Pay attention to content of phone messages

Honor patient requests for phone privacy

Calling to remind patients of their appointments, instructions on how to prepare the night before a procedure, or to see if patients have questions prior to surgery are important ways to keep your outpatient surgery or diagnostic testing departments' schedules on track. With the renewed focus on privacy and security of patient information, how much information can you leave on a voice mail service that may be accessed by people other than the patient?

According to a FAQ on the Office of Civil Rights website, you can leave information for patients on answering machines or voice mail systems, but to safeguard their privacy, you should limit information to only what is needed to confirm an appointment. If more information is needed, ask the patient to return the call.

Although you can leave a message, pay attention to some diagnoses that are covered by more stringent privacy laws, says Vicki Hohner, MBA, senior HIPAA consultant, Fox Systems, a Scottsdale, AZ-based consulting firm specializing in health information technology implementation in health care. "Some diagnoses, conditions and services, such as HIV/AIDS, reproductive health, and mental health or drug and alcohol diagnoses and treatment are covered under more stringent state and federal privacy laws and may restrict what, if anything, can be communicated by phone," she says. "Other considerations such as domestic violence and protective orders may also restrict what communications can be made via phone," she adds.

It is not a bad idea to ask your patients how they want you to handle messages, either on voice mail or with another family member who answers the phone. Although the privacy rule allows providers to disclose limited information to family or friends not involved in the patient's care, it is up to the provider to use professional judgment to determine what is best for the patient.

"If other persons living in the household are involved in the patient's care and treatment, the provider may provide additional details subject to professional judgment," says Hohner. "The patient can also specifically authorize access to other persons who would potentially answer the calls," she says. Of course, if the person who would potentially receive the calls is a personal representative of the patient, through power of health care attorney or power of attorney, that person has the legal authority to access any of the patient's information as if he or she were the patient for as long as they hold that legal power, she adds.

Permissions to give information or messages to other people are not normally needed for each individual visit, but are not necessarily permanent either, says Hohner. "Time limits on each approach can be set independently and as determined by the physician and/or patient," she explains. "However, the patient has the right to revoke any of these permissions for any reason at any time," she says.

"Verification of the individual who answers the telephone is not necessarily required under HIPAA, but many providers have instituted verification practices, at least in the office setting, to avoid medical identity theft and other potential inappropriate disclosures such as those related to domestic violence or child abuse," says Hohner. "It is at the discretion of the provider to obtain further verification if desired or required by other law or professional practice," she says. Some providers only leave messages when the patient is identified by name on the voice mail or answering machine.

[For more information about HIPAA privacy rules, contact:

Vicki Hohner, MBA, Senior Consultant, FOX Systems, 6263 N. Scottsdale Rd. Ste. 200, Scottsdale, AZ 85250. Phone: (480) 423-8184. Fax (480) 423-8108. E-mail:]


To see answers to frequently asked questions related to HIPAA privacy and security, go to, and enter keywords to search for answers.


• National Institute of Standards and Tech nology's free Special Publication 800-30, Risk Management Guide for Information Technology, can be accessed at

• A list of Department of Health and Hu man Services' Regional Extension Centers can be found at, selecting "HITECH Programs" on the left navigation bar and choosing "Health Information Technology Extension \ Program."

• A list of certification rules and programs for electronic health records can be found at Select "Regula tions and Guidance," then "Standards and Certification," and "Certification Programs."

• The health information technology association, Healthcare Information Management and Systems Society (HIMSS) offers the Meaningful Use OneSource, a compilation of documents, tools, and links to other resources related to Meaningful Use and Certification Criteria and Standards. Go to, and choose from the left navigation bar.

• Free tools to help health care organizations track the requirements for EHR incentive payments can be found at Select "Free EHR Tools" at the bottom of the page.