HIPAA Compliance and Your Answering Service

What You Don’t Know Can Hurt You

Medical Office Answering Service HIPAA compliance

[Note: this is not legal advice but a practical overview of HIPAA compliance and how it affects your healthcare facility in relation to your medical office answering service. In this article we address HIPAA and how to move toward compliance with your answering service. Consult with an attorney before taking any HIPAA action.]

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted over a quarter of a century ago. HIPAA compliance was confusing then, with worries and misunderstandings rampant. Even today some healthcare providers still carry misconceptions that could harm them, their patients, and their operations’ ongoing existence.

HIPAA Fundamentals

In basic terms HIPAA protects the privacy and security of personal health information, called PHI.

HIPAA defines you, the healthcare provider, as a covered entity or CE for short. You are legally responsible for your patients’ PHI, with heavy fines—along with the negativity and ensuing ramifications of bad publicity—a very real possibility in case of noncompliance.

From a technical standpoint HIPAA compliance includes what you do with your patients’ information, their PHI. This refers to how you store it and how you transmit it. That is, when it’s at rest and in motion, including how it’s received, handled, transferred, and shared. This applies to communication in all forms: written, printed, verbal, and electronic, which includes email and text messaging.

You’ve no doubt consulted with compliance experts, implemented best practices, and carry insurance just in case. This is a great beginning, but it’s not the end. There’s more to HIPAA compliance than securing patient information in your office.

HIPAA violators—both the medical office answering service and the healthcare provider that hired them—face stiff fines. In addition to the hit of a financial penalty is the hassle of dealing with an inquiry, the associated legal costs, and the resulting negative publicity and loss of patient confidence.

This is why it’s essential to select a HIPAA-compliant medical office answering service.

Relevant Acronyms
HIPAA: Health Insurance Portability and Accountability Act of 1996
CE: Covered Entity (the healthcare provider)
ePHI: Electronic Personal Health Information
PHI: Personal Health Information
BA: Business Associate (your medical office answering service, among many others)
BAA: Business Associate Agreement

Your Business Associates

HIPAA compliance also covers the third-party vendors you work with. But don’t think that outsourcing the work to another organization transfers responsibility to them and shelters you from the risk of their noncompliance. It doesn’t. You’re responsible for their HIPAA compliance or lack thereof.

HIPAA refers to these third-party providers as business associates or BAs. As a CE you are legally accountable for what each of your BAs does as it relates to HIPAA.

Though they must follow HIPAA expectations, outsourcing work to them does not protect you from any mistakes they make in the work they do for you. You’re ultimately responsible for them. And you’re liable too.

Though initially BAs received minimal scrutiny, with CEs garnering most of the regulators’ attention, expect BAs to receive increased inspection going forward.

Your Answering Service as a BA

By definition, your medical office answering service is a BA under HIPAA regulations and must meet HIPAA compliance.

As your BA, your answering service is also compelled to meet HIPAA requirements. If they fail in this regard, both they and your organization are in violation of HIPAA.

Some telephone answering services take their HIPAA responsibilities most seriously and others do not. These questionable operations—and there are many—assume they won’t get caught. Yes, they expect their insurance—if they have it—will cover them. But will that cover you too? Don’t count on it.

A Quick Overview

Here’s a synopsis of HIPAA as it relates to telephone answering services. Though HIPAA applies to healthcare providers, called covered entities (CEs), it also addresses companies that provide services to them, called business associates (BAs). As a result, the medical office answering service falls under HIPAA compliance mandates.

Some healthcare organizations, as the CE, may assume that if they’re HIPAA compliant in their practices, clinics, and facilities, that’s what matters. But all CEs will be held responsible for all that their BAs do.

In this case that includes their medical office answering service. If the answering service mishandles PHI, both you (as the CE) and they (as your BA) are subject to civil and criminal penalties, not to mention the hit to your reputation—even if the error isn’t your fault.

In short, a HIPAA compliance failure, by you or your answering service, will result in fines and a loss of standing in the medical community.

Action Steps

Since you are likewise culpable for the HIPAA breaches of those who work on your behalf, including your medical office answering service, you need to make sure they (and each of your BAs) maintain strict HIPAA compliance.

This includes how they store PHI and how they send PHI, both to you and to your patients. In each case they must secure and protect PHI from access by third parties who don’t have a legitimate need to see it. A common weak link is text messaging, which we’ll get to shortly.

Your medical office answering service must properly handle your PHI. This includes both the storage and transmission of the data, that is, at rest and in motion. This means they need secure computer centers, encrypted archives, HIPAA-trained staff, and secure messaging apps. If they don’t have this in place, find another answering service.

