HIPAA Compliance for Communication: Phone Calls, Voicemails, and In-Person Conversations

Verbal communication is one of the fastest ways to deliver care—and one of the easiest ways to accidentally disclose information to someone who is not authorized to receive it. HIPAA compliance for communication means building repeatable habits that reduce misdirected disclosures during phone calls, voicemails, and in-person conversations, especially in busy, semi-public environments.

1) Identity verification steps for callers

Before you share any patient-specific information over the phone, confirm you are speaking to the right person and that the person is allowed to receive the information they are requesting. Treat inbound calls as untrusted until verified.

Step-by-step: inbound caller verification

• Step 1: Identify the caller’s role and purpose. Ask: name, role/title, organization, and reason for the call.
• Step 2: Verify the caller’s contact details. Ask for a call-back number and extension; compare to approved sources (directory, credentialing list, on-call roster, EHR header, facility directory).
• Step 3: Verify patient identifiers (without leading the caller). Ask the caller to provide at least two patient identifiers (e.g., full name and date of birth). Do not supply the identifiers first.
• Step 4: Verify authorization/relationship when relevant. If the caller claims to be a clinician involved in care, verify affiliation and involvement (unit, attending service, consult team). If the caller is a family member, follow your organization’s process for verifying the patient-designated contact or code word (if used).
• Step 5: If anything feels off, stop and switch to a safer method. Use call-back procedures, route to the unit clerk/supervisor, or request written verification through approved channels.

Caller verification checklist (quick)

• Caller name + role/title
• Organization/facility + department/unit
• Call-back number from an approved source (not only what they provide)
• Patient identifiers provided by caller (not prompted)
• Reason for request is clear and appropriate
• Any red flags addressed (urgency pressure, refusal to verify, inconsistent details)

Sample phrases (inbound calls)

• To start verification: “Can I get your full name, role, and the department you’re calling from?”
• To avoid leading: “Please tell me the patient’s full name and date of birth.”
• To pause disclosure: “I’m not able to discuss details until I verify your identity and connection to the patient.”
• To handle pressure: “I understand it’s urgent. I still need to verify you first—let’s do a quick call-back through the main number.”

2) Use call-back procedures and approved contact numbers

Call-back procedures reduce the risk of imposters and misdirected disclosures. The core idea: do not rely solely on the phone number that appears on caller ID or the number the caller provides.

Step-by-step: safe call-back workflow

• Step 1: End the initial call politely. Explain you will call back using an approved number.
• Step 2: Locate an approved number. Use your facility directory, the hospital operator, an on-call schedule, credentialing resources, or a known internal extension list.
• Step 3: Call back and re-verify. Confirm the person’s identity again and confirm they are the intended recipient.
• Step 4: Share information only after verification. Keep the discussion limited to what is needed for the stated purpose and document per your policy when required (e.g., critical results reporting workflows).

Approved numbers: what counts

• Hospital main line/operator transfer to a verified extension
• Published clinic/hospital directory number
• Internal secure directory (on-call roster, staff directory)
• Numbers stored in the EHR for the provider/clinic (if your organization treats these as verified)

What to avoid

• Calling back the number the caller gives you without independent verification
• Relying on caller ID alone
• Sharing details “just this once” because the caller sounds confident or urgent

3) Handling voicemails: what to say and what to avoid

Voicemail is inherently risky because you cannot control who hears it, whether it is transcribed, or whether it is played on speaker. Use the least revealing message that still accomplishes the goal: prompting a call back through an approved channel.

Practical rules for leaving voicemails

• Prefer a call-back request over clinical details. Leave your name, department, and a call-back number.
• Do not include sensitive clinical details. Avoid diagnoses, test results, procedures, medications, or anything that could reveal the reason for care.
• Avoid confirming the patient is receiving care at your facility unless your policy explicitly allows it and the patient has agreed to that contact method.
• Be cautious with names. If your policy permits using the patient’s name, keep the rest of the message minimal. If not, use a generic message without the patient’s name.
• Follow patient communication preferences. If the patient has specified “no voicemail” or specific numbers only, comply.

Safe voicemail templates (examples)

• Generic call-back: “Hello, this is [First Name] from [Clinic/Department]. Please call us back at [number] between [hours].”
• Appointment-related (minimal): “This is [Name] calling from [Clinic]. We’re calling about your upcoming appointment. Please call [number].”
• For a family contact when permitted by policy: “This is [Name] from [Unit/Clinic]. Please call me back at [number] regarding your request.”

What to avoid saying in voicemail (examples)

• “Your HIV test was positive—call us back.”
• “Your CT showed a mass; the doctor wants to discuss cancer treatment.”
• “We’re calling from the oncology clinic about your chemotherapy schedule.”
• “Your father’s lab results are abnormal; he’s in room 412.”

Voicemail decision checklist

• Do we have permission to leave a voicemail at this number?
• Is this the patient’s preferred contact method?
• Can the message be limited to a call-back request?
• Am I avoiding diagnosis/treatment/location details?

4) Discussing care at the bedside while respecting roommates and visitors

Bedside conversations are necessary for care, but they often occur within earshot of roommates, visitors, and staff passing by. The goal is to communicate effectively while controlling who can hear.

Continue in our app.

• Listen to the audio with the screen off.
• Earn a certificate upon completion.
• Over 5000 courses for you to explore!

Or continue reading below...

Download the app

Step-by-step: bedside conversation safeguards

• Step 1: Scan the environment. Identify who is present (roommate, visitors, staff) and how close they are.
• Step 2: Ask the patient who may stay. Use a neutral question that gives the patient control.
• Step 3: Lower your voice and position yourself. Stand close to the patient, face them, and avoid projecting toward the doorway or roommate.
• Step 4: Offer privacy options for sensitive topics. Suggest stepping out, using a curtain, moving to a consult room, or returning later.
• Step 5: Use “chunking.” Share essential information at bedside; defer sensitive details to a more private setting when feasible.

