HIPAA – BellMedEx (https://bellmedex.com)

Front Desk HIPAA Compliance: Essential Guidelines for Healthcare Facilities
https://bellmedex.com/hipaa-front-desk-guidelines/ – Wed, 28 Aug 2024 21:02:13 +0000

There you are at the hospital, waiting your turn at the front desk. While you wait, you overhear some of the information the front desk worker is writing down from another patient before setting up their appointment.

For example, she loudly repeats the patient’s name, height, weight, blood pressure, address, age, and how many weeks pregnant she is, while everyone in the room hears the conversation.

Do you think it counts as a reception/front desk HIPAA violation?

If so, can it be mitigated?

And how?

In this blog post, we talk about what HIPAA violations are, why front desks are a common place for them to happen, what kinds of violations happen at front desks, how to stop them, and more.

Understanding HIPAA for Front Desk and Reception

The Health Insurance Portability and Accountability Act (HIPAA), administered by the US Department of Health and Human Services (HHS), was enacted in 1996. It is a federal law that governs the health care industry. It makes the healthcare system work better by setting national standards for keeping a patient’s identifiable health information private and secure when it is used in electronic transactions.

The Office for Civil Rights (OCR) enforces HIPAA and handles reports about breaches of privacy and security. OCR is only able to act if:

  • The violation took place within the last six years.
  • The organization is required by law to follow the HIPAA rules.

Common HIPAA Violations

Most common violations of HIPAA:

➜ The Department of Health and Human Services (HHS) says that one of the most common HIPAA violations is not having adequate access controls in place.

➜ Device theft is also a leading cause of the loss of protected health information (PHI) in institutions with lax security and physical device rules.

HIPAA Compliance Act Rules

HIPAA has three rules that together set the national standards for keeping patient health information safe.

1). The Privacy Rule sets the requirements for protecting all health information that can be used to identify a specific person. This includes credit card numbers, social security numbers, and medical records, which cover prescriptions, procedures, conditions, diagnoses, and more.

2). The Security Rule sets standards for safeguarding electronic protected health information (ePHI) and focuses on rules that are unique to protecting digital data.

3). The Breach Notification Rule says that covered entities and business associates must notify the government about any breach of unsecured protected health information (PHI).

What actions at the reception desk could lead to a HIPAA violation?

HIPAA Privacy and Security Rules can be broken in many ways, and even one violation by a staff member can land you in an audit by the Office for Civil Rights and a fine. Here are some common violations that happen at the front desk of a healthcare center:

⚠ A patient sheet with all of their healthcare data left in plain sight

⚠ Overheard conversations as the receptionist verifies patient details

⚠ Unturned or uncovered computer screens at the reception desk showing patient appointment data such as name, age, location, etc.

⚠ EHR and WiFi passwords written on sticky notes stuck to a board or screen in public view

⚠ Open and unattended patient files at the desk

⚠ A patient sign-in sheet placed in public view

⚠ Patient records thrown in the trash without being properly destroyed

⚠ Names, addresses, and social security numbers of patients saved within patient records

⚠ Piled copies of patients’ health insurance cards on the desk

⚠ Patient messages for the doctor noted down next to the phone

⚠ Printed prescriptions waiting for pick-up

Each of the situations mentioned above is a front desk HIPAA violation that needs to be handled carefully so that private data is not put at risk.

Why are front desks or reception areas prone to HIPAA violations?

Front desks and other greeting areas are known as places where HIPAA violations often happen, for a number of reasons. The front desk of an office is the most likely place to break HIPAA rules because all the medical records and data from a patient are right there on the counter, sometimes in plain sight. Anyone who comes to the front desk with bad motives can expose your office to severe penalties.

Many HIPAA breaches happen at front desks or reception areas for the following reasons:

  • Uneducated or untrained staff
  • Overheard conversations between patient and receptionist, receptionist and doctor, etc.
  • Unlocked computer screens displaying sensitive information
  • Uncovered or unattended documents at the front desk
  • No barriers between the waiting room and the reception area

Penalties and Criminal Charges against Front Desk HIPAA Violations

Penalties are based on how serious the violation was and are split into four tiers based on factors such as intent, number of people affected, type of violation, effects, and so on.

