Everything You Need to Know About HIPAA Phone Laws
Imagine having a great visit with a patient, but you forget to show them a copy of their records. You decide to use your phone to take a picture and text it to them.
That sounds great until you consider if you're breaking HIPAA phone laws. Before you use your phone to communicate patient information, you should know how to comply with HIPAA.
Keep reading to learn the basics and get some tips to stay compliant.
Overview of HIPAA Rules
To understand HIPAA phone laws, you should start with the basics. The HIPAA Privacy Rule covers how to protect patient information, from their names to their medical records.
This rule first came out in 2000, and it's had multiple updates over the years. Updates help make the rule better for patients and medical professionals.
You also have to follow the HIPAA Security Rule. This rule specifically focuses on protecting electronic health data, and using phones to communicate with patients or other providers falls under that.
Covered entities refer to the people and organizations that must comply with HIPAA. Examples of covered entities include doctors, nurses, and other medical practitioners.
However, health insurance companies and clearinghouses also must follow HIPAA rules. Business associates are entities that help other covered entities do their jobs, so this could include consultants and independent transcriptionists.
As a covered entity, you can only disclose protected health information (PHI) in certain scenarios. You can only disclose the details when speaking with the patient or other providers who need to know the information.
HIPAA and Phone Calls to Patients
The HIPAA phone laws are similar to general HIPAA rules. However, things can be a bit confusing when it comes to whether or not a patient has given you permission to call them.
It's usually safe for a medical professional to call a patient who has given their phone number. Your phone call can only be for certain things, such as to schedule appointments or to provide lab results.
Sharing pre-op instructions or post-op care details is also okay. Another HIPAA-compliant reason for a phone call is to update a patient on their prescriptions.
Federal and State Laws
Covered entities need to understand how federal and state laws can affect phone calls under HIPAA. For example, you can't make certain robocalls, but you can use automatic messages to remind patients about upcoming appointments.
There are also laws that restrict the type of data you can give over the phone. Without specific permission, you can't disclose medical records for patients undergoing substance abuse treatment or other mental health treatment.
You'll also need to be careful if you have patients whose numbers are on do-not-call lists. Be sure to talk to an expert in your city or state to learn how the laws affect your practice.
Do Phone Calls Comply With HIPAA?
Phone calls can comply with HIPAA, but you need to follow certain rules. The most significant restriction is that you must obtain consent from the patient to call them about a specific issue.
These rules apply to landline and cell phone numbers. However, you should be careful when using a cell phone. If you store contact information for patients, that can be a problem if you lose the device.
Before you add patients as contacts in your phone, be sure you protect the data. For example, you might set up the option to disable the device remotely in case you can't find it.
Giving Information Over the Phone
Whether you use a second phone number for HIPAA or not, you can give information over the phone. However, you'll need to confirm you're speaking with the patient or an authorized representative, such as a parent.
Medical providers can ask for the patient's date of birth, for example. You might also need to confirm you're speaking with an interpreter, such as if you have a deaf patient.
If there's any question regarding who you're speaking with, don't be afraid to ask more questions. That way, you can comply with HIPAA phone laws and other rules.
For adult patients, be sure you get their consent regarding who you can talk to about their medical records. Some patients may give the name of a partner or another relative, but some won't.
Covered entities need to set up their own rules regarding the communication of PHI. You can be as strict as you want when it comes to verifying patient identities or other processes.
At the very least, your rules need to follow HIPAA. But that means the rules you follow could differ from the rules of another hospital, and that's okay.
Risks of Using Phones
Using the phone to talk about health data comes with some risks. Landlines are usually pretty secure, assuming you use a HIPAA-compliant phone service.
However, mobile phones come with more potential problems. For example, you might not always encrypt the text messages you send, which means your message is vulnerable to hackers.
Also, you can lose your phone if you leave it somewhere, or someone could steal it. If you use your personal phone, even with a second phone number for HIPAA, you shouldn't share the device with anyone.
Here are a few more risks of using cell phones when it comes to complying with HIPAA.
If a patient or colleague asks for a copy of medical records, you may want to take a picture of them. However, doing so with your standard phone camera isn't very safe.
Any photo on your camera roll with identifying information falls under electronic PHI (ePHI). Identifying details aren't limited to the patient's name.
If you must take a photo, use an app that won't save the image to your camera roll. Then, you can use an encrypted messaging app to send the photo to whoever needs it.
Sure, you can use your regular camera roll, but consider where that image goes. Many phones automatically upload photos to a cloud storage system, so you'll need to delete any images from there as well.
