Hey answering services: You, too, are ruled by HIPAA compliance


Answering services and HIPAA compliance

Answering services are frequently used by doctors’ offices and practices to take down patient messages and pass them on to the doctor later. Often, the service simply texts the doctor the patient’s name and phone number. So you might wonder: does this exchange between the answering service and the doctor breach the requirements of HIPAA compliance?

Do answering services have to follow HIPAA rules when they send doctors the names and phone numbers of patients? Does it matter if the doctor tells the answering service to just forward the information via text? Turns out, answering services are under the same obligation as the doctor’s office to exchange healthcare messages in a HIPAA compliant manner.

HIPAA compliance and the business associate

Why do answering services have to comply with the demands of HIPAA compliant messaging? You might assume that because the answering service is merely a contractor hired by the doctor’s office, the regulations apply only to the office. That is not the case. Because the answering service handles patient information on behalf of the doctor’s office, it is considered a “business associate” (BA) under HIPAA and must follow HIPAA’s mandates.

The Department of Health and Human Services (HHS) defines a “business associate” as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of a covered entity.

Under the Omnibus Rule issued in 2013 by the HHS Office for Civil Rights (OCR), business associates are directly liable under HIPAA for protecting PHI. The OCR also noted at the time the rule was issued that many of the most significant breaches reported to HHS involved BAs.

The result is that answering services cannot send unsecured text messages containing PHI to the doctor’s office that hired them.

The anatomy of a HIPAA violation

So what parts of the message that an answering service sends need to follow HIPAA? According to HIPAA lawyer and scholar Matt Fisher:

The name and phone number [sent by the answering service to the physician] are PHI. Especially since it’s an answering service transferring the information to a physician, it’s assumed to be patient information. I wouldn’t send it over iMessage. That’s inappropriate… Even if it’s just a phone number, it’s still PHI.

Since both the patient’s name and phone number are considered PHI under HIPAA, answering services have to be very careful about how they get patient information to the doctor. Plain text messaging or Facebook messaging won’t do.

Taking a gamble

The physician’s office is taking a gamble when it asks the answering service to text over patient information. The office could be found liable for violating HIPAA and face civil as well as criminal penalties as a result of its request. Since the doctor’s office is the covered entity in the breach, it would be first in line for any penalties.

However, there is also a potential impact on the answering service if messages are intercepted. The OCR could pursue enforcement action against the answering service as well as the doctor’s office for the violation of patient privacy. The answering service should know that it has a responsibility to maintain patient privacy as well.

Indeed, anyone in the chain who exchanges unsecured PHI can be penalized. Everyone in the chain is taking a gamble by using regular text messaging to exchange sensitive patient information.

Conclusion

The case of the answering service shows that sending PHI by regular, unsecured text message is not permissible. If a physician asks to be sent a plain text with the patient’s name and phone number, they are asking for something they shouldn’t have, and fulfilling that request is a violation of HIPAA.

Covered entities and BAs alike are liable if either is found to exchange patient information in an unsecured manner. As such, both need to use secure messaging methods for exchanging patient information, such as those provided by OnPage.

Contact us to learn more about how to ensure your answering service uses HIPAA compliant messaging.


OnPage