Therefore, healthcare providers must use a HIPAA-compliant medical office answering service to protect patient PHI. Be aware that some answering services claim to be HIPAA-compliant but are not. Don’t accept their compliance statement without investigating deeper.

Secure Messaging

Unsecured text messaging is at high risk of interception by others who have no reason to access it. This can occur on public Wi-Fi networks and unsecured Wi-Fi systems. To properly encrypt PHI—which is especially vulnerable in text messaging and email—it must be unreadable, undecipherable, and unusable by anyone who intercepts the message or any non-authorized person.

Though HIPAA-conscious medical office answering services use secure messaging apps to ensure the safe transmission of PHI, too many healthcare providers are not as careful with their own communications. It’s a violation of HIPAA requirements to send unencrypted emails or text messages that include PHI. Don’t ever do that.

Business Associate Agreement

A HIPAA compliance best practice is to execute a business associate agreement or contract. It’s a legal document that satisfies HIPAA regulations. Not only does it address the obligations and responsibilities of both the CE and the BA, but it also legally specifies the steps the medical office answering service will take to ensure they’re HIPAA compliant.

Therefore, don’t have an answering service take a single call for you until you have an executed business associate agreement or BAA. With fines as high as $50,000 per violation or record breach, it’s simply too big of a risk to take without a signed BAA.

Having an executed HIPAA business associate agreement in place also offers healthcare providers, as the CE, a degree of legal protection for any HIPAA compliance errors that may occur with their answering service.

Only the best medical office answering services have the confidence to commit in writing what they will do to adhere to HIPAA regulations and meet HIPAA compliance mandates. This proves they have the best interest of you and your patients in mind.

Three Key HIPAA Rules Protecting PHI

From a practical standpoint there are three main rules that must be adhered to when it comes to protecting patient PHI. They are the HIPAA breach notification rule, the HIPAA security rule, and the HIPAA privacy rule.

Here’s a brief, non-technical summary of each rule:

HIPAA Breach Notification Rule

In the unfortunate event of a security breach at either the CE or a BA facility, the HIPAA breach notification rule comes into play. This includes a breach at your medical answering service, which is why HIPAA-compliant answering services place a premium focus on data security and protection.

The breach notification rule applies when PHI has been exposed. Notification must be made within sixty days of the breach’s discovery. If the breach is a large-scale incursion that reveals the PHI of five hundred or more patients, the media must also be notified.

A data breach that has not compromised PHI does not require notification. However, the breach could still violate the security rules and privacy rules.

HIPAA Security Rule

Next is the data security rule. It establishes minimum standards for protecting patient ePHI (electronic personal health information).

Any CE or BA who can access, edit, transmit, or create ePHI must follow the HIPAA security rule. Again, this involves your medical answering service.

The HIPAA security rule covers technical safeguards, administrative safeguards, and physical precautions, such as those that prevent unintentional exposure to nonessential personnel.

The main provisions of the HIPAA security rule include:

∙ Train employees so they can comply with the security rule.
∙ Implement procedures to protect against improper PHI disclosure.
∙ Maintain the confidentiality, integrity, and availability of all PHI.
∙ Take steps to protect and safeguard medical records that include PHI.
∙ Institute policies to conform to the security rule. 

Every CE must meet the HIPAA security rule, as well as each one of their BAs.

HIPAA Privacy Rule

The third component is the HIPAA privacy rule. Though HIPAA first went into law in 1996, it has not remained stagnant but has continued to evolve.

Seven years after its inception, in 2003, the HIPAA privacy rule was first implemented. It covered all CEs. Ten years after that, in 2013, the HIPAA privacy rule was further expanded to include BAs, such as your medical answering service.

The principal component of the privacy rule governs the extent to which PHI can be shared without explicit patient consent.

In short, the HIPAA privacy rule protects patient rights to access their PHI. This allows patients, or their representatives, access to their personal information, while maintaining the restrictions of its usage by other entities.

Health Information Technology for Economic and Clinical Health Act

“HITECH” refers to the Health Information Technology for Economic and Clinical Health Act. HITECH is a part of the American Recovery and Reinvestment Act of 2009 and was enacted to promote the adoption and meaningful use of health information technology, including electronic health records (EHRs), while also strengthening the privacy and security provisions established by HIPAA.