Whether they involve photos or not, you might need to text another medical professional or covered entity. As mentioned, it's not always easy to remember to encrypt messages on your phone.
To make sure your texts comply with HIPAA, use a special app. The right app will encrypt your data, and it won't store the message on servers that hackers can get to.
In this day and age, texting is common and convenient for a lot of people. However, you need to follow some extra steps when texting about patients to keep from breaking the law.
Of course, you can avoid all of this by not texting. At the very least, use HIPAA phone numbers specifically for work so that you don't mix up the messages with your personal texts.
If you're ever out and about, you might want to check your work messages or email. However, doing so poses a risk when it comes to staying HIPAA compliant.
Public WiFi networks are a common place for hackers to see what you're viewing. You should only access patient information when you're on a secure network.
At the very least, you'll want to make sure the information is protected with encryption. If it's not, anyone on the same network could intercept your messages and take the information.
Then, you'd be violating HIPAA, even though you thought you were the only one reading those messages.
Cloud storage offers a lot of benefits, such as the ability to access information from any device. However, that can also make it risky for covered entities to use.
If you store any PHI in the cloud, anyone with access to the server could get to the data. This includes photos that your phone uploads to the cloud or documents you store there.
Cloud storage is particularly nice for mobile phones because you can access the data out of the office. Unfortunately, that means anyone who can get into your account can view those documents.
When setting up a second phone line for HIPAA compliance, avoid using the cloud. It comes in handy, but it's not always worth the risk of a data breach.
How to Comply With HIPAA Phone Laws
Complying with HIPAA phone laws doesn't have to be an inconvenience. But you do need to take some extra steps to protect the data that you store or access on your device.
Consider the following tips to protect yourself, your coworkers, and your patients.
Use Secure Apps
You can use virtual phone numbers to text or call your patients or coworkers. Look for virtual numbers that work in a secure app that the developer designed to comply with HIPAA.
Using a separate app can reduce the chance of you accidentally texting the wrong person about a patient's data. You can also use secure apps to automatically delete photos after you take them.
The right apps will also encrypt your text messages so that you stay in compliance with the law. Be sure to test a few apps to see which meet your needs.
Create Strong Passwords
You should choose a strong password for your device and any accounts on the device. If you have an iPhone, the default passcode is a six-digit code, but you can create a longer one.
Having a strong password for your device can help keep others from getting into it. The same is true of specific apps you use to communicate with patients or colleagues.
To help keep your device secure, change the password every few months. That can be annoying, but it can reduce the chances of a hacker learning your password.
Update the Software Regularly
Another thing to do is to update your phone's operating system whenever there's a new update. Don't wait too long to update because the older version could lose support.
Also, some updates happen due to security risks. Using the most up-to-date version of your phone's software can help you protect the data on your phone.
You should also update the apps you use for HIPAA compliance whenever they have updates. Check the app store regularly or set up automatic updates on your device.
Don't Share Devices
It sounds simple, but don't let anyone else use a device that you use to communicate at work. This includes your partner, kids, and coworkers.
If you let someone use your phone, they could get into the apps you use to message patients. Then, someone could see the patient's PHI, either intentionally or by accident.
Either way, that would be a HIPAA violation, and it's not worth it. If you know your kids like to use your phone, consider using a second device for work to protect yourself and your patients.
Store Devices Smartly
When you're not using a device, you should store it somewhere safe. If you have a second phone that you only use for work, consider locking it up somewhere in your office.
If you use a phone that you take home, you may want to store it in a safe or something similar at home. Then, you can still use it outside of work, but you can keep people from taking it when you're sleeping.
Wipe Old Phones
Before you upgrade to a new phone, wipe the phone of any data you can. Delete any images and messages you don't need, and send the info you do need to your new phone.
Then, reset the phone to its original settings and make sure all of the data is gone. That way, you can make sure you won't accidentally give the new owner access to your patient documents.
Even if you'll toss or recycle a device, you never know who may try to use it. It's better to be safe than sorry and to spend a few extra minutes deleting confidential information.
Comply With HIPAA Phone Laws Today
HIPAA phone laws aren't a separate set of regulations, but the law does have rules that affect how covered entities use their phones. If you want to text coworkers or patients, you can.
However, you'll need to use a secure app that encrypts those messages. Keep that and other restrictions in mind to keep from violating HIPAA.
Do you want a new number for communicating with others at work? View our pricing and choose the plan for you.