HIPAA breaches are punished at the following levels, enforced by the Office for Civil Rights (OCR):

Penalty Tier | Culpability Type                                    | Penalty Charged per Violation
Tier 1       | Unaware of the rule                                 | $100 – $50,000
Tier 2       | Not a deliberate violation                          | $1,000 – $50,000
Tier 3       | Willful negligence – rectified within 30 days       | $10,000 – $50,000
Tier 4       | Willful negligence – not rectified within 30 days   | $50,000

Some of the worst cases of HIPAA violations in history:

⛔ In 2015, Anthem Inc. was hit with a $115 million class-action lawsuit for putting the ePHI of about 79 million people at risk. This is considered one of the biggest healthcare data breaches ever.

⛔ Two employees of Memorial Healthcare System stole the PHI and PII of more than 115,000 patients without permission. They were charged over the internal breach, which resulted in a $5.5 million penalty.

HIPAA Rules for Clinic Front Desks and Waiting Areas

Protected health information (PHI) must be kept private and secure according to HIPAA rules. Front desk workers play a key role in making sure that HIPAA rules are followed because they are often the first point of contact with patients.

Identifying the patient

  • Use appropriate methods to verify that the patient is who they say they are (photo ID, date of birth, etc.).
  • Make sure that the patient’s information in the medical record is correct and up to date.

Maintain confidentiality

  • Protect the privacy of all PHI, such as patient names, medical problems, and treatment plans.
  • Do not talk about patient information in public or with people who are not allowed to hear it.
  • When talking about patients in public places, use code words or names.
  • If you write something on paper, put it away or turn it over.

Patient consent

  • Get permission from the patient to use and share PHI.
  • Give people a copy of the Notice of Privacy Practices and tell them what rights they have under HIPAA.

Access controls

  • Only allow authorized individuals to view PHI.
  • Make sure that computers are locked when no one is using them.
  • Make your passwords strong and change them often.

Sharing PHI

  • Only give PHI to people who are allowed to see it, as the HIPAA rules require.
  • Get the patient’s permission or agreement before disclosing information beyond what the law permits.
  • Destroy paper PHI properly to prevent unauthorized access.

Minimum necessary rule

  • Only give out the bare minimum of information needed to get the job done.
  • Do not share more private patient health information than necessary.

Safeguards for electronic PHI

  • Protect electronic data with encryption and firewalls. Put technical safeguards in place to keep electronic PHI safe from people who should not have access to it.
  • Update and patch software regularly to fix security issues and vulnerabilities.

Breach notification

  • Report any breaches of PHI to the appropriate authorities and the people who were impacted.
  • Follow the HIPAA rules for reporting a breach.

Infrastructure

  • The reception area should be separated by opaque glass so that no one else can hear or see what is being discussed.
  • To follow HIPAA’s rules for privacy, security, and breach notification, the front desk and the waiting room must be separate or an acceptable distance apart.

Training and education

  • Front desk workers should be trained on HIPAA rules and best practices on a regular basis.
  • Make sure that your team knows how important privacy is and what will happen if they break HIPAA.
  • Make employees responsible for following HIPAA rules.

Does my healthcare facility need to follow the HIPAA front desk policies?

Compliance with HIPAA rules is required for any company or healthcare facility that handles electronic Protected Health Information (ePHI). Protected Health Information (PHI) that is saved, sent, received, or put together electronically is called ePHI. This ePHI is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

The groups that must follow HIPAA rules are covered entities (anyone offering treatment, payment, or operations in healthcare) and business associates (anyone who has access to patient information and helps with treatment, payment, or operations). These include:

  • Healthcare providers (hospitals, doctors, dentists, etc.)
  • Health insurance providers
  • Healthcare clearinghouses
  • Business associates of covered entities (e.g., billing companies and document storage companies)
  • Pharmacies
  • Long-term care facilities
  • Research institutions
  • Public health authorities
  • Employers
  • Schools and universities

If you operate one of the businesses mentioned above and the compliance requirements are not fulfilled, you may be held liable for HIPAA violations.

Protect Your Company’s PHI and Get a HIPAA Check from BellMedEx

Breaches of protected health information (PHI) continue to increase, and as of 2024, 361,498 HIPAA violations have been reported to the OCR. If this is a recurring issue at your company, especially at the front desk, don’t risk expensive fines and penalties. Get your HIPAA compliance checked so that you can find, assess, and measure possible breaches and fix them quickly enough to avoid criminal prosecution.

