Does an answering service have to be HIPAA compliant?
Yes. Your medical office is defined as the covered entity. A live answering service is a business associate hired to capture protected health information (PHI) and to store and transmit it digitally; PHI stored or transmitted digitally is defined as ePHI. The HIPAA Privacy and Security Rules outline specific requirements for handling and transmitting ePHI.
Therefore, all medical answering services that store and transmit PHI and ePHI must comply with HIPAA regulations, and customer service agents must be trained to follow HIPAA compliance policies. It is also the responsibility of your organization to perform a risk analysis of your current answering service to identify possible HIPAA violations and vulnerable breach points.