As a covered entity, your organization is required to perform a risk analysis of your current answering service. It’s necessary to ensure that any third-party answering service – which stores, handles or transmits protected health information – is compliant with HIPAA regulations. 

To help you avoid fines and penalties for non-compliance, we have outlined the most common HIPAA violations currently being overlooked by covered entities. 

Top 5 HIPAA Violations Committed by Non-Compliant Answering Services 

The following violations leave organizations – and, as a consequence, the covered entities they work for – vulnerable to security breaches and at risk for HIPAA fines.  

Unsecured E-mails – Some answering services send unencrypted or non-password-protected emails containing PHI to medical offices or staff members.

Our system sends emails with password-protected PDFs over an encrypted path.

Unsecured SMS/Texts – Some answering services send text messages / SMS messages which are unencrypted or not password-protected to medical offices and staff members, including doctors, after hours. They are in violation of HIPAA if they contain PHI, such as patient names and telephone numbers.

Our system sends SMS notifications that simply prompt medical staff to view urgent messages over our encrypted and password-protected portal. This also provides accountability data regarding access to PHI and time stamps.

Alphanumeric Paging – Some answering services send PHI, such as patient names or telephone numbers, by pager. Alpha paging transmissions are not encrypted and therefore violate HIPAA regulations. In addition, alpha devices are not considered HIPAA-compliant storage devices.

Our system prohibits the use of alpha paging devices and redirects all electronically transmitted PHI to secure e-mail or SMS. This is done via our secure portal or other approved software solutions, such as, but not limited to, Gmail or Office 365.

Absence of Named HIPAA Compliancy Officer (HCO) – Some answering services do not have a defined HCO with the proper credentials and training.

PatientCalls exceeds HIPAA requirements by naming an Operational HCO and a Technical HCO.

Absence of Business Associate Agreement – Some answering services do not have signed Sub-Contractor Business Associate Agreements on file with all software vendors that have access to any PHI being stored or transmitted.

PatientCalls has BAAs and BACs in place with all clients and sub-contractors. We also post our BAA on a secure web link for all clients in their monthly invoices. This acts as our backup and binding agreement between parties in the event a BAA is lost or accidentally destroyed.

Below are a few more potential HIPAA violations that your organization should discuss with your current medical answering service.

Message Archiving – Some answering services are not properly securing, storing, and destroying PHI as required by HIPAA guidelines.

Our system stores and destroys PHI in accordance with HIPAA guidelines. We do not allow any PHI to be stored or retrieved within our voicemail system.

Agent Training – Some answering services have not provided adequate and frequent training of their staff and management.

PatientCalls starts with the basics and tests our staff periodically. We also implement daily training procedures that are fully integrated into our CRM application, requiring agents’ acknowledgment before they log off their work shift.

PHI Access Auditing – Some answering services do not properly audit or log every PHI access event, whether it results from an employee login or from customer access, verbal or electronic.

Our system provides detailed access event logs and reports to support periodic auditing. We have created cybersecurity features that block any user (employee, customer, hacker) from accessing any PHI after repeated authentication failures.

Cybersecurity – Some answering services are not properly deploying firewalls or necessary means to track and warn of cyber threats.

PatientCalls has developed a unique firewall that monitors all SMS/WEB portal traffic for malicious activity, with the ability to block IP addresses.

How Can We Help You?

Your company can avoid these compliance violations, and their related fines and penalties, by trusting an answering service which is HIPAA compliant. 

PatientCalls has taken the proper steps to ensure compliance with all HIPAA regulations and security protocols. Using our exclusive PatientNote service, you can rest assured that all data transmissions to and from PatientCalls meet or exceed all HIPAA, HITECH, and Omnibus laws and regulations. For more information, call us directly at 866-330-5481.

Frequently Asked Questions

How do I know if my current answering service is HIPAA compliant?

The answer is simple: call your current answering service and ask them. But first, please make sure that you educate yourself about a few simple HIPAA requirements, shown below, that every answering service should understand.

– Who is your HIPAA Compliance Officer?
– Have your agents been trained in HIPAA / HITECH / OMNIBUS?
– When was the last documented training and how often is the training refreshed?
– Is your e-mail and text solution secure with encryption and/or password protection?
– Does your office use Windows XP or any earlier version of Windows?
– Auditing logins – Does your answering service software have the ability to audit logins in real-time and prevent unauthorized users which would result in PHI breaches?
– What prevents one of your employees from stealing a PC that stores PHI information on it?
– Are you willing to sign our Business Associate Agreement?
– Are you properly storing, transmitting, and destroying all messages within the system which contain PHI, as required by HIPAA guidelines?

If your current answering service does not have an immediate answer to the questions above, we suggest looking for a new HIPAA-compliant medical answering service.

The requirements of HIPAA are far more detailed than the above eight questions. If your current answering service does not have clear or immediate answers, then there is a high probability that they are currently not HIPAA compliant.

As the covered entity, you must ask yourself if you are prepared to give your answering service more time to become HIPAA compliant and risk violations, fines, and possible criminal charges. 

Are there consequences if a covered entity does not use a HIPAA-compliant answering service?

Based upon HHS requirements and documented fines from PHI breaches, you are exposing your business and personal wellbeing to hefty fines and/or criminal charges, depending on the severity of the breach and on whether the violations are deemed the result of willful neglect.

Is alpha paging and/or numeric paging HIPAA compliant?

No. Any traditional transmitting method like alphanumeric paging is not considered secure and is therefore NOT HIPAA compliant. This is due to the absence of encryption and password protection for PHI being electronically transported.

Some answering services and medical offices, in fear of losing this antiquated technology, have revised their policies to allow transmission of only the patient’s name and telephone number. The argument is that a patient’s name and telephone number are not considered PHI since that information can be found in public listings.

Initially, we agree with the assessment that information obtained from public sources would not be deemed PHI. HOWEVER, once a name and phone number can be linked to anything of medical relevance, that publicly available information, even when transmitted in its simplest form, becomes PHI and requires proper security and protection as defined by HIPAA.

Does an answering service have to be HIPAA compliant?

Yes. Your organization, defined as the covered entity, hires the answering service to capture PHI verbally and to store and transmit PHI in electronic form, defined as ePHI. The Final Omnibus Rule provides specific requirements for handling and transmitting ePHI.

Therefore, all medical answering services that store and transmit protected health information (PHI/ePHI) must maintain HIPAA compliance at all times. 

It is also the responsibility of your organization, defined as the covered entity, to perform a risk analysis of your current answering service in order to identify possible PHI breach points in how PHI is stored and transmitted.
