Does a medical answering service have to be HIPAA compliant?

Very simply, the answer is YES!

Your organization, defined as the covered entity, hires the answering service to capture PHI verbally and to store and transmit PHI in an electronic form, defined as ePHI. The Final Omnibus Ruling provides specific requirements for handling and transmitting ePHI.

Therefore, all medical answering services that store and transmit protected health information (PHI/ePHI) must maintain HIPAA compliance at all times.

It is also the responsibility of your organization, defined as the covered entity, to perform a risk analysis of your current answering service in order to determine possible PHI breach points of storing and transmitting PHI. Below are five of the most probable HIPAA violations currently being overlooked by covered entities.

Top 5 HIPAA violations currently being committed by other answering services

These security breaches not only put themselves at risk for HIPAA fines but also their clients, considered covered entities. If you currently use another answering service or call center, you may be at risk. PatientCalls is already compliant in all HIPAA regulations and security protocols. For more information, call us directly at 866-333-7922 or go here to get more information on our 14-day free answering service trial.


Unsecured Emails – If your answering service is sending unencrypted or non-password-protected emails containing PHI to your office or staff members.


Sends emails with password-protected PDFs over an encrypted path.
Unsecure SMS/Texts – If your answering service is transmitting text messages / SMS messages which are unencrypted or not password-protected and contain PHI, such as, patient name and telephone number to your office and staff members, including doctors after hours.


Sends SMS notification to view urgent messages over our encrypted and password-protected portal with the accountability of PHI being viewed with dates and time.

Alphanumeric paging – If your answering service is sending any PHI, such as patient name or telephone number. Alpha paging transmissions are not encrypted, therefore, they violate HIPAA regulations. In addition, alpha devices are not considered HIPAA-compliant storage devices.

Prohibits the use of the alpha paging devices and redirects all PHI information being transmitted electronically to secure email or SMS via our secure portal or other approved software solutions, such as, but not limited to, Gmail or Office 365.

Absence of Named HIPAA Compliancy Officer (HCO) – If your answering service does not have a defined HCO with the proper credentials and training.



Exceeds HIPAA Requirements by naming an Operational HCO and a Technical HCO.

Absence of Business Associate Agreement – If your answering service does not have signed Sub-Contractor Business Associate Agreements on file with all software vendors who have access to any personal health information being stored or transmitted.



Has BAA’s and BAC’s in place with all clients and sub-contractors as well as posts our BAA on a secure web link to all clients on their monthly invoice which acts as our backup and default and binding agreement between parties in the event a BAA is lost or accidentally destroyed.

Below are a few more potential HIPAA violations that your organization should discuss with your current medical answering service.


Message archiving – If your answering service is not properly securing, storing, and destroying PHI Information as required by HIPAA guidelines.

Stores and destroys PHI appropriately under HIPAA guidelines. We do not allow any PHI to be stored or retrieved within our voicemail system.

Agent training – If your answering service has not provided adequate and frequent training of their staff and management.




We start with the basics and test our staff periodically. PatientCalls also created daily training procedures that are fully integrated into our CRM application and of which agents must acknowledge prior to logging off of their work shift.
PHI access auditing – If your answering service is not properly auditing or logging all events of accessing PHI due to employee logins and/or customer access from a verbal or electronic perspective.


Developed detailed access event logs and reports to support periodic auditing and created cybersecurity features that block or prevent any user (employee, customer, hacker) from accessing any PHI after multiple and repeated authentication failures.

Cyber security – If your answering service is not properly deploying firewalls or necessary means to track and warn of cyber threats.



Developed a unique firewall that monitors all SMS/WEB portal traffic for malicious activity with the ability to block IPs’ attention.

With PatientCalls you no longer have to worry about your answering service is a part of these shocking statistics. Using our exclusive PatientNote service, you can rest assured that all data transmissions to and from PatientCalls meet or exceeds all HIPAA, HITECH, and Omnibus laws and regulations.

Do you already have an answering service handling your calls? Ask them if they have all HIPAA communication regulations covered by the technologies they use as well as organizational practices. If you are not satisfied with the answers you receive, contact PatientCalls right away and protect your business immediately.

Scroll to Top