Our auditors will check whether your organization is following the rules and make specific suggestions on how to keep your patients’ private information safe. Protect your practice by scheduling a HIPAA inspection right now.
The Ultimate Guide to HIPAA-Compliant Voicemail in 2024
https://bellmedex.com/hipaa-compliant-voicemail-guide/ – Thu, 22 Aug 2024 19:53:55 +0000

Sometimes speaking to a patient to inform them about their health condition is one of the hardest tasks to do. But using proper channels and choosing suitable words can make it easier.

This article is about communicating with patients in a way that delivers your message and keeps their privacy protected.

Voicemail is a good option for safe communication, particularly in the medical field. Voicemail that complies with HIPAA regulations protects patient privacy, which makes it superior to phone conversations or emails.

We will discuss in detail how to script HIPAA compliant voicemails and leave them for your patients. HHS (the Department of Health and Human Services) directs covered entities, i.e. healthcare providers, to leave voicemails or healthcare information only in strict adherence to HIPAA regulations.

A covered entity is defined as anyone or any group that has to comply with the rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HIPAA Compliant Voicemails: Here’s What You Need To Know

HIPAA (Health Insurance Portability and Accountability Act) is US legislation that imposes regulations for data privacy and safeguarding medical information i.e. PHI (Protected Health Information).

According to the HIPAA Privacy Rule, as HHS states, providers can communicate with a patient regarding their health, but only with limited information that does not reveal the patient’s health conditions to other members of their family without the patient’s consent.

Leaving detailed voicemails about a patient’s health can violate the HIPAA Privacy Rule; therefore, the U.S. Department of Health and Human Services (HHS) requires covered entities to limit the information left on voicemail.

As a healthcare provider, you can deliver health updates to patients at their homes over phone calls, mail, or some other medium. The Privacy Rule does not prohibit you from leaving messages for your patients on their answering machines. However, as a provider you should only disclose limited information, as discussed above, so that anyone other than the patient who hears the message cannot infer its purpose.

For example, you should only leave your name and phone number and ask the person who receives the voicemail to call you back. Leaving additional information, such as the patient’s health condition, on the answering machine can expose it to unauthorized persons and lead to a HIPAA violation.

How to Leave a HIPAA Compliant Voicemail: Explained with Examples

Leaving a HIPAA compliant voicemail is not as complicated as it seems. Simply leave a message containing limited details that only the intended receiver, or an authorized person, can understand. Written consent from your patient gives you the right to share information with someone else. However, according to the HIPAA rules, you are in violation if you do so without your patient’s permission. For more details, read our HIPAA Compliance Checklist for Medical Practices.

Examples of HIPAA Compliant Voicemails

Informing your patients by voicemail is no longer a complicated process. You simply have to keep the HIPAA privacy rules for voicemail in mind.

Example 1 – The first example here is related to informing a patient about their next appointment.

❌ Hello Mr. ABC. This is Dr. JJJ from XYZ healthcare. I am trying to reach you but it looks like you are not available at the moment. Please give me a call at 000444333 as you hear my voicemail. Thank you.

The voicemail looks suitable, but it may still breach the HIPAA Privacy Rule, as your patient might not want their name disclosed. Therefore, it is recommended not to mention your name, the patient’s name, or your practice’s name. It should be:

✔ Hello. I wanted to reach you to inform you about your next appointment, but it looks like you are not available right now. Please call me back whenever you hear this voicemail. Thank you.

Example 2 – The second example here is giving an appointment reminder to a patient who is seeing various other doctors as well.

Leaving only your number and asking the patient to call you back will not work every time; however, it is the safest route for communication.

Sometimes, a patient may be receiving treatment from more than one doctor at various facilities. Therefore, if you are calling, you should inform them about their next appointment with you in a way that only the patient can understand.

✔ Hello. Mr. DD here. I am just reaching out to remind you of your upcoming appointment tomorrow. Please call me back at 99889999 whenever you hear this voicemail for further discussion. Thank you.

Do not mention specific details about your practice or service. Discuss when the patient calls you back.

Example 3 – The third example here is related to reminding patients of their medicine prescriptions.

When you want to remind your patient to take their prescribed medicine as directed, or to provide an update about their next prescription, you will need to communicate through a phone call or voicemail.

