Leaving Messages - How Much is Too Much?
Lisa Oswald, M.Ed., CHPC
University of Missouri’s Health System’s Compliance Corner
In a HIPAA Q & A published by the Department of Health and Human Services (HHS), a question was asked about leaving messages for patients at their homes, either on an answering machine or with a family member. We are often in a position to leave a message, but how much information is safe to leave without risking a privacy violation?
This is HHS’s response:
The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. Covered entities are outlined at:
However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back. A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual’s care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).
In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable. For example, the Department considers a request to receive mailings from the covered entity in a closed envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home, or to receive calls at the office rather than at home are also considered to be reasonable requests, absent extenuating circumstances. See 45 CFR 164.522(b).
While HIPAA does not prohibit leaving messages on answering machines or with someone who answers the phone, we must always be mindful of the patient’s privacy and seriously consider the consequences of the message we may leave.
HIPAA says “a covered entity may disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such a person’s involvement with the individual’s care or payment related to the individual’s care”. See 45 CFR 164.510(b)(1)(i). Note the rule says “the protected health information directly relevant to such a person’s involvement with the individual’s care or payment related to the individual’s care”.
So how do we know the extent of involvement of a person who answers the phone or picks up the message? Chances are, we don’t.
Our patients are more educated on their rights under HIPAA than ever before and they will and do call us on it when they believe we’ve overstepped. That doesn’t mean we have, but a wise man once told me “perception is reality”. If our patient’s perceive we have violated their privacy, in their mind we have.
What’s the solution? If you need to leave a message for a patient, limit the amount of information you leave. If it is not an emergency situation, try leaving your name and a phone number and ask for a call back.