Not Tied Down, Part 3: HIPAA & Phone Systems
By Andrew Bundy
In the Mission: Impossible movies, Tom Cruise walks into a phone booth or picks up a burner cell phone, calls his bosses at IMF, and says “Go secure.”
There are a series of clicks and beeps, and then the person on the other end confirms that the line is secure. If Cruise can’t get a secure line, he quickly relays his message and then snaps the cell phone (usually a flip phone for convenience’s sake) and throws both pieces in different directions.
So, in the Age of HIPAA, do you have to snap your cell phone in half every time you make a call to a client?
Finding a phone system that works with a busy mental health practice is difficult enough, but making sure the practice maintains HIPAA compliance adds another level of difficulty.
Fortunately, there are programs that are already HIPAA compliant, and some workarounds that keep a practice compliant even if the phone system is not advertised as HIPAA compliant.
A blog post by Dr. David Craig repeated the chilling phrase, “There is no such thing as a HIPAA-compliant phone, just like there is no such thing as a phone that is non-HIPAA-compliant. Everything depends on the processes that you have designed and your policies surrounding them.”
With that in mind, even if your phone program is not itself HIPAA compliant, having the right processes can protect you. Craig recommends evaluating potential risks, implementing appropriate security measures, and documenting those security measures.
Know the Law
According to the CDC, the main focus of the HIPAA law is the Privacy Rule standards, which “…address the use and disclosure of individuals’ health information by entities subject to the Privacy Rule.
The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used.
A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being.”
As a therapist in a busy mental health practice, keeping information secure and avoiding the $100-to-$50,000 fine for a breach in the “could not have been avoided with reasonable care” category (basically, “Stuff happens, and you couldn’t stop it, but you still need to pay for it anyway!”) can be overly stressful.
A recent blog post covered the HIPAA compliance issues with email, but phones have some nuances that can’t be covered by the email signature Get-Out-Of-Jail-Free Card.
Phones and HIPAA
There are certain phone calls that are covered under HIPAA. According to The Compliancy Group, the obvious calls of health checkups, appointment scheduling and reminders, lab test results, prescription information, and most healthcare instructions are HIPAA-covered calls. The FCC recommends that calls are kept to 60 seconds and texts stick to 160 characters.
According to Business.com, there are some key factors to HIPAA and phone services. The system needs to control who has access to the information. Access needs to be authenticated by the office. It has to be secure both in transmission and on the workstation or device used by the healthcare provider. Finally, there has to be a way to audit that information.
If a good policy is in place and passwords are used to access information, then there’s a good chance your phone system is already compliant. Having a “This call may be recorded for quality assurance purposes” warning, and the recording system behind it, improves your ability to audit the phones.
So, at a bare minimum, don’t make patient calls from the last payphone left in the city, hoping that saying “Go secure” fixes all your problems. Also, once your practice comes up with a policy, make sure it is well-documented and easily accessible to everyone in your company.
What to do
First, make sure that the program you’re using has encryption technology like a virtual private network (VPN) or Transport Layer Security (TLS).
Also make sure that the phone systems – and even the phones themselves – have unique user IDs and passwords. It is best to have your phone secured and then the programs that access PHI hidden behind another layer of security. It is also a good idea to set your phone to wipe its storage if someone enters an incorrect lock code or password too many times.
You also want to keep detailed records of calls and other information going out on your phone system. Documentation to prove you have done everything humanly (and technologically) possible to protect PHI is necessary to protect yourself and your practice.
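To make the controls in this section concrete, here is an added example (not code from the blog or from any product it mentions) that models three of them in Python: the wipe-after-too-many-wrong-codes setting, per-user records of every call, and a way to show the records have not been altered after the fact. The lockout threshold, the 60-second call limit taken from the FCC guidance quoted earlier, the hash chaining of the log entries, and the sample calls are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed policy values for this example (not from the blog).
MAX_FAILED_UNLOCKS = 5      # wipe the device after this many wrong codes
CALL_LIMIT_SECONDS = 60     # the FCC guidance the post cites


class DeviceLock:
    """Models the 'wipe after too many wrong lock codes' setting."""

    def __init__(self, lock_code: str, max_failed: int = MAX_FAILED_UNLOCKS):
        # Keep only a hash of the code, never the code itself.
        self._code_hash = hashlib.sha256(lock_code.encode()).digest()
        self.max_failed = max_failed
        self.failed = 0
        self.wiped = False

    def attempt(self, code: str) -> str:
        """Return 'unlocked', 'locked' or 'wiped' for one unlock attempt."""
        if self.wiped:
            return "wiped"
        candidate = hashlib.sha256(code.encode()).digest()
        if hmac.compare_digest(candidate, self._code_hash):
            self.failed = 0
            return "unlocked"
        self.failed += 1
        if self.failed >= self.max_failed:
            self.wiped = True       # simulated wipe: the device is unusable
            return "wiped"
        return "locked"


class CallAuditLog:
    """Hash-chained call records: each entry commits to the previous one,
    so an edited or deleted entry is detectable. The chaining is a design
    choice added here, not something the post prescribes."""

    GENESIS = "0" * 64

    def __init__(self, pseudonym_key: bytes):
        self._key = pseudonym_key
        self.entries: list[dict] = []

    def _patient_ref(self, phone_number: str) -> str:
        # Keyed hash so the log itself does not hold the raw phone number.
        mac = hmac.new(self._key, phone_number.encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    @staticmethod
    def _digest(entry: dict) -> str:
        fields = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def record(self, user_id, patient_phone, direction, seconds, transport, when=None):
        when = when or datetime.now(timezone.utc)
        entry = {
            "time": when.isoformat(),
            "user": user_id,                 # unique user ID, never a shared login
            "patient": self._patient_ref(patient_phone),
            "direction": direction,
            "seconds": seconds,
            "transport": transport,
            "over_limit": seconds > CALL_LIMIT_SECONDS,
            "encrypted": transport in ("TLS", "VPN"),
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry still matches its own hash and the chain."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def exceptions(self) -> list:
        """Entries a compliance review would look at first."""
        return [e for e in self.entries if e["over_limit"] or not e["encrypted"]]


def build_sample_log() -> CallAuditLog:
    """Constructed sample data: two calls, one of them over the limit and unencrypted."""
    log = CallAuditLog(pseudonym_key=b"constructed-demo-key")
    t = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    log.record("therapist-01", "555-0100", "outbound", 45, "TLS", when=t)
    log.record("frontdesk-02", "555-0101", "outbound", 95, "PSTN", when=t)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify(), "| flagged calls:", len(log.exceptions()))
```

The `exceptions()` list is what the post's "documentation to prove you have done everything possible" turns into in practice: a reviewable record of which calls left the protected path, tied to a named user, with the chain check showing the record itself was not edited afterward.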
Finally, as the Hitchhiker’s Guide to the Galaxy said in large, friendly letters, “Don’t panic.” Most phone systems marketed to therapy and medical practices have plans and policies that help protect the user from HIPAA-related infractions. Some phone systems, such as Google Voice, work better as a general number, but more secure information can be sent through the practice’s electronic health management system or another secure program.
A patient already gives you permission to contact them by giving you their phone number, so they are already connected with you. You just have to make sure that everything is clean on your end.
And most of the time, the messages you leave with a patient will be vague enough that an occasional wrong number due to transposing a couple of digits won’t be a problem. Everyone has called the wrong number, and most people know that if the call isn’t for them, they should ignore it.
The main thing that a therapy practice should do when choosing a phone system is to make sure they have reasonable policies in place to cover secure information. As long as everyone knows the policy and follows that policy, there will be few problems. A little vigilance will go a long way, and you won’t have to snap your cell phone like Tom Cruise.
Disclaimer: Products listed in this blog are for example purposes only. This should not be read as an endorsement by Move Forward Virtual Assistants, LLC, or its affiliates.