HIPAA Compliance for Voice Communications, Part 3: Commonly Overlooked Violations

This is Part 3 of a 4-part series on HIPAA compliance for voice communications. Part 1 offered an overview of HIPAA rules. Part 2 discussed what HIPAA means for phone systems. In Part 3, we'll cover commonly overlooked violations. 

We've discussed the need to secure PHI transmitted and stored via voice communications, but other potential HIPAA violations are easy to overlook.  

Third-party software and apps 

Phone systems can integrate with CRMs, helpdesks and other third-party software and apps. Any PHI transmitted to or stored on those platforms is subject to HIPAA, and a vendor that stores PHI on your behalf must be under a business associate agreement. Covered entities typically consider these applications first, but business associates can unwittingly overlook them. If you're a business associate, you need to know what data is stored in your CRM – contacts are OK, but PHI is not, and a call note recording the reason for a patient's appointment is PHI, not a contact detail. 

Information that is not electronically stored (paper records) 

It's not unusual to jot down information during phone conversations. While taking handwritten notes isn't a HIPAA violation, irresponsible use of those notes could be – especially if a desk is left unattended so unauthorized employees or customers can see them.  

Treat non-electronic data with the same respect as electronically stored information. Paper records must be securely stored or disposed of to avoid violating the privacy rule prohibiting unauthorized PHI disclosure.  

Remote communications 

Even with safeguards protecting stored patient records, covered entities and business associates can violate HIPAA during remote sessions. During the COVID-19 public health emergency, the HHS Office for Civil Rights issued telehealth guidance permitting healthcare providers to use everyday remote communication tools for telehealth, backed by a temporary enforcement discretion. That discretion ended in May 2023, so the usual Security Rule requirements once again apply to the platforms used. 

The guidance calls for healthcare providers to use private settings "to the extent feasible." If a private setting isn't available, healthcare providers should implement reasonable safeguards, such as lowering their voices and avoiding speakerphones, to limit incidental uses or disclosures of PHI.  

Other unintended violations 

Other unintentional HIPAA violations can occur when: 

  • A device is lost or stolen, potentially granting someone unauthorized access to PHI (full-disk encryption is the usual mitigation; PHI encrypted in line with HHS guidance falls under the Breach Notification Rule's safe harbor) 

  • An employee mistakenly sends PHI to the wrong contact 

  • An employee fails to report a potential violation 

  • There is a data breach, such as the network being hacked or infected with malware or ransomware 

Training prevents HIPAA violations 

One of the most effective ways to avoid HIPAA violations is to provide comprehensive employee training. Employees must understand that information shared via voice is protected and should be well-versed in handling PHI.  

Companies and organizations should develop well-defined, easy-to-follow policies that make it easy for employees to maintain compliance. 

Next steps 

Learn how to vet a phone system provider for HIPAA compliance in Part 4 of this guide. 

Cady Business Technologies is proud to be a Mitel Gold Partner.