Sample phrases (bedside)

• Visitor check: “Is it okay if we talk about your care while [name/your visitors] are here, or would you prefer privacy?”
• Roommate awareness: “I’m going to close the curtain and speak quietly. If you’d like, we can discuss the more sensitive parts in a private area.”
• Deferring sensitive details: “I can go over the general plan now, and we can review the detailed results in a more private space.”

Practical tips for shared rooms

• Use curtains, but remember they reduce visibility more than sound—still lower your voice.
• Avoid reading full lab panels or detailed histories aloud if others can hear.
• When possible, use written materials or show results on the screen directly to the patient rather than speaking them loudly.
• Be mindful of whiteboards and bedside displays if they are visible to visitors; follow your unit’s display practices.

5) Hallway and elevator risks (and how to prevent them)

Hallways, nurses’ stations, cafeterias, and elevators are high-risk areas because you cannot control who is listening. Even if you do not use a patient name, details can identify a patient (room number, unique condition, family situation, or timing).

Common risky behaviors

• Giving report or discussing results at the nurses’ station where visitors are nearby
• Talking about a patient by room number in an elevator
• Discussing “interesting cases” in public areas
• Taking speakerphone calls in hallways

Safer alternatives

• Move to a designated report room or closed office for handoffs.
• Use secure, approved communication tools for quick coordination (per your organization’s policy).
• If you must speak briefly, keep it non-identifying and minimal until you reach a private area.

Sample phrases to stop a risky conversation

• “Let’s step into a private area before we continue.”
• “We’re in a public space—can we move this to the report room?”
• “I can’t discuss patient details here. I’ll call you back from a private location.”

6) Using interpreters appropriately (including phone/video interpretation)

Interpreters help ensure accurate communication and patient understanding. Privacy risks arise when untrained individuals interpret, when speakerphone is used in public areas, or when family members are asked to interpret sensitive information.

Practical safeguards

• Use qualified interpreters per policy. Prefer your organization’s approved in-person, phone, or video interpreter services.
• Avoid using family members as interpreters for clinical discussions unless your policy allows it under limited circumstances and the patient agrees; even then, consider privacy and accuracy risks.
• Control the environment. Use a private room when possible; avoid speakerphone in hallways or shared spaces.
• Introduce roles and confidentiality. Confirm the interpreter is connected and that the patient understands who is on the line.
• Speak in short segments. This reduces errors and limits repeated sensitive details.

Sample phrases (with interpreters)

• To the patient: “We’re going to use a professional interpreter to make sure we communicate clearly. Everything we discuss is private.”
• To the interpreter: “Please interpret exactly what is said, in the first person, and let me know if anything is unclear.”
• When family offers to interpret: “Thank you. For accuracy and privacy, we use a professional interpreter. You’re welcome to stay if the patient wants you here.”

Scenarios and how to respond

Scenario A: Caller claims to be a physician

Situation: A caller says, “This is Dr. Patel. I need the patient’s latest potassium and EKG findings right now.” The caller sounds confident and urgent.

Risks: Impersonation; wrong recipient; disclosure without verification.

Recommended response (script + steps):

• “I can help, but I need to verify your identity first. What is your first and last name, department, and call-back number?”
• “Which service are you on, and what is your relationship to the patient?”
• “I’m going to call you back through the hospital operator/on-call list to confirm.”
• Call back using an approved number; re-verify; then share the needed information per your workflow.

Red flags that require escalation: refusal to provide details, anger at verification, inconsistent unit/service information, insistence on using a personal cell number not in approved sources.

Scenario B: Family member asks for lab results

Situation: A caller says, “I’m her daughter. Can you tell me her lab results from today? I’m really worried.”

Risks: The caller may not be the authorized contact; the patient may not want results shared by phone; voicemail/call recording risks.

Recommended response (script + steps):

• “I understand you’re concerned. Before we talk about anything, I need to verify who I’m speaking with and confirm what we’re allowed to share.”
• Collect caller name, relationship, call-back number; verify against your organization’s approved contact/verification process.
• If verification/permission is not confirmed: “I’m not able to share results by phone right now. The best next step is [approved process: have the patient call, speak with the care team during visiting hours, or use the patient portal if applicable].”
• If verified and permitted: share only what is necessary for the purpose, and avoid leaving detailed results on voicemail.

Scenario C: Nurse giving report in a semi-public area

Situation: Shift change is busy. Two nurses begin a detailed handoff at the nurses’ station while visitors are seated nearby.

Risks: Visitors or other patients overhear identifiers, diagnoses, or sensitive details.

Recommended response (script + steps):

• Use an interruption phrase: “Let’s move this report to the report room so we’re not discussing patient details out here.”
• Relocate to a private area; lower voices; keep screens angled away from public view.
• If relocation is not immediately possible, do a minimal, non-identifying safety handoff first (e.g., urgent tasks), then complete full report privately.

Quick reference: communication safeguards checklists

Phone call checklist

• Verify caller identity and role
• Verify patient identifiers (caller provides them)
• Use call-back via approved number if any doubt
• Avoid discussing details if others can overhear your side of the call
• Document per policy when required (e.g., critical results)

Voicemail checklist

• Confirm permission/preference to leave voicemail
• Leave only name, department, call-back number, and minimal purpose
• No diagnoses, results, procedures, medications, or location details

In-person conversation checklist

• Check who is within earshot
• Ask patient preference about visitors
• Lower voice; position close; avoid doorways
• Move sensitive discussions to a private area when feasible
• Stop and relocate if conversation drifts into identifiable details in public spaces