Is It a HIPAA Violation for a Healthcare Agency to Have a Third Party Record Patient Voice Messages?

Posted October 28, 2025



In many healthcare settings, patient phone calls are automatically routed through third-party systems for recording, transcription, or tracking purposes. These recordings often capture a patient’s name, medical condition, treatment details, or contact information—all of which qualify as Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

When a healthcare agency allows a third-party vendor to record or store these messages without the patient’s knowledge or consent, it may be violating HIPAA’s Privacy and Security Rules.

HIPAA Framework: Privacy and Security Rules

Under 45 C.F.R. § 164.502(a), a covered entity may not use or disclose PHI except as the Privacy Rule permits or requires. The most common permitted uses are for treatment, payment, or healthcare operations; any use outside those permissions requires the patient's written authorization.

Furthermore, 45 C.F.R. § 164.308(b) and § 164.502(e) require a Business Associate Agreement (BAA) whenever a covered entity shares PHI with a vendor that performs services involving PHI—such as call recording, voicemail hosting, or analytics.

If a healthcare agency allows recordings to be handled by a third-party platform without a valid BAA and without informing the patient, both the agency and the vendor may be liable for non-compliance.

Key Compliance Points

  • Consent for recording: Recording a call is a use of the PHI it captures. HIPAA permits that use without patient authorization only for treatment, payment, or healthcare operations, and only through a vendor bound by a BAA. Recording for any other purpose, such as marketing or unrelated analytics, requires the patient's written authorization, and recording without it is a violation. State recording laws (see below) may separately require consent from everyone on the call.
  • Tracking without consent: Tracking calls and the patient data they contain for purposes the Privacy Rule does not permit, and without the patient's authorization, constitutes unauthorized use and disclosure of PHI.
  • PHI protection: Audio recordings of patients are PHI, and once stored electronically they are ePHI. The Security Rule (45 C.F.R. § 164.306(a)) requires that they be safeguarded to ensure confidentiality, integrity, and availability.
  • Business Associate Agreements: If a third-party vendor is used for call recording or tracking, a BAA is mandatory under HIPAA so that the vendor is also bound to protect the PHI.
  • State laws: In addition to HIPAA, many states impose stricter "two-party" or "all-party" consent laws. In these states (e.g., California), every person on the call must consent to the recording.
  • Non-PHI exception: Health data is not PHI if it has been de-identified under 45 C.F.R. § 164.514(b) (for example, by removing all 18 Safe Harbor identifiers) or if it is never held by a covered entity or business associate at all, such as an isolated heart rate reading or calorie count on a consumer fitness tracker. Employment records held by a covered entity in its role as employer and student education records covered under FERPA are also excluded from the definition of PHI.
  • Telemedicine recordings: Patient consent should be obtained prior to recording a patient through telemedicine technology. Recordings made during a telemedicine encounter may be used and disclosed for treatment, payment, or healthcare operations without a patient's authorization. However, any use of a telemedicine recording outside of these HIPAA-permitted uses requires the patient's authorization if the recording is identifiable, or if state law requires authorization for such use (e.g., if the recording relates to mental health treatment).

Why This Matters

Patients reasonably expect privacy when leaving a voicemail for their provider. Recording and storing those messages through a third-party system without explicit notice undermines trust, violates federal standards, and may expose the organization to civil money penalties under 42 U.S.C. § 1320d-5, and, where individually identifiable health information is knowingly and wrongfully disclosed, to criminal penalties under 42 U.S.C. § 1320d-6.

Failing to inform patients or execute a BAA creates:

  • Legal exposure under HIPAA and state privacy laws
  • Possible civil penalties ranging from $100 to $50,000 per violation, up to $1.5 million per year for violations of the same provision (statutory base amounts, which HHS adjusts annually for inflation)

Compliance Takeaway

Before enabling any call-recording or voicemail-storage feature, healthcare organizations should:

  1. Disclose the recording and obtain consent from patients before recording any communications that may include PHI.
  2. Execute a Business Associate Agreement with the vendor managing recordings or analytics.
  3. Evaluate state-specific laws on call recording.
  4. Regularly audit vendor systems for compliance with HIPAA's Privacy and Security Rules.
  5. Protect the stored recordings with security measures such as encryption and access controls.

Who We Are

At DLH-Enterprises 5150, we help healthcare organizations safeguard patient privacy through customized HIPAA training, vendor-risk assessments, and compliance audits.
If your agency records or stores patient communications, now is the time to verify your compliance structure before a costly violation occurs.

Protecting Licenses. Preserving Trust. Preventing Violations.
📍 HIPAA | Law & Ethics | Compliance Training | CEU Provider

Keeping YOU on Track
