Patient Protect


Is Voicemail HIPAA Compliant? Rules & Tips (2026)

Leaving voicemails for patients is allowed under HIPAA — but what you say, how you say it, and where messages are stored all have compliance implications.

Angie Perrin·April 15, 2026·6 min read

Is Voicemail HIPAA Compliant? What You Can and Cannot Say

Yes. HIPAA does not prohibit leaving voicemails for patients. HHS has explicitly stated that healthcare providers may leave voicemail messages for patients, including on answering machines and cell phones. This is not a gray area — the Department of Health and Human Services addressed it directly in guidance on the Privacy Rule.

What HIPAA does require is that you apply the minimum necessary standard. The message should contain only the information needed for its purpose — typically, getting the patient to call you back. The voicemail itself is not the problem. What you say in it, and how your voicemail system stores it, is where compliance risk lives.

What You Can Say in a Voicemail

The minimum necessary standard is practical, not restrictive. A compliant voicemail can include:

  • Your name and practice name. "This is Sarah from Lakeview Dental."
  • A callback number.
  • A generic reason for calling. "I'm calling about your upcoming appointment" or "regarding your recent visit."
  • Appointment reminders. Date, time, and location are acceptable — appointment reminders are part of treatment operations under the Privacy Rule.
  • A request to call back.

This covers the vast majority of reasons a practice leaves a voicemail. You can accomplish the goal — getting the patient to return your call — without disclosing clinical details.

What You Should Not Say in a Voicemail

Do not include clinical specifics that go beyond what is necessary:

  • Diagnosis or condition names. "We're calling about your diabetes management" discloses a condition to anyone who hears the message.
  • Test results. Do not confirm or deny results. "Your lab work came back positive" is a HIPAA violation if someone other than the patient hears it.
  • Treatment details. "We need to discuss your chemotherapy schedule" reveals protected information.
  • Prescription information. Medication names can reveal conditions.
  • Billing amounts or insurance details. Financial information tied to healthcare services is PHI.
  • Anything beyond what is necessary to get the patient to call back. This is the test. If the information is not required for the voicemail to serve its purpose, leave it out.

The risk is not theoretical. A voicemail left on a shared family phone, a wrong number, or a device that plays messages on speaker can expose PHI to unauthorized individuals.

Voicemail System Requirements

This is where most practices miss the compliance picture. They train staff on what to say but never evaluate whether their voicemail system itself meets HIPAA requirements.

Cloud and VoIP Phone Systems

If your phone system stores voicemails digitally — which includes virtually every modern cloud or VoIP system — the provider handling those recordings has access to PHI. That makes them a business associate under HIPAA. You need a Business Associate Agreement (BAA).

This applies to providers like RingCentral, 8x8, Vonage, Nextiva, and similar services. Most offer HIPAA-compliant tiers with BAAs available, but you have to request them. The default small-business plan often does not include one.

Voicemail-to-Email Transcription

Voicemail-to-email services are a particularly high-risk area. When a voicemail is transcribed to text and sent via email, two things happen:

  1. A text record of PHI is created — one that is often more searchable and shareable than the original audio.
  2. That text record is transmitted via email, which may not be encrypted.

If your phone system automatically transcribes voicemails and sends them to staff email, confirm that both the transcription service and the email system meet HIPAA security requirements. Most practices never think to evaluate this.

Traditional Landline Answering Machines

A physical answering machine on a traditional landline is generally lower risk because no third party stores the recording. However, the device should be in a secure area where unauthorized individuals cannot access it. A shared waiting room or open front desk where messages play aloud is not a compliant setup.

Common Mistakes

Five voicemail-related compliance failures appear repeatedly:

  1. Staff leaving detailed clinical information. Without training, front desk staff default to being helpful — which means leaving specific details about why the patient needs to call back. Helpful intent does not prevent a HIPAA violation.

  2. No BAA with the phone provider. The practice signs BAAs with the EHR vendor and the billing company but never considers the phone system that records and stores voicemails containing PHI.

  3. Voicemail-to-email sending PHI to unencrypted inboxes. The transcription feature is turned on by default. No one evaluated whether the email destination meets security requirements.

  4. Shared voicemail boxes without access controls. A single voicemail box accessed by all staff, with no audit trail of who listened to which messages, fails the access control and audit requirements of the Security Rule.

  5. Not verifying phone numbers before leaving messages. A voicemail left at a wrong number is an unauthorized disclosure of PHI. Staff should verify the number on file before leaving any message.

Best Practices for HIPAA-Compliant Voicemails

Compliance here is not complicated. It requires a policy, a script, and the right vendor agreements.

  • Create a standard voicemail script. Give staff exact language to use. Remove the guesswork. A compliant script is short: practice name, callback number, generic reason, request to call back.
  • Train staff and document the training. The script only works if staff know to use it. Include voicemail policy in onboarding and annual HIPAA refreshers.
  • Verify phone numbers before leaving messages. If the number on file has not been confirmed recently, confirm it before leaving a voicemail.
  • Get a BAA from your phone provider. If your VoIP or cloud phone system stores voicemail recordings, request a BAA. If the provider will not sign one, switch to one that will.
  • Evaluate voicemail-to-email. If this feature is active, confirm that the email system uses encryption and that the transcription service is covered by a BAA. If you cannot confirm both, disable the feature.
  • Document your voicemail policy. Your HIPAA policies and procedures should include a section on voicemail — OCR will look for it if a complaint is filed.

Frequently Asked Questions

Can I leave a voicemail about a patient's appointment?

Yes. Appointment reminders — including date, time, and location — are permitted under HIPAA as part of treatment operations. Keep the message to logistics. Do not include the reason for the appointment or any clinical details.

Do I need a BAA with my phone provider?

If your phone provider stores voicemail recordings digitally — which includes all cloud-based and VoIP systems — they are a business associate and a BAA is required. This applies to any service that records, stores, or transmits voicemails containing PHI on your behalf.

Is voicemail-to-email HIPAA compliant?

It can be, but only if the transcription service is covered by a BAA and the email system uses encryption that meets HIPAA security requirements. In practice, most default voicemail-to-email setups do not meet these standards. Evaluate yours before assuming it is compliant.

Can I leave voicemails on a patient's cell phone?

Yes. HIPAA does not distinguish between landlines and cell phones for voicemail purposes. The same rules apply: limit the message to the minimum necessary information. Be aware that cell phone voicemails may be played on speaker, displayed as visual transcriptions, or accessible to others with access to the device.


Voicemail compliance is not about avoiding phone calls. It is about applying the same discipline to voice messages that you apply to email, fax, and electronic records. Keep the message minimal, secure the system that stores it, and train your staff.