HIPAA call tracking checklist: Best practices for maintaining compliance

From appointment scheduling to patient education, billing, referrals, and prescription refills, tons of doctor-to-patient communication happens over the phone. These phone calls are protected under the Health Insurance Portability and Accountability Act (HIPAA) and if you’re a healthcare provider or an agency that services one, you need to ensure you’re keeping this data secure.

You not only need to ensure you’re utilizing HIPAA-compliant call tracking technology like CallRail but also that you don’t fall prey to one of the most overlooked security risks: human error.

Agency Marketer's Guide to Client Retention

HIPAA compliance and call tracking: a history

HIPAA, originally known as the Kennedy-Kassebaum Bill, is a set of regulations that became law in 1996. These laws help people carry their health insurance and medical records from one health care institution to the next. In addition, HIPAA has also created a system to recognize and enforce the rights of patients to protect the privacy of their medical records.

But what does this have to do with call tracking?

In 2009, HIPAA was expanded by the Health Information Technology for Economic and Clinical Health Act (HITECH) to cover all business associates with access to health information, which includes call tracking providers. The law now requires that all patient health information be protected from disclosure and misuse by the practitioner and any business associates that have access to that information, such as CallRail.

This personal health information is known as Protected Health Information (PHI) according to HIPAA. Two different types of PHI are stored in CallRail:

  1. Call recording:s While recording phone calls between doctors and patients can help with analyzing lead quality and training staff members, their contents clearly contain personal health information. Phone calls between health providers and their patients frequently involve the discussion of personal issues and medical history.
  2. Caller ID information: Even if you’re not recording these calls, the fact that the call even happened at all creates a paper trail that links an individual to a medical practice and the types of services they provide. CallRail stores the patient’s phone number, the Caller ID Name (CNAM), and potentially specific marketing campaign identifiers depending on the type of call tracking you’re using.

CallRail’s HIPAA-compliant call tracking features

To ensure that all healthcare providers utilizing CallRail, as well as the agencies that service them, maintain HIPAA and HITECH compliance, CallRail has created specialized Healthcare Accounts.  CallRail’s end-to-end technological safeguards ensure that your call data is fully encrypted and protected so long as it is stored and managed in CallRail with features such as:

  • Encrypted data in transit and at rest.
  • Secure user access and full audit histories.
  • Dedicated, single-tenant equipment.
  • Firewalls and private network gaps for all machines containing PHI.

You can learn more about CallRail’s built-in precautions to give our customers access to HIPAA compliant call tracking in our HIPAA Security Whitepaper.

But while these precautions can protect you from HIPAA violations, there is still a security risk that is often overlooked: human error.

Whether you’re using HIPAA-compliant call tracking to understand where your best leads are coming from or to take advantage of call recording for lead qualification purposes, it’s important to understand where a tool like CallRail has you protected, but also what additional precautions are needed on your end.

Compliance tip 1: Check compliance with all integrations

Whenever you enable a call tracking integration, you are sharing data, potentially including PHI, with any additional business associate.

Under HIPAA, it is acceptable for PHI to be shared with CallRail so long as a Business Associate Agreement (BAA) is in place (which is required for access to all CallRail Healthcare Accounts). If a marketing agency is assisting a healthcare provider and utilizing CallRail then two cascading BAAs are required – one between the provider and the agency, and one between the marketing agency and CallRail.

These same precautions must be in place with any other third-party providers you are sharing PHI from CallRail with, whether they are one of our pre-built integrations or you’re utilizing CallRail’s open API.

Never connect CallRail to any third party software unless you’re confident the platform is HIPAA compliant. If you’re using a CallRail Healthcare Account, we’ll always issue a warning prior to activating any integrations to ensure you’re maintaining compliance from all sides.

Compliance tip 2: Never share user credentials

It seems innocent enough: instead of creating a new user for each and every member of your team that needs access to CallRail, you all decide to share the same email address and password for login purposes. Well what seems innocent at first, can be detrimental to your HIPAA compliance.

HIPAA requires logging for all access and modification to PHI. This is to ensure that in the event of any sort of data breach, the proper authorities have access to any user-level errors that may have lead to the compromised data.

All CallRail Healthcare Accounts log access to the application by user, timestamp, and IP address; playback of any call recordings, as well as all changes made to calls, tags, or configurations, are similarly logged. But if there is only one user being used to access an Account or Company, there is no way for us to create a fully accurate audit log.

Therefore, it is in your best interest to create individual user logins for everyone who needs access to your CallRail account. All CallRail Healthcare Accounts come with unlimited users, in different tiers of access. For extra security, we also recommend activating two-factor authentication.

Compliance tip 3: Export with caution

Similar to integrations, CallRail can only maintain HIPAA compliance so long as your call data resides within your CallRail account. Once you use our export option within either the Call Log or Reports or download an individual call recording, all PHI is leaving the safe and secure home of your CallRail Healthcare Account.

Exporting data is ok, and here at CallRail we definitely understand why you would need to do that. It is important, however, to ensure the environment you’re exporting the PHI to is both secure and compliant. Check out these 10 steps to ensure HIPAA security compliance on your local network.

If any exported information is going to be shared with another company or client, it is important you determine whether or not a BAA needs to be in place. If you are going to interact with, track, store, manage or share any health-related information, be sure that it is stored and transmitted in a way that meets the security and privacy guidelines outlined by HIPAA.

Note: CallRail is not offering legal counsel here, but we do strive to help our customers with all HIPAA-compliant call tracking quandaries. The advice outlined in this post is not a substitute for the advice or services of an attorney, and if you have any specific HIPAA compliance questions for your business, we recommend you contact the appropriate parties.