What Can We Leave on Voicemail Under HIPAA?
Executive summary
HIPAA does not forbid leaving voicemail messages for patients. The HIPAA Privacy Rule explicitly permits covered health care providers and pharmacies to leave messages on answering machines and to communicate with patients by phone about their care. The operational constraint is that you must apply “reasonable safeguards,” and the federal HIPAA regulator explicitly recommends limiting voicemail content because you should not assume only the patient will hear it.
In practical terms, the safest default is “callback-only” messaging (clinic name, callback number, and a minimal reference to confirm an appointment). More detailed voice messages can be defensible when the patient has requested or agreed to that mode of communication and when you can show a safeguards process (destination verification, identity verification when appropriate, and documented patient preferences).
Voicemail transcription changes the risk landscape. If your phone system or an app electronically records, stores, or transcribes messages that include PHI, the HIPAA Security Rule is typically implicated and the transcription or storage vendor can become a business associate, triggering business associate agreement obligations and security expectations.
Informational note: This report is for informational purposes only and does not constitute legal advice.
Legal framework for voicemail messages
The baseline HIPAA rule is that a covered entity may not use or disclose protected health information (PHI) except as permitted or required by the Privacy Rule. Disclosures to the individual are permitted, and disclosures for treatment, payment, and health care operations are permitted under the relevant provisions.
Voicemail to the patient is typically treated as a disclosure to the individual in support of treatment-related communication. The federal HIPAA regulator confirms that the Privacy Rule does not prohibit leaving messages on patients’ answering machines, but it emphasizes limiting the amount of information disclosed as a reasonable safeguard.
When a message is left with a family member or another person who answers the phone, HIPAA relies on a different permission pathway. 45 CFR § 164.510(b) allows certain disclosures to family, friends, or others involved in the individual’s care or payment, and when the individual is not present the covered entity may disclose only the PHI directly relevant to that person’s involvement, using professional judgment and best interest reasoning.
The safeguards requirement that controls voicemail content and process is 45 CFR § 164.530(c). It requires appropriate administrative, technical, and physical safeguards to protect the privacy of PHI and requires the covered entity to reasonably safeguard PHI to limit incidental uses or disclosures.
HIPAA right-of-access obligations also show up indirectly in voicemail workflows. 45 CFR § 164.502 requires covered entities to disclose PHI to an individual when requested and required by the right of access rule at 45 CFR § 164.524. If your staff uses voicemail to coordinate completion of access requests (for example, “your records are ready”), the voicemail still needs to be consistent with safeguards and any confidential communication preferences the patient has requested.
Reasonable safeguards for voicemail and what “reasonable” looks like
The most useful way to operationalize “reasonable safeguards” is to treat it as an engineering problem with predictable failure modes. The HIPAA regulator provides a blunt example: for voicemail, consider leaving only the entity’s name and number and only what is necessary to confirm an appointment, or ask the individual to call back. This is not framed as optional etiquette. It is framed as the practical way to meet the safeguards expectation given that other people may hear a message.
The safeguards standard is also the foundation for HIPAA’s concept of “incidental disclosures.” The Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of an otherwise permitted disclosure, but only when reasonable safeguards are in place and the minimum necessary standard is implemented where applicable. The same HHS material makes a point that matters for voicemail policy writing: the minimum necessary standard does not apply to all disclosures, including disclosures for treatment among providers, but reasonable safeguards still do. That is why voicemail programs usually adopt “less content is better” even in situations where minimum necessary technically does not drive the analysis.
Reasonable safeguards for voicemail usually fall into three categories that align with the regulator’s guidance on telehealth voice communications and on electronic communications generally. First is private setting control: making calls in private where feasible and using practical steps like lowered voices and avoiding speakerphone to limit incidental disclosure risk. Second is destination and identity control: verifying you are calling the right number and, when the individual is not known, verifying identity through reasonable methods because HIPAA does not mandate one specific identity verification technique. Third is content control: limiting what is said on messages because voicemail is inherently replayable and often accessible on shared devices.
Table A: Message type versus recommended voicemail content and safeguards
| Message type | What the regulator clearly supports | Recommended voicemail content boundary | Practical safeguards to apply |
|---|---|---|---|
| Appointment reminder | HHS expressly says you may leave appointment reminders and suggests limiting content (name, number, appointment confirmation). | “This is [clinic]. Please call us at [number] to confirm your appointment on [date/time].” Avoid reason for visit. | Confirm phone number from registration; remove detailed appointment type from the message when risk is higher; honor confidential communications requests. |
| Prescription ready or refill reminder | HHS expressly includes “prescription is ready” type messages in the voicemail FAQ and still warns to limit content. | “Your prescription is ready. Please call us.” Avoid medication name unless patient preference is documented and the risk is acceptable. | Use callback-only when possible; avoid stating drug names that can reveal conditions; confirm contact directives. |
| Lab result follow-up | HIPAA permits treatment communications by phone with reasonable safeguards, but HHS voicemail guidance still pushes toward limited content. | “Please call us about your results.” Avoid stating values, diagnosis, or test type on voicemail by default. | Require clinician callback process; identity verification on live call; document patient consent if detailed voicemail is requested. |
| Medication change or urgent care instruction | HIPAA permits treatment communication, but voicemail creates a replayable record and can be heard by others. | “Please call us as soon as possible.” Avoid specific instruction on voicemail unless there is a documented patient preference and the risk is justified. | Use escalation path (second call attempt, alternate number per patient directive, secure message); document attempts and why voicemail content was limited. |
| Sensitive diagnosis or highly stigmatizing condition | HIPAA allows treatment communications, but HHS examples and safeguards logic make specific voicemail content difficult to defend as “reasonable” absent explicit patient request and controls. | Do not name the condition. Use callback-only. | Default to live contact or secure channel; enforce patient preference and segmentation; train staff for “no specifics” rule. |
This table is intentionally conservative. HIPAA does not publish a universal “voicemail safe phrasebook.” The defensible approach is to adopt a default content-minimization rule and allow exceptions only when there is documented patient direction and a control story you can explain.
Confidential communications and documenting patient preferences
Patient preference is not just customer service. It is a HIPAA right. 45 CFR § 164.522(b) requires covered health care providers to permit individuals to request and to accommodate reasonable requests to receive communications of PHI by alternative means or at alternative locations. The regulation allows providers to require the request in writing, to require the patient to specify an alternative contact method, and to condition accommodation on how payment will be handled when appropriate. It also prohibits requiring an explanation for the request.
The voicemail FAQ from the HIPAA regulator gives concrete examples that map directly to voicemail workflows: if a patient requests calls at the office rather than at home, or requests a different mailing location, those are considered reasonable requests absent extenuating circumstances, and the covered entity must accommodate the request.
The enforcement risk is real even when the underlying disclosure was not malicious. In a published case example, the regulator investigated a hospital after an employee left a telephone message at the patient’s home number despite the patient’s instruction to contact her through a work number. The same example describes that the message included detailed medical condition and treatment plan information, and the resolution involved new procedures, staff training, and explicit direction about what information could be left in messages.
A second case example describes a general hospital leaving a message on a home answering machine and failing to accommodate the patient’s request to communicate only through mobile or work phones. The resolution included retraining and policy changes specifically for staff whose duties included leaving messages.
A clinic-grade documentation approach is to treat “contact directives” as structured data, not as free-text notes. At minimum, you need fields for primary number, approved voicemail permission level (none, callback-only, or detailed), approved alternate number, approved text or email channels, and an effective date. Because HIPAA allows you to require confidential communications requests in writing, a practical control is to capture the request on a short form or in an EHR preference module and store it in a way that front desk and clinical staff can actually see before calling.
Voicemail transcription, third-party services, and business associate risk
Voicemail transcription is where clinics often “accidentally” expand the PHI footprint. The legal hinge is whether PHI is being transmitted or maintained in electronic media and whether a vendor is doing more than transient transmission.
The definition of “electronic media” includes electronic storage and transmission media. It also clarifies that voice transmissions by telephone fall outside “electronic media” only when the information being exchanged did not exist in electronic form immediately before the transmission. Modern systems frequently store voicemail in electronic form, which shifts risk and often makes the Security Rule relevant.
The HIPAA regulator’s audio-only telehealth guidance is unusually direct about modern voice technologies. It states that the Security Rule applies to electronic PHI transmitted by, or maintained in, electronic media, and it explains that while traditional landlines are generally not electronic, VoIP and mobile technologies using electronic media are. It then lists example technologies that require Security Rule compliance, including technologies that electronically record or transcribe a session and messaging services that electronically store audio messages. These examples map closely to voicemail platforms that store recordings and generate transcriptions.
Business associate analysis is the next layer. Under 45 CFR § 160.103, a business associate includes a person who, on behalf of a covered entity and not as workforce, creates, receives, maintains, or transmits PHI for regulated functions or provides services that involve disclosure of PHI. That definition is exactly why transcription vendors and hosted voicemail platforms often become business associates.
The telehealth guidance also clarifies the conduit versus business associate line. A covered entity using a telephone to communicate with patients is not required to enter into a business associate agreement (BAA) with a telecommunication service provider that has only transient access to the PHI it transmits, because the vendor is acting merely as a conduit. But if the vendor is more than a conduit, for example an app that stores recordings or transcripts in the developer’s cloud infrastructure for later use, the covered entity needs a BAA with that vendor.
For cloud transcription and storage, the Department’s cloud computing guidance states that when a covered entity uses a cloud service provider to create, receive, maintain, or transmit ePHI on its behalf, the provider is a business associate and a HIPAA-compliant BAA is required. It explicitly states this remains true even if the cloud provider only stores encrypted ePHI and lacks the decryption key.
Retention and access are often missed. If voicemail recordings or transcriptions are stored and used to make decisions about the patient, they may fall within the “designated record set” definition, which includes records maintained by or for a covered entity that are used, in whole or in part, to make decisions about individuals. Once in the designated record set, the patient’s right of access can attach.
Incident response when voicemail goes wrong
Voicemail incidents usually come in two forms: you left a message at the wrong number, or your voicemail or transcription system leaked messages. In both, you should treat the event as an impermissible disclosure until you can prove otherwise.
A misdirected voicemail containing PHI is typically an impermissible disclosure under the Privacy Rule’s general rules, and it can become a breach-notification issue if it involves unsecured PHI and the risk assessment does not support a low probability of compromise. The breach definition presumes a breach unless the entity can demonstrate low probability using the required four-factor risk assessment.
Those factors are: the nature and extent of the PHI involved, the unauthorized person who received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Operational evidence is what makes those factors defensible. In the voicemail context, call logs and PBX records can show what number was dialed and whether the call connected, device management logs can show whether the message was retrieved through a platform, and any recipient communication can support mitigation.
Notification timelines follow a hard outer limit if the event is a breach. Individuals must be notified without unreasonable delay and no later than 60 days after discovery, and discovery is defined broadly. Additional notice to the Secretary and, for larger events, the media may apply.
HIPAA’s burden of proof rule is what turns “we did our best” into “we documented our best.” The breach notification overview states that covered entities and business associates have the burden of demonstrating that required notifications were provided or that the incident did not constitute a breach, and 45 CFR § 164.414(b) codifies that burden.
Operational controls, templates, and a short decision flow
Voicemail compliance is mostly a workflow and configuration problem. Technical controls reduce the chance you expose PHI to the wrong person, and administrative controls reduce variability in what staff say under time pressure.
Technical controls that are typically defensible under the safeguards standard include disabling voicemail previews on shared devices, requiring authentication for voicemail access, setting short retention for voicemail on endpoints while preserving clinically relevant messages in controlled systems, and routing sensitive communications to secure messaging alternatives instead of voicemail. These controls align with the telehealth guidance’s emphasis on risk analysis for electronic voice technologies and with the Privacy Rule safeguards requirement.
Administrative controls should include a script policy, a destination verification habit, and staff training tied to real workflows. The published enforcement case examples show that staff left overly detailed messages and failed to honor patient contact directives, and the resolutions involved new procedures, revised policies, and ongoing training.
Physical controls are the boring ones that prevent accidental disclosure: making calls in private where feasible, avoiding speakerphone, and not leaving messages in public spaces where others can overhear. HHS telehealth guidance explicitly cites lowered voices and avoiding speakerphone as examples of reasonable safeguards to limit incidental disclosures.
Sample scripts and forms
A safe default voicemail script grounded in the federal voicemail FAQ is: “This is [clinic name]. Please call us at [phone number].” If you must confirm an appointment, add date and time and avoid the reason for visit.
A patient preference capture form should include: approved phone numbers, whether voicemail is allowed, whether voicemail may include appointment timing, whether voicemail may include medication or results references, and the preferred alternate method of contact. HIPAA allows you to require the confidential communications request in writing, and the regulation defines conditions you may impose, such as requiring an alternate contact method and payment handling information when appropriate.
An incident log for voicemail should include: discovery time, number called, message content category, PHI types potentially disclosed, whether the recipient is known, mitigation steps, evidence preserved, the breach risk assessment conclusion, and whether patient notification was required. This structure aligns with the breach risk assessment factors and burden of proof expectations.
Table B: Checklist fields and retention anchor points
| Checklist item | Exact fields to capture | Why it matters under HIPAA | Retention anchor |
|---|---|---|---|
| Patient contact directives | Primary number; alternate number; “no voicemail” flag; voicemail permission level; effective date; staff initials | Confidential communications requests must be accommodated if reasonable, and published OCR cases show enforcement attention when clinics ignore directives. | HIPAA requires retention of required documentation for six years, and treating directives as part of your compliance documentation is defensible. |
| Voicemail script policy | Approved scripts; prohibited content list; escalation rules; training version/date | Safeguards and incidental disclosure limits depend on consistent execution. Published case examples show policy and training were required to resolve incidents. | Policies and training documentation fall under § 164.530(j) retention. |
| Vendor classification for transcription | Vendor; stores recordings (Y/N); creates transcripts (Y/N); cloud storage (Y/N); BAA status; encryption/authentication | Vendors that store recordings or transcripts can be business associates; the conduit exception does not cover vendors that create and maintain PHI for later use. | Maintain BAAs and related documentation under HIPAA documentation requirements. |
| Voicemail incident record | Dialed number; content category; evidence (PBX logs, screenshots); mitigation; 4-factor assessment conclusion | Required to justify “not a breach” decisions and to defend notification timing if it is a breach. | Event documentation supports burden of proof. |
Short decision flow for staff
If the patient has a confidential communications directive, follow it. If the directive is “no voicemail,” do not leave voicemail, and escalate to the alternate method on file.
If voicemail is allowed but you do not have explicit permission for detailed content, leave callback-only. The federal voicemail FAQ explicitly recommends limiting content to name, number, and only what is necessary to confirm an appointment, which is a defensible default.
If the system records or transcribes messages electronically, treat the platform as a PHI system. Confirm whether the vendor is merely a conduit or is creating and maintaining PHI (recordings or transcripts). If it is the latter, treat it as a business associate and require a BAA.
If a voicemail is misdirected or leaked, contain, preserve evidence, and do the breach analysis. Do not improvise. The breach framework presumes a breach unless you document low probability of compromise using the required factors.
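The decision flow above, together with the structured contact directive described under confidential communications, as an added Python example that is not part of the original report. It encodes the destination check, the “no voicemail” directive, the callback-only default, the Table A content boundaries for a documented detailed permission, and the conduit-versus-business-associate test for a transcription vendor. The directive schema, the PermissionLevel values, the message category names, the clinic details and the sample directives are assumptions constructed for illustration, not anything the regulations prescribe.

```python
# Added example: a small policy engine for the report's staff decision flow.
# Schema fields, enum values, categories and sample data are assumptions.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class PermissionLevel(Enum):
    NONE = "none"                    # directive: never leave voicemail
    CALLBACK_ONLY = "callback_only"  # default when nothing more is documented
    DETAILED = "detailed"            # patient asked, in writing, for more detail


@dataclass(frozen=True)
class ContactDirective:
    """Contact directive held as structured data, not a free-text note."""
    patient_id: str
    primary_number: str
    alternate_number: Optional[str]
    permission: PermissionLevel
    allow_appointment_timing: bool   # may a message state the date/time?
    allow_clinical_reference: bool   # may it say "prescription" / "results"?
    written_request_on_file: bool    # 164.522(b) lets a provider require writing


@dataclass
class CallPlan:
    action: str                      # "abort", "no_voicemail", "leave_voicemail"
    script: Optional[str] = None
    rationale: list = field(default_factory=list)


# Table A content boundaries for a documented "detailed" permission. Even here
# no drug name, value, diagnosis or instruction is spoken; "sensitive" is
# deliberately absent so it always falls back to callback-only.
DETAILED_PHRASES = {
    "prescription": "Your prescription is ready. Please call us.",
    "lab_result": "Please call us about your results.",
    "medication_change": "Please call us as soon as possible.",
}


def plan_voicemail(d: ContactDirective, dialed: str, category: str,
                   clinic: str, clinic_number: str,
                   appointment_when: Optional[str] = None) -> CallPlan:
    plan = CallPlan(action="abort")
    # Destination control: only a number on the directive may get a message.
    if dialed not in {d.primary_number, d.alternate_number}:
        plan.rationale.append("dialed number is not on the patient's directive")
        return plan
    # Step 1: a "no voicemail" directive wins; escalate to the alternate method.
    if d.permission is PermissionLevel.NONE:
        plan.action = "no_voicemail"
        plan.rationale.append("directive forbids voicemail; use alternate method on file")
        return plan
    # Step 2: callback-only is the default; add timing only when permitted.
    script = f"This is {clinic}. Please call us at {clinic_number}."
    if category == "appointment" and appointment_when and d.allow_appointment_timing:
        script = (f"This is {clinic}. Please call us at {clinic_number} "
                  f"to confirm your appointment on {appointment_when}.")
    detailed_ok = (d.permission is PermissionLevel.DETAILED
                   and d.written_request_on_file
                   and d.allow_clinical_reference
                   and category in DETAILED_PHRASES)
    if detailed_ok:
        script = f"This is {clinic}. {DETAILED_PHRASES[category]} Our number is {clinic_number}."
        plan.rationale.append("detailed content permitted by documented written request")
    else:
        plan.rationale.append("callback-only content per HHS voicemail FAQ")
    plan.action = "leave_voicemail"
    plan.script = script
    return plan


def vendor_needs_baa(stores_recordings: bool, creates_transcripts: bool) -> bool:
    """Step 3: a vendor that creates or maintains PHI (recordings or transcripts)
    is more than a conduit and needs a BAA; transient transmission alone does not."""
    return stores_recordings or creates_transcripts


def script_violates_policy(script: str, prohibited_terms: tuple) -> bool:
    """Screen a proposed script against the clinic's prohibited-content list."""
    lowered = script.lower()
    return any(term.lower() in lowered for term in prohibited_terms)


# Constructed sample directives (hypothetical patients and numbers).
ALICE = ContactDirective("p1", "555-0100", None, PermissionLevel.CALLBACK_ONLY, True, False, False)
BOB = ContactDirective("p2", "555-0101", "555-0102", PermissionLevel.NONE, False, False, True)
CAROL = ContactDirective("p3", "555-0103", None, PermissionLevel.DETAILED, True, True, True)

if __name__ == "__main__":
    for d, num, cat in ((ALICE, "555-0100", "lab_result"), (BOB, "555-0101", "appointment"),
                        (CAROL, "555-0103", "prescription"), (CAROL, "555-0103", "sensitive")):
        p = plan_voicemail(d, num, cat, "Example Clinic", "555-0199")
        print(d.patient_id, cat, p.action, p.script, p.rationale)
```

The point of keeping DETAILED_PHRASES as the ceiling is that a “detailed” permission level in the directive still never produces a drug name, a result value or an instruction on a replayable recording; those belong on the live callback after identity verification. A clinic that wants a richer tier can add it, but then the written request and the control story have to cover exactly that content.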
Sources
HHS OCR FAQ on leaving messages/voicemail and family member messages
https://www.hhs.gov/hipaa/for-professionals/faq/198/may-health-care-providers-leave-messages/index.html
45 CFR 164.530(c) safeguards standard (Administrative requirements)
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530
45 CFR 164.502 general permitted/required uses and disclosures; incidental disclosures reference; required disclosