The Critical Importance of Using a HIPAA Compliant Answering Service

Most doctors answering services say they are HIPAA compliant. Though they may have a basic comprehension of HIPAA, many don’t understand how to correctly apply it to their operation. Ignorance, however, fails to stand as a sound defense under the threat of HIPAA violations. These include database breaches and employee disclosures of private healthcare information (PHI). Compliance failure carries fines, as well as public embarrassment.
First a quick review. HIPAA stands for the Health Insurance Portability and Accountability Act. The United States Congress passed this law way back in 1996. It covers a wide array of healthcare matters.
As far as medical office answering services go, HIPAA requires them to keep PHI confidential. This includes when it’s stored (at rest) and when it’s moved (in motion; that is, during transmission).
It’s critical that your telephone answering service adheres to HIPAA regulations. Don’t assume every doctor’s answering service is HIPAA compliant. They should be, but not all are.

Complying with HIPAA regulations is essential—for both them and you.
HIPAA defines you, the healthcare provider, as a covered entity (CE). Your answering service functions as your business associate (BA). This means you are both responsible—and liable—for keeping PHI secure. Therefore, both you (as the CE) and your answering service (as your BA) must fully comply with all relevant HIPAA regulations.
Some healthcare organizations (CEs) wrongly assume that their internal compliance at their practice or clinic is all that matters. But CEs are also responsible for what their doctors answering service does. Your telephone answering service functions as your BA. If they expose PHI, you are subject to fines and penalties. This puts your reputation at stake, even if it’s your answering service’s fault.

Secure Apps
The most common failure among non-compliant answering services is transmitting PHI over unprotected networks or to non-secure devices. This includes most email and text messaging services, which are used widely and accepted across all industries and by most people.
To address this, doctors answering services use a HIPAA compliant messaging app to ensure the security of PHI when communicating critical information with clients and their on-call staff.
If an answering service doesn’t have a secure messaging app, don’t use them. They are not in compliance with HIPAA.

Agent Training
The next area to address is to ensure that your answering service conducts HIPAA compliance training with all staff. This should be part of their new-agent education process. They also must conduct periodic refresher training with all staff, and they need to document when and how each training session, for each employee, took place.

Safe Storage
While serving their clients, medical office answering services gather and store a lot of information, much of which is PHI. They must secure their data storage, server rooms, access points, and remote storage to make sure that all PHI is always protected.

Restricted Access
Facility access and, more importantly, datacenter access must be restricted at all times. Everyone without a legitimate need for access must be kept out, whether they work at the answering service or are third parties.

More Than HIPAA Compliant
Many of the leading doctors answering services go beyond the essential requirements of HIPAA compliance. They take additional steps to further safeguard patient information, secure data, and train staff.

Business Continuity and Data Backup

One often overlooked aspect when considering HIPAA compliance in answering services is the importance of business continuity and data backup plans. A professional answering service should not only store data securely but also have robust mechanisms for data recovery in the event of system failures, natural disasters, or other disruptions. This is crucial for maintaining the integrity of PHI and ensuring that you can continue to provide seamless healthcare services to your patients even in unforeseen circumstances. As someone running a medical practice as a business, downtimes can seriously affect your bottom line. Ensuring your answering service has strong business continuity plans directly impacts your practice’s operational efficiency.

Due Diligence and Vendor Management

Running a medical practice is not just about healthcare; it’s also about effective business management. This includes vetting all third-party vendors, including your answering service. Doctors should conduct due diligence by evaluating multiple answering services, scrutinizing their security protocols, and perhaps even conducting site visits. The Business Associate Agreement (BAA) should be comprehensive, leaving no room for ambiguity about responsibilities related to HIPAA compliance. It would be wise to consult with legal experts to ensure the contract protects your interests effectively.

Cost Implications

Compliance isn’t just a legal necessity; it has financial implications as well. While a HIPAA-compliant answering service might cost more upfront, think of it as an investment rather than an expense. The cost of a single HIPAA violation can range from $100 to $50,000 per record breached, with an annual maximum of $1.5 million. Additionally, your practice could also face lawsuits, which can be both costly and damaging to your reputation. From a business perspective, the higher cost of a compliant answering service could very well be offset by the financial and reputational risks of a HIPAA violation.

Streamlined Operations and Workflow

Besides ensuring data security and compliance, a professional HIPAA-compliant answering service can streamline your medical practice’s operations. They can handle appointment scheduling, prescription renewals, and emergency call routing among other things, allowing your staff to focus on patient care. This operational efficiency is a key element in running a successful and profitable medical practice.

Q: Is it enough for an answering service to just claim they are HIPAA compliant?

A: No, simply claiming compliance is not sufficient. You should ask for proof, such as certification from an accredited organization or documentation of their security measures and training programs.

Q: How often should I review the HIPAA compliance status of my answering service?

A: Regularly reviewing your answering service’s compliance is a good business practice. The frequency can depend on your internal policies, but at least an annual review is recommended. Always update your Business Associate Agreement accordingly.

Q: What should I do if my answering service experiences a data breach?

A: You should follow the protocol outlined in your Business Associate Agreement and consult legal experts for further steps. You may also need to notify the affected patients and authorities depending on the nature and extent of the breach.

Conclusion and Call to Action

While it’s easy to get bogged down with the complexities of healthcare, remember that running a medical practice is a business venture with its own set of requirements and risks. Among these, HIPAA compliance stands as a critical factor that has both legal and financial repercussions. The answering service you choose plays a crucial role in ensuring this compliance. Don’t leave it to chance. Do your due diligence, understand the cost implications, and opt for a service that not only claims to be HIPAA compliant but proves it. Take action today—reach out to us to discuss how our certified HIPAA-compliant answering service can help secure your medical practice while boosting its efficiency and reputation.

The Next Step
Contact us to learn more about our HIPAA compliance processes and discover how we can provide your medical operation with a professional, HIPAA compliant medical telephone answering service.

Frequently Asked Questions

We do not currently recommend any texting app like TigerConnect or OhMD because there is no way for us to send messages directly to a recipient through our current answering service software. Messages would need to be transcribed from our system into a secure web portal, potentially causing errors and delays. Secure encrypted email is recommended.

TigerConnect

OhMD

We do not provide the pagers, but we can recommend American Messaging, which offers encrypted alpha pagers and a secure phone app.

Spok is another option that offers encrypted alpha pagers and a secure phone app.

Unfortunately, no. SMS/Text messages that contain PHI (Personal Health Information) are never HIPAA compliant.

Only encrypted secure email, encrypted alphanumeric pagers or HIPAA compliant apps such as TigerConnect (formerly TigerText) can be used to securely transmit PHI.

Apps like Signal, Telegram and WhatsApp, while encrypted and secure, do not provide a signed BAA, which is necessary to remain HIPAA compliant.

We recommend ProtonMail, a secure email service based in Switzerland. When used as a stand-alone app it can almost replicate the SMS experience with the security of encrypted email.

Alternate HIPAA compliant email providers that provide a signed BAA are listed below. We recommend choosing one provider and using it solely for answering service use. Doing so allows unique notifications and sounds to be set up so you know when it's an answering service email. Using one email provider solely for answering service messages also helps keep those messages free of interruptions from spam or other sources.

Hushmail

Egress

Mail Hippo

Secure My Email

Virtru

Paubox

Google Workspace (email)

Outlook / Office 365

Zoho Mail (please note: we do not currently recommend Zoho for any of their products; their support is atrocious and their products never work without support)


June 3, 2021 | HIPAA