Here’s how HITECH relates to HIPAA and answering services:

  1. HIPAA and Protected Health Information (PHI): HIPAA is a federal law that governs the privacy and security of certain health information, known as Protected Health Information (PHI). PHI includes individually identifiable health information that is transmitted or maintained by a covered entity (such as healthcare providers, health plans, and healthcare clearinghouses) or their business associates. HIPAA establishes rules and standards for safeguarding PHI.
  2. HITECH Act and HIPAA Enforcement: The HITECH Act enhances and strengthens certain aspects of HIPAA, particularly its enforcement and penalties for non-compliance. It introduced provisions to encourage the adoption of electronic health records (EHRs) and the secure exchange of health information. HITECH also introduced stricter penalties for HIPAA violations and extended liability for breaches to business associates, such as answering services, that handle PHI on behalf of covered entities.
  3. Business Associates and Answering Services: A business associate is a third-party entity that performs certain functions or activities on behalf of a covered entity that involve the use or disclosure of PHI. Answering services that handle appointment scheduling, message taking, or other communication tasks for healthcare providers may qualify as business associates under HIPAA. As such, they are required to comply with HIPAA regulations, including the security and privacy provisions outlined in the HITECH Act.
  4. Security and Privacy Requirements: Answering services that handle PHI must implement appropriate safeguards to protect the confidentiality, integrity, and availability of the health information. This includes measures such as encryption, access controls, staff training, and risk assessments. HITECH’s provisions emphasize the importance of these safeguards and impose penalties for breaches or unauthorized disclosures of PHI.

In summary, HITECH is an important extension of HIPAA that specifically addresses the use of health information technology and strengthens the security and privacy protections for PHI. Answering services that handle PHI on behalf of healthcare providers are considered business associates under HIPAA and must comply with both HIPAA and HITECH requirements to ensure the proper handling and protection of sensitive health information.

HITRUST (Health Information Trust Alliance) is an organization that focuses on the development and implementation of cybersecurity frameworks and standards within the healthcare industry. Its framework, called the HITRUST CSF (Common Security Framework), provides a comprehensive set of controls and requirements designed to safeguard sensitive healthcare information and manage risk.

HIPAA (Health Insurance Portability and Accountability Act) is a US federal law that establishes data privacy and security provisions for safeguarding medical information. It sets the standards for protecting patient data and ensuring its confidentiality, integrity, and availability.

When it comes to an answering service in the context of healthcare, such as a medical call center or a service that handles patient communications, it’s essential to ensure compliance with both HIPAA and HITRUST, if applicable. Here’s how they relate:

  1. HIPAA Compliance: Any entity that handles protected health information (PHI) must comply with HIPAA regulations. This includes healthcare providers, health plans, and their business associates. An answering service that deals with patient information, appointments, medical inquiries, etc., is considered a business associate under HIPAA. As a result, it must adhere to the privacy and security requirements outlined in HIPAA to protect patient data.
  2. HITRUST CSF: HITRUST CSF is a more comprehensive framework that integrates various standards and regulations, including HIPAA, NIST (National Institute of Standards and Technology), and others. It provides a more robust and detailed approach to cybersecurity and risk management in the healthcare sector. Organizations that adopt the HITRUST CSF often do so to ensure a higher level of data protection beyond just HIPAA requirements. Achieving HITRUST certification demonstrates a commitment to comprehensive security practices.

An answering service that wants to ensure the highest level of security and compliance may choose to pursue HITRUST certification in addition to adhering to HIPAA regulations. This can help build trust with healthcare clients and partners by demonstrating a strong commitment to safeguarding sensitive patient information.

HIPAA Compliance and Your Answering Service

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a crucial piece of legislation that protects the privacy and security of personal health information (PHI). As a healthcare provider, it is your legal responsibility to ensure HIPAA compliance, as heavy fines and negative publicity can result from noncompliance. HIPAA compliance extends beyond securing patient information within your office; it also includes the actions of your business associates, such as your medical office answering service. Therefore, it is essential to select a HIPAA-compliant answering service to avoid potential fines and reputational damage.

HIPAA compliance also covers third-party vendors, known as business associates (BAs), who work with healthcare providers. However, outsourcing work to a BA does not transfer responsibility to them; you are still legally accountable for their HIPAA compliance. This includes your medical office answering service, which is considered a BA under HIPAA regulations. If your answering service fails to meet HIPAA requirements, both they and your organization are in violation of HIPAA. Therefore, it is crucial to ensure that your answering service maintains strict HIPAA compliance, including secure storage and transmission of PHI.

To protect patient PHI, your medical office answering service must properly handle and secure the data. This includes implementing secure computer centers, encrypted archives, HIPAA-trained staff, and secure messaging apps. It is important to note that not all answering services claiming to be HIPAA-compliant actually meet the necessary requirements. Therefore, it is essential to thoroughly investigate an answering service’s compliance before entrusting them with your patients’ sensitive information. By selecting a HIPAA-compliant medical office answering service, you can ensure the protection of patient PHI and avoid potential fines and reputational damage.

In addition to HIPAA, healthcare providers should also be aware of the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH enhances and strengthens certain aspects of HIPAA, particularly its enforcement and penalties for non-compliance. It also extends liability for breaches to business associates, such as answering services, that handle PHI on behalf of covered entities. Therefore, it is important for healthcare providers to ensure that their medical office answering service complies with both HIPAA and HITECH requirements to protect sensitive health information effectively.

Frequently Asked Questions

What does HIPAA compliance mean for my medical office answering service?

HIPAA compliance ensures that any personal health information (PHI) is handled, stored, transmitted, and shared with utmost privacy and security. This extends to your medical office answering service, which is considered a “Business Associate” (BA) under HIPAA. Therefore, it’s crucial to choose a HIPAA-compliant answering service to avoid noncompliance penalties, potential financial losses, and reputational damage. Both the healthcare provider (covered entity or CE) and the answering service (BA) are liable for any HIPAA violations.

How do I ensure that my answering service is genuinely HIPAA compliant?

Though some answering services may claim to be HIPAA compliant, it’s essential to carry out a deeper investigation. Ensuring HIPAA compliance requires that the answering service:

  • Uses secure messaging apps for the safe transmission of PHI.
  • Maintains secure computer centers and encrypted archives.
  • Has HIPAA-trained staff.
  • Can produce a signed Business Associate Agreement (BAA) that addresses the obligations and responsibilities of both the CE and the BA.

It is always recommended to consult with a legal expert and evaluate the service before moving forward.

What risks are associated with unsecured messaging and how can they be mitigated?

Unsecured text messaging is susceptible to interception, especially on public or unsecured Wi-Fi networks. This poses a significant risk as unauthorized individuals can access and misuse the PHI. HIPAA mandates that any PHI transmitted via email or text should be encrypted, making it unreadable and undecipherable to unauthorized individuals. Healthcare providers and their answering services should use secure messaging apps to ensure PHI’s safe transmission and never send unencrypted emails or text messages containing PHI.

Additional Resources

Health and Human Services – https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

Centers for Disease Control – https://www.cdc.gov/nhsn/hipaa/index.html

PDF Guide to Privacy and Security of Electronic Health Information – privacy-and-security-guide.pdf


We do not currently recommend any texting app like TigerConnect or OhMD because there is no way for us to send messages directly to a recipient through our current answering service software. Messages would need to be transcribed from our system into a secure web portal, potentially causing errors and delays. Secure encrypted email is recommended.

TigerConnect – https://tigerconnect.com/products/clinical-collaboration/

OhMD – https://www.ohmd.com/

We do not provide the pagers, but we can recommend American Messaging, who offer encrypted alpha pagers and a secure phone app – https://americanmessaging.net/

Spok is another option that offers encrypted alpha pagers and a secure phone app. – https://www.spok.com/solutions/paging-services/paging-devices/


Unfortunately, no. SMS/text messages that contain PHI (Personal Health Information) are never HIPAA compliant.

Only encrypted secure email, encrypted alphanumeric pagers, or HIPAA-compliant apps such as TigerConnect (formerly TigerText) can be used to securely transmit PHI.

Apps like Signal, Telegram, and WhatsApp, while encrypted and secure, do not provide a signed BAA, which is necessary to remain HIPAA compliant.

We recommend ProtonMail, a secure email service based in Switzerland. When used as a standalone app, it can almost replicate the SMS experience with the security of encrypted email.


The following are alternate HIPAA-compliant email providers that provide a signed BAA. We recommend choosing one provider and using it solely for answering service use. Doing so allows unique notifications and sounds to be set up so you know when it’s an answering service email. Using one email provider solely for answering service messages will also help to avoid interruptions from spam or other sources.

Hushmail – https://www.hushmail.com/plans/healthcare-hipaa-compliant-email/

Egress – https://www.egress.com/blog/compliance/how-we-help-you-comply-hipaa

Mail Hippo – https://www.mailhippo.com/

Secure My Email – https://www.securemyemail.com/hipaa-compliant-email

Virtru – https://www.virtru.com/hipaa-compliant-email/

Paubox – https://www.paubox.com/

Google Workspace (email) – https://support.google.com/a/answer/3407054?hl=en, https://workspace.google.com/products/gmail/

Outlook / Office 365 – https://www.microsoft.com/en-us/industry/health/microsoft-cloud-for-healthcare

Zoho Mail – ****Please note we do not currently recommend Zoho for any of their products.  Their support is atrocious and their products never work without support.  https://www.zoho.com/mail/hipaa.html


Fill out the following form.  An unsigned copy will be emailed to you.  Print, sign and email it back for it to be signed.  We will then email a fully signed BAA.



Yes, agent training, restricted-access facilities, and secure encrypted email are just a few ways we maintain a fully HIPAA-compliant answering service solution.

Sign up today or call 800-450-9045 to discover how we at Doctors Answering Service can provide your practice and your patients with a full-featured, flexible, and cost-effective answering service for doctor’s office solution.
