As of September 23rd 2013, the Department of Health & Human Services Civil Division began enforcing the Omnibus rule, which expands the scope and depth of the HIPAA / HITECH violations and penalties enacted from April 20th, 2005, as well as the HITECH Act, effective as of November 30th, 2010. These acts carry serious violation penalties that many healthcare organizations, as well as their business associates such as answering services and call centers, may be violating on a daily basis, many without fully understanding the requirements and the ramifications of a breach. PatientCalls.com takes HIPAA / HITECH compliance seriously.

HIPAA Fines Related to Medical Answering Services

You must ensure that your own internal communications and your current answering service or call center are compliant. Here is a quick start for your internal audit.

  • Secure emails & SMS texts
  • Business Associate Agreements in place
  • Documented HIPAA Compliance Officer
  • HIPAA Breach Notification Procedure
  • Storage & Security of all Personal Health Information (PHI)

HIPAA Fines Breakdown

Each violation can introduce fines from $100 per violation up to an annual maximum of $1.5 million. The Department of Health & Human Services has started enforcing HIPAA / HITECH laws by imposing drastic and maximum penalties in order to force compliance across the industry.

The table below summarizes the HHS fine and penalty structure, as published on the American Medical Association’s website.

| HIPAA Violation | Minimum Penalty | Maximum Penalty |
|---|---|---|
| Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million |

Frequently Asked Questions

How do I know if my current answering service is HIPAA compliant?

The answer is simple: call your current answering service and ask them. But first, make sure you educate yourself about a few basic HIPAA requirements, listed below, that every answering service should understand.

– Who is your HIPAA Compliance Officer?
– Have your agents been trained in HIPAA / HITECH / OMNIBUS?
– When was the last documented training and how often is the training refreshed?
– Is your e-mail and text solution secure with encryption and/or password protection?
– Does your office use Windows XP or any earlier version of Windows?
– Auditing logins – Does your answering service software have the ability to audit logins in real-time and prevent unauthorized users which would result in PHI breaches?
– What prevents one of your employees from stealing a PC that stores PHI information on it?
– Are you willing to sign our Business Associate Agreement?
– Are you properly storing, transmitting, and destroying all messages within the system which contain PHI, as required by HIPAA guidelines?

If your current answering service does not have an immediate answer to the questions above, then we suggest looking for a new HIPAA-compliant medical answering service.

The requirements of HIPAA are far more detailed than the above eight questions. If your current answering service does not have clear or immediate answers, then there is a high probability that they are currently not HIPAA compliant.

As the covered entity, you must ask yourself whether you are prepared to give your answering service more time to become HIPAA compliant and, in the meantime, risk violations, fines, and possible criminal charges.

Are there consequences if a covered entity does not use a HIPAA-compliant answering service?

Based upon HHS requirements and documented fines from PHI breaches, you are exposing your business and your personal wellbeing to hefty fines and/or criminal charges, depending on the severity of the breach and on whether the violations are deemed the result of willful neglect.

Is alpha paging and/or numeric paging HIPAA compliant?

No. Any traditional transmission method such as alphanumeric paging is not considered secure and is therefore NOT HIPAA compliant. This is due to the absence of encryption and password protection for the PHI being transmitted electronically.

Some answering services and medical offices, fearing the loss of this antiquated technology, have revised their policies to allow transmission of only the patient’s name and telephone number. The argument is that a patient’s name and telephone number are not considered PHI, since that information can be found in public listings.

In principle, we agree with the assessment that information obtainable from public sources would not, on its own, be deemed PHI. HOWEVER, once a name and phone number can be linked to anything of medical relevance, then that publicly available information, even transmitted in its simplest form, is considered PHI and requires the security and protection defined by HIPAA.

Does an answering service have to be HIPAA compliant?

Yes. Your organization, defined as the covered entity, hires the answering service to capture PHI verbally and to store and transmit PHI in electronic form, defined as ePHI. The Final Omnibus Rule provides specific requirements for handling and transmitting ePHI.

Therefore, all medical answering services that store and transmit protected health information (PHI/ePHI) must maintain HIPAA compliance at all times.

It is also the responsibility of your organization, as the covered entity, to perform a risk analysis of your current answering service in order to identify the points at which PHI could be breached while being stored or transmitted.