As of September 23rd, 2013, the Department of Health & Human Services Civil Division began enforcing the Omnibus Rule, which expands the scope and depth of the HIPAA / HITECH violations and penalties enacted on April 20th, 2005, as well as the HITECH Act, effective as of November 30th, 2010. These acts carry serious violation penalties that many healthcare organizations, as well as their business associates such as answering services and call centers, may be violating on a daily basis, many without fully understanding the requirements and breach ramifications. takes HIPAA / HITECH compliance seriously.

HIPAA Fines Related to Medical Answering Services

You must ensure that your own internal communications and your current answering service or call center are compliant. Here is a quick start for your internal audit.

  • Secure emails & SMS texts
  • Business Associate Agreements in place
  • Documented HIPAA Compliance Officer
  • HIPAA Breach Notification Procedure
  • Storage & Security of all Personal Health Information (PHI)

HIPAA Fines Breakdown

Each violation can introduce fines from $100 per violation up to an annual maximum of $1.5 million. The Department of Health & Human Services has started enforcing HIPAA / HITECH laws by imposing drastic and maximum penalties in order to force global compliance.

See the information below about the HHS fine and penalty enforcement tiers. The table is taken from the American Medical Association’s website.

| HIPAA Violation | Minimum Penalty | Maximum Penalty |
|---|---|---|
| Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million |

Frequently Asked Questions

How Can I Verify that the Phone Answering Service and Messaging Meet Requirements?

As their client, you can simply phone your current call center and ask. But first, get informed about the regulations relevant to every medical answering service, and then ask the following:

– Who is your HIPAA Compliance Officer?
– Are customer service agents trained in HIPAA / HITECH / Omnibus?
– When was the last documented training, and how often is the training renewed?
– Is your e-mail and text solution secured with encryption and password protection?
– Does your medical office use Windows XP or any earlier version of Windows?
– Does your answering service software have the ability to audit logins in real time and block unauthorized users to prevent PHI breaches?
– What physical security measures are in place to protect medical information?
– Will you sign our Business Associate Agreement?
– Are you properly storing, transmitting, and destroying all messages as required by the Health Insurance Portability and Accountability Act?

If your current answering service does not have an immediate answer to the questions above, then we suggest looking for a new HIPAA-compliant medical answering service. As the covered entity, you must make sure that the answering service is HIPAA compliant or risk violations, fines, and possible criminal charges.

What are the consequences if medical professionals do not use a HIPAA-compliant answering service?

Based upon HHS requirements and documented fines from PHI breaches, you are exposing your business to hefty fines and/or criminal charges. Penalties depend on the extent of the breach and on whether there is evidence of willful neglect. Violations put patient data at risk, and other expensive liability issues can result. Of course, news of HIPAA violations damages the reputation of healthcare entities and may negatively impact stakeholders’ and patients’ decisions in the future.

Is alpha paging and/or numeric paging to medical professionals HIPAA compliant?

No. Any traditional method like paging is not secure for transmitting PHI and is therefore NOT HIPAA compliant. This is due to the lack of encryption and password protection. Any transmitted patient name or phone number – even for the purpose of appointment scheduling – that could be linked with medical relevance is considered PHI and needs the proper protections defined by HIPAA.

Does an answering service have to be HIPAA compliant?

Yes. Your medical office is defined as the covered entity. A live answering service is a business associate hired to capture protected health information and to store and transmit it digitally, which is defined as ePHI. The HIPAA Privacy and Security Rules outline specific requirements for handling and transmitting ePHI.

Therefore, all medical answering services that store and transmit PHI and ePHI must comply with HIPAA regulations, and customer service agents must be trained to follow HIPAA compliance policies. It is also the responsibility of your organization to perform a risk analysis of your current answering service to identify possible HIPAA violations and vulnerable breach points.