers must ensure they have patient consent, verify the patient's identity, maintain privacy during the call, and document the conversation. Additionally, sensitive information may warrant more secure communication methods, and state laws or patient preferences should also be considered to ensure full compliance.
HIPAA was enacted to protect patient information, and its rules apply to all forms of communication, including phone calls. According to the HHS, "The Security Rule's confidentiality requirements support the Privacy Rule's prohibitions against improper uses and disclosures of PHI."
When providing results over the phone, healthcare providers must take specific steps to protect patient privacy and comply with HIPAA regulations.
Healthcare organizations must have the patient’s explicit or implied consent before sharing results over the phone. Explicit consent is straightforward, where a patient has directly given permission. Implied consent can be inferred in routine follow-ups where the patient expects a phone call. If there’s any uncertainty, it's safer to obtain explicit consent, especially for sensitive results.
Related: Patient consent: What you need to know
One of the steps in ensuring HIPAA compliance is verifying the identity of the person on the other end of the call. That can be done by asking for personal identifiers such as the patient’s date of birth, patient ID number, or the last four digits of their Social Security number.
The environment from which the call is made should be private to prevent unauthorized individuals from overhearing the conversation. Avoid public spaces, use private offices, and be mindful of who might be nearby. The caller and the patient should be in environments where their conversation cannot be overheard.
Healthcare providers should document the details of the phone call, including the date, time, who was involved, and the information shared. This record is needed for accountability and can serve as evidence that proper protocols were followed if there’s a question about the conversation.
Related: Navigating HIPAA for covered entities
Only if the patient has provided prior authorization or if the family member is listed as an authorized representative. Verify the identity of the family member and ensure this authorization is documented.
Scheduling a follow-up appointment is permissible and can be done during the same call, as long as patient privacy is maintained and no unnecessary information is shared during the scheduling process.
No, discussing results for multiple patients in a single call is not HIPAA compliant. Each patient's information must be handled in separate, private conversations to ensure confidentiality.