Healthcare · 2 min read · December 2025

HIPAA Compliance: What Your Answering Service Must Have

Not all answering services are HIPAA compliant. Here is your checklist of non-negotiable security features to protect patient information.

If your healthcare practice uses an answering service, HIPAA compliance is not optional — it is a legal requirement. A single breach can result in fines ranging from £10,000 to £1.5 million, not to mention the devastating impact on patient trust. Here is your non-negotiable checklist.

What HIPAA Requires From Your Answering Service

The Health Insurance Portability and Accountability Act sets strict standards for how Protected Health Information (PHI) is handled. Any third party that handles patient information on your behalf — including your answering service — must comply fully.

Business Associate Agreement (BAA)

This is the foundation. Your answering service must sign a BAA before handling any patient calls. This legally binding document establishes their obligations regarding PHI and makes them directly liable for breaches.

Red flag: If a provider hesitates to sign a BAA or claims they do not need one, walk away immediately.

Essential Security Features

Encrypted Communications

All messages containing patient information must be encrypted in transit and at rest. This means:

  • TLS 1.2 or higher for all data transmission
  • AES-256 encryption for stored messages
  • Encrypted email delivery (not standard email)
  • Secure messaging apps for mobile delivery

Access Controls

Not every operator at the answering service should have access to your patient data. Look for:

  • Role-based access controls
  • Unique login credentials for each operator
  • Automatic session timeouts
  • Multi-factor authentication

Audit Trails

Every access to patient information must be logged. Your answering service should provide:

  • Complete call logs with timestamps
  • Records of who accessed what information
  • Message delivery confirmation
  • Audit reports available on demand

Operator Training Requirements

Technology alone is not enough. The people answering your phones must understand HIPAA requirements:

Initial Training

  • HIPAA Privacy Rule fundamentals
  • What constitutes PHI
  • Minimum necessary standard
  • Proper verification procedures for callers

Ongoing Training

  • Annual HIPAA refresher courses
  • Updates on regulatory changes
  • Incident response procedures
  • Social engineering awareness

Physical Security

The answering service’s physical environment matters too:

  • Secure facilities with restricted access
  • Clean desk policies
  • No personal mobile phones at workstations
  • Monitored disposal of any printed materials

Incident Response Plan

Ask your answering service about their breach notification process. Under HIPAA, you must be notified of any breach within 60 days — but a good provider will notify you within 24 hours.

Your Compliance Checklist

Before signing with any answering service, verify all of the following:

  • Signed Business Associate Agreement
  • End-to-end encryption for all PHI
  • Role-based access controls with audit trails
  • Documented HIPAA training programme
  • Physical security measures in place
  • Written incident response and breach notification plan
  • Regular third-party security assessments
  • Data retention and destruction policies

The Bottom Line

Choosing a HIPAA-compliant answering service is not just about avoiding fines — it is about protecting your patients and your practice. Do not compromise on any of the items above. Your patients trust you with their most sensitive information, and that trust extends to everyone who handles their calls.