Log in
  • Home
  • On Our Minds
  • Ethics
  • Let’s Make The “Call” Together: Ensuring Your Phone Is Keeping Clients' PHI Protected - Tiffany Chhuom, LSWAIC, CDPT, MPH, MSW

Let’s Make The “Call” Together: Ensuring Your Phone Is Keeping Clients' PHI Protected - Tiffany Chhuom, LSWAIC, CDPT, MPH, MSW

September 23, 2018 2:39 PM | Emily Fell

Do you use a phone to schedule or screen clients? Do they leave voicemails or send you text messages? If you said “yes” to either of these questions, then you need to make sure you’re using a phone service that is HIPAA compliant. How do you do so? You’ll need to sign a contract with the phone service provider called a “Business Associate Agreement”, better known as a “BAA.” This contract tells the phone service provider that they cannot use any data from your call logs, voicemail recordings or text messages for any reason. Why would service providers  want to? Because phone companies often use this data to better understand how their customers use their services and sometimes they also sell this data to third parties for marketing purposes. I know that’s scary, but don’t worry. There are several providers that will sign BAA’s with clinicians, the most common being AT&T, Verizon, and Spruce.

Which one should you go with? The goal of this article is to help you learn HOW, not what, to choose when finding a phone and voicemail provider for your practice. Each provider’s price, options and quality of service will change over time, so the selection process is key.

For example, I’ve heard wonderful stories about the ease of going with AT&T and recounts of nightmares. I’ve heard Verizon is very affordable and it’s astronomically expensive. I personally use Spruce and really like it, but it’s not perfect and some colleagues think the cost is far too high for their budget.

When choosing the right provider for you, make sure you know if the provider is a traditional phone provider, like Verizon or AT&T, OR if it’s a “VOIP”, which stands for “Voice Over Internet Protocol”. With VOIP the phone services, the voicemail recordings, and the text messages between you and clients are stored online and not on phones, or computers. This helps to lower the risk of a data breach should a phone be lost or stolen. Communicating with clients through text in an unsecure environment (e.g. your personal cell phone), actually means you’re violating several laws, codes of ethics and regulations; if you don’t have to log in to get into a separate texting application, it’s also an indicator that you’re not as protected--and neither are your clients--in your communication. While you should evaluate any VOIP provider before choosing it, most provide a free smartphone app for you and your clients to use. Each time you need to make a call, send a text or check a voicemail, you just log in--the app stores your client’s information so you can safely access it on your phone. VOIP text messaging also provides the ability to attach web links, documents, and scheduling requests easily, which is a bonus for many clinicians (stay tuned for a follow up article I’m writing about texting and compliance).

Some clients may not want to download another app and they can choose to respond to your messages through regular means. If clients prefer to go that route, just have them agree to this in a disclaimer form, signed by new clients and updated annually. Members of NASW can contact the legal team for a copy of a template technology disclaimer if you’d like an example.  VOIP plans do not require any additional minutes, just data from their phone plan, unless they are connected to WiFi. I cannot speak for others when it comes to VOIP apps, but my own clients have found the Spruce app easy to use even when they were fairly new to smartphone technology.

Regardless if you go with a VOIP provider or a traditional phone provider, here are some key questions to ask:

  1. Do you provide a free Business Associate Agreement that you and I both sign and date? Will a copy be provided to me?

  2. Will I be the only person with access to my data? Does this include deleting the data?

  3. If I put your app on my phone, will your app share data with other apps on my phone?

  4. Are voicemail messages, call logs, and text messages stored online? If so, is there firewall protection? How strong is the encryption?

  5. If my call log, voicemail messages or texts with clients are stored on my phone, how do you ensure that this data will be safe and accessible to only me in the event my phone is lost, damaged or stolen?

  6. How much does this cost monthly versus annually? Are there promotional codes or a referral reward program I could take advantage of to lower the cost?

  7. Is there a contract of service I sign with your company? If so, what penalties will I pay if I leave early?

  8. (If asking about VOIP) How large should my data plan be with my phone service provider if I will be using this service approximately ______ minutes a week/month?

  9. (If asking about VOIP) Can I be reimbursed if too many of my clients cannot use your technology because it isn’t compatible with their device (e.g. Apple’s IPad, Android tablets, Google Pixel phones)?

This may seem like a lot of questions but it is important to make the most informed choice possible about compliant phone use and your practice. I would love to hear from members about other options they’re using for their phone and voicemail needs. In a digital era, this is a difficult time for us all but I truly believe we’re in it together. Stay tuned for future articles about compliance, ethics and different forms of technology, like email, blogging and texting! I use different forms of technology, including email, blogging, and texting in my own practice and have found them both useful and safe, but it took me some time to do the research. If you don’t have time to look into these things on your own, feel free to contact me for additional help and keep an eye out for my future training events. I’ve also added some links below for your future reference. Roger that! Over and out….

 Spruce on Phone Lines and Faxes and HIPAA:


 NASW, ASWB, CSWE, & CSWA Standards for Technology:


 DOH HIPAA Security Series:


Tiffany Chhuom, LSWAIC, CDPT, MPH, MSW is a member of the WSSCSW’s  Ethics Committee and owner of Lucy in the Sky Therapy. Her practice serves adults online and in the Yelm/Rainier area. She provides therapy while also working with clinics and healthcare systems to understand technology and compliance for clinical use. She continues to strengthen her training in trauma, addiction, disability, and adult giftedness.

Washington State Society for Clinical Social Work
PO Box 252 • Everett, WA  98206 • admin@wsscsw.org

Powered by Wild Apricot Membership Software