Corporate Compliance

HIPAA Q&A: Leaving PHI on voicemail

Compliance Monitor, January 4, 2012

Q. A health plan representative told our clinic that she could not include PHI in a voicemail message because our greeting does not state that voicemail is confidential. Must covered entities include a confidentiality disclaimer in their voicemail greetings?

A. A voicemail greeting does not need to include a confidentiality disclaimer. However, remember that the HIPAA Privacy and Security Rules represent the floor for privacy and security. A covered entity or business associate can elect to require more stringent privacy and security measures. This means the health plan can require a confidentiality disclaimer as part of the voicemail greeting before its representatives leave messages that contain PHI.

Editor’s note: Chris Apgar, CISSP, originally answered this question in the August 2011 Strategies for Health Care Compliance. Apgar is president of Apgar & Associates, LLC, in Portland, OR. He has more than 17 years of IT experience and specializes in security compliance, assessments, training, and strategic planning. Apgar is a board member of the Workgroup for Electronic Data Interchange and chair of the Oregon and Southwest Washington Healthcare, Privacy and Security Forum.
