Everything call centers should know about HIPAA

Does your healthcare practice use a cloud telephony software solution to communicate with patients, forward or answer calls? Or does your call center cater to the healthcare vertical? In either case, HIPAA awareness is critical for you.

We’ve compiled an exhaustive blog post on everything you need to know about HIPAA compliance for your call center or phone communications.

What is HIPAA?

HIPAA, the Health Insurance Portability and Accountability Act of 1996, is United States legislation. It sets data privacy and security requirements for the safe handling of medical information.

This act came into being after a series of health data breaches that were caused by ransomware attacks and cyberattacks on various healthcare providers and insurers. 

What does HIPAA do?

HIPAA safeguards patients’ medical records and other personal information. 

  • It protects patients’ privacy and gives them more control over their health information.
  • It holds violators accountable, with civil and criminal penalties for violating patients’ privacy rights.
  • It sets boundaries on the use and release of health records.
  • It establishes safeguards for the confidential handling of health information.

Who needs to be HIPAA compliant?

If you are a US-based healthcare provider, healthcare clearinghouse or health plan, your business, and everyone who handles your data, needs to be HIPAA compliant. This includes your call centers too—wherever they may be located.

HIPAA & Patient Telephone Calls

HIPAA changes the way you answer customer calls, store their information, and communicate key data. Your call center needs to encrypt and secure all customer data. 

HIPAA & Outbound Calls

If the patient has given you their telephone number as a contact detail, then, per the FCC, this can be considered express consent for telephone calls to be made. But you can make these outbound calls only for the following reasons:

  • Provision of treatment.
  • Health checkup.
  • Appointments and reminders.
  • Test reports.
  • Pre-operative instructions.
  • Post-discharge follow-up calls.
  • Intimations on prescriptions.
  • Home healthcare instructions.
  • Hospital pre-registration instructions.

During these calls, you need to ensure that:

  • Your call center agent provides their name and contact details to the customer.
  • Every call is short and precise.
  • Text messages do not exceed 160 characters.
  • Call centers do not call patients more than two to three times a week.
  • Text messages are sent no more than once a day.
  • Calls and text messages are not charged to the client.
  • Calls and messages adhere to the plan limits.
  • When you leave a message on an answering machine, you give the patient a toll-free number to call back.

HIPAA & Automated calls

You will need written consent from the patient to make outbound calls to them via an auto-dialing device. 


Physicians and pharmacists can continue to remind patients about appointments or medicine refills via SMS. Texts that fall under the “minimum necessary” standard are allowed. You need to follow some technical safeguards:

  • The text must not contain any personal identifiers. 
  • Patient health information should be accessible only to authorized users. Ensure that whatever software you use to send SMS can only be accessed by a secure login. 
  • Data transmission should be encrypted so that it is unusable if intercepted.
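The outbound-contact limits above (permitted reasons, two to three calls a week, one text a day, 160 characters, no personal identifiers in a text, written consent for auto-dialed calls) as a pre-send policy check; this is an added example, not code from the post or from Ozonetel. It assumes a rolling seven-day window for "a week", a hard cap of three calls, and that the caller passes in the patient identifiers a text must not contain; all sample data is constructed.

```python
from datetime import datetime, timedelta

MAX_SMS_CHARS = 160      # post: texts must not exceed 160 characters
MAX_CALLS_PER_WEEK = 3   # assumption: "two to three times a week" enforced as a cap of 3
MAX_TEXTS_PER_DAY = 1    # post: text messages can be sent just once a day
ALLOWED_PURPOSES = {     # the reasons the post lists as permitted for outbound contact
    "treatment", "health_checkup", "appointment", "test_report", "pre_operative",
    "post_discharge", "prescription", "home_healthcare", "pre_registration"}

def check_outbound(history, channel, when, purpose, text=None,
                   identifiers=(), autodialer=False, written_consent=False):
    """Return the policy violations for one proposed contact; [] means allowed.
    history: (datetime, channel) pairs already sent to this patient.
    identifiers: patient values (name, DOB, ...) that a text must not contain."""
    problems = []
    if purpose not in ALLOWED_PURPOSES:
        problems.append(f"{purpose!r} is not a permitted reason for outbound contact")
    if channel == "call":
        if autodialer and not written_consent:
            problems.append("auto-dialed calls need the patient's written consent")
        week_ago = when - timedelta(days=7)   # assumption: rolling seven-day window
        calls = [t for t, c in history if c == "call" and week_ago < t <= when]
        if len(calls) >= MAX_CALLS_PER_WEEK:
            problems.append(f"already {len(calls)} calls in the last 7 days")
    elif channel == "sms":
        if sum(1 for t, c in history if c == "sms" and t.date() == when.date()) >= MAX_TEXTS_PER_DAY:
            problems.append("a text message was already sent today")
        body = text or ""
        if len(body) > MAX_SMS_CHARS:
            problems.append(f"text is {len(body)} chars, limit {MAX_SMS_CHARS}")
        if any(i and i.lower() in body.lower() for i in identifiers):
            problems.append("text contains a personal identifier")
    return problems

def demo():
    """Constructed scenarios; returns {scenario: violations}."""
    now = datetime(2024, 3, 12, 10, 0)
    calls = [(now - timedelta(days=d), "call") for d in (1, 3, 5)]
    ident = ("Jane Doe", "1980-05-04")
    return {
        "call_ok": check_outbound(calls[:2], "call", now, "appointment"),
        "call_too_many": check_outbound(calls, "call", now, "appointment"),
        "sms_ok": check_outbound([], "sms", now, "prescription",
                                 text="Your refill is ready for pickup.", identifiers=ident),
        "sms_leaks_name": check_outbound([], "sms", now, "prescription",
                                         text="Jane Doe, your refill is ready.", identifiers=ident),
        "sms_too_long": check_outbound([], "sms", now, "appointment", text="x" * 161),
        "autodial_no_consent": check_outbound([], "call", now, "test_report", autodialer=True),
    }
```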

HIPAA and Caller Verification

HIPAA requires maximum caution when releasing patient information over a phone call. You need to confirm that the person on the other end is truly the patient. For this, it has outlined some pointers:

  • Request full name and at least two other identifiers such as date of birth, address, or contact number.
  • Request the most recent date of service or invoice number for billing questions.
  • If doubt persists, call the patient back on their authorized number.

Requests to give information to someone other than the patient should be made in writing on a letterhead.
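The verification pointers above as a decision function an agent desk or IVR could call before any PHI is read out; this is an added example, not code from the post or from Ozonetel. The record layout, treating any mismatch as doubt that goes to the call-back path, and releasing to a third party only when a written authorization is on file are assumptions; the sample record is constructed.

```python
RELEASE, CALLBACK, DENY = "release", "callback", "deny"
ID_FIELDS = ("date_of_birth", "address", "phone")  # the "other identifiers" the post names
MIN_MATCHING_IDS = 2

def _norm(value):
    """Case- and whitespace-insensitive comparison of stated vs. stored values."""
    return " ".join(str(value).lower().split())

def verify_caller(record, claimed, *, billing_question=False,
                  caller_is_patient=True, written_authorization=False):
    """Decide whether PHI may be released on this call.
    record: the patient's record on file; claimed: what the caller stated."""
    # Someone other than the patient needs a written request on file (assumed
    # to be recorded as written_authorization); otherwise nothing is released.
    if not caller_is_patient:
        return RELEASE if written_authorization else DENY
    # Full name plus at least two further identifiers must match the record;
    # any mismatch is treated as doubt and sent to the call-back path.
    if _norm(claimed.get("full_name", "")) != _norm(record["full_name"]):
        return CALLBACK
    matches = sum(1 for f in ID_FIELDS
                  if f in claimed and _norm(claimed[f]) == _norm(record[f]))
    if matches < MIN_MATCHING_IDS:
        return CALLBACK
    # Billing questions also need the latest date of service or an invoice number.
    if billing_question and not (
            _norm(claimed.get("last_service_date", "")) == _norm(record["last_service_date"])
            or claimed.get("invoice_number") in record["invoice_numbers"]):
        return CALLBACK
    return RELEASE

PATIENT = {  # constructed sample record
    "full_name": "Jane Doe", "date_of_birth": "1980-05-04",
    "address": "12 Elm Street, Springfield", "phone": "555-0100",
    "last_service_date": "2024-02-20", "invoice_numbers": {"INV-1042"},
}

def demo():
    """Constructed calls; returns {scenario: decision}."""
    base = {"full_name": "jane doe", "date_of_birth": "1980-05-04"}
    return {
        "one_identifier": verify_caller(PATIENT, base),
        "two_identifiers": verify_caller(PATIENT, {**base, "phone": "555-0100"}),
        "wrong_phone": verify_caller(PATIENT, {**base, "phone": "555-9999"}),
        "billing_no_invoice": verify_caller(PATIENT, {**base, "phone": "555-0100"}, billing_question=True),
        "billing_invoice": verify_caller(PATIENT, {**base, "phone": "555-0100", "invoice_number": "INV-1042"},
                                         billing_question=True),
        "third_party": verify_caller(PATIENT, base, caller_is_patient=False),
    }
```

When the result is CALLBACK, the agent ends the call and dials only the number stored in the record, never a number the caller supplies.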

HIPAA and Call Recordings

Most businesses record calls using a hosted VoIP system. Under HIPAA, all patient voice recordings qualify as PHI, or Protected Health Information, and are subject to protection. If the patient does not consent to the call recording, it must not be made. We suggest you choose a call center or telephony solution that does not record calls by default but lets you enable recording when needed. This will help with both HIPAA and GDPR compliance.

HIPAA Call Center Requirements 

 So, what does this mean for your call center? We’ve summarized it here: 

  • Ensure data encryption: Encrypt all stored data so that it is unreadable if intercepted over public Wi-Fi, or if the device or mobile phone used to make the calls is misplaced or lost.
  • PIN lock: Administrators should lock their devices using a PIN lock.
  • Automatic logout: Users should be logged out of the system automatically after a stipulated period of inactivity.
  • Ensure that information cannot be copied and pasted from the network to any external device.
  • Ensure secure texting solutions that only authorized personnel can access.
  • Call recordings should be fully secured and optional.
  • Agents should be trained to obtain consent and verify callers.

We suggest you use a cloud-based “Software-as-a-Service” platform, as it requires no new servers, hardware, or special software. It can be implemented within twenty-four hours to make secure texting and call services available.


Remember that customers on the other side of the call consider your call center executive an extension of your office. Adherence to HIPAA requires you to take a few extra steps while setting up a call center for your own or a client’s healthcare practice. But the hard work pays off with some unexpected benefits too.
By adhering to HIPAA, you can expect to cut down on your costs and see a surge in your business by safeguarding data and offering secure customer service. Call centers adhering to HIPAA have found it easier to streamline their workflow and offer better service to their customers.

HIPAA compliance can be worthwhile. It could give your business an edge over your competitors, because customers and clients would consider their data more secure with a HIPAA-compliant call center. It also helps you offer better service to your customers by preventing a data breach.


Sources

Who needs to be HIPAA compliant? https://theblog.adobe.com/are-all-of-your-cloud-service-providers-hipaa-compliant/
What is HIPAA? http://www.onlinetech.com/compliant-hosting/hipaa-compliant-hosting/resources/what-is-hipaa-compliance
HIPAA & outbound calls: https://www.hipaajournal.com/fcc-confirms-rules-regarding-hipaa-and-patient-telephone-calls-8048/
HIPAA & call recordings: https://www.hipaaguide.net/hipaa-law/
HIPAA & texting: https://www.hipaaguide.net/hipaa-rules-regarding-text-messaging/
HIPAA & caller verification: https://hipaa.yale.edu/sites/default/files/files/Guidance%20on%20Identity%20Verification.pdf
Conclusion: https://www.allcovered.com/blog/the-advantages-of-hipaa-compliance/?red20190805trans

About the Author:

Prashanth is VP, International Business at Ozonetel Communications. He is focused on delivering impactful business benefits through our contact center solutions.