Leaving voicemails about patient prescriptions may open the door to a HIPAA violation, but doing it in a controlled way will protect PHI. Use wording like this when leaving a voicemail:

✔ Hello. I am here to inform you about your next prescription. Call me back when you can. Thank you.

In your voicemail, don’t use a prescription number or medication name.

Example 4 – The fourth example here is informing a patient of his/her medical bills.

Communicating with your patient about billing is a sensitive matter. You have to be especially careful, as the patient would not want others to learn that they owe you money.

However, you cannot postpone collecting payment indefinitely. Therefore, you should inform them by leaving a HIPAA compliant voicemail like this:

✔ Hello. I am Mr. YYY, and I would like to remind you to review your account for any outstanding payments. Please give me a call whenever you are available to discuss it further, or pay us a visit. Thank you.

Do not include any details of the services for which the bills were charged.

HIPAA Compliant Voicemail Tips: That Every Provider Must Be Aware Of!

Here are some tips you should follow to secure your practice while complying with HIPAA regulations. These tips will also help you script HIPAA compliant voicemails exactly according to the HHS guidelines for securing PHI (Protected Health Information).

1). Leave a Callback Number Only

There is no need to give all the details and the purpose of your contact over a phone call or voicemail. Simply leave a message asking your patient to call you back at the provided number. It is the best way to follow HIPAA rules.

After receiving your message, the patient can call you back and you can talk to them directly about their health issues.

Doing so prevents other family members of the patient from learning about their PHI.

2). Do not Mention Your Practice Name

It is also recommended not to mention your name or practice details. For example, your healthcare facility may treat serious diseases such as cancer or HIV.

If the patient does not want family members to know about their health condition, mentioning your practice name will get you in trouble.

If your practice is just a primary care facility, you can mention that, but you are still in hot water if you do so without the patient’s consent.

3). Listen to the Message in Private

This tip is about how you, as a provider, secure your patients’ information when they leave a voicemail for you describing their health condition.

For security purposes, you need to listen to the voicemail privately so that even your staff do not learn the PHI. If staff accidentally overhear the message, it is still a violation of HIPAA rules.

You can provide more information in a voicemail, but only with the written consent of your patient. Have your patient sign a consent form containing a statement such as:

“I give my consent for YYY Healthcare Facility and its staff to leave specific information regarding my health (appointment scheduling, billing issues, etc.) on my voicemail at phone number 88997744.”

Once your patient has provided this signed consent form, you are not violating the HIPAA regulations if you leave more specific information regarding their health.

FAQs

What is a HIPAA Compliant Voicemail Message?

A voicemail message left by a provider without disclosing PHI, following the guidelines issued by HHS, is called a HIPAA compliant voicemail. For example, a voicemail containing only a limited amount of information that is meaningful only to the patient or a person authorized by the patient.

What is exempt from HIPAA?

Here are some exceptions:

  • Patients requesting copies of their own medical records
  • Requests for PHI (Protected Health Information) when there is a valid authorization
  • Requests for disclosure of PHI to HHS for complaint investigation, compliance review, or enforcement of procedures
  • Requests for PHI that are required by law

How to leave a HIPAA compliant voicemail?

Make sure your voicemail is HIPAA compliant by keeping it short and not referencing any specific protected health information (PHI). Just include your name, the name of the healthcare facility you are phoning from, your phone number, and a request for the patient to call you back. Don’t include any information that could be used to identify the patient, such as their illness or course of treatment.

However, if any of the following applies, you should leave out your name and the name of the healthcare facility:

➡ Certain details about the patient’s health are disclosed by the name or nature of your healthcare facility. For example, if you are phoning from a mental health facility or a substance addiction therapy center, disclosing this information could risk patient anonymity.

➡ The patient has asked you not to leave any personal information on their voicemail. In this situation, you need to honor your patient’s request and just leave a standard message requesting a callback. In these situations, you can simply say something like, “This is a message for [patient’s name]. Please call back at [phone number].”

Keep in mind that maintaining patient privacy is the main objective. If you’re unsure whether to add identifying information, it’s usually best to be safe and leave it out.


Conclusion

Leaving HIPAA compliant voicemails for your patients can increase their trust in you and your facility. Most importantly, doing so can prevent you from facing high penalties charged by HHS. We have discussed in detail how to communicate with your patients according to HIPAA regulations, and also provided some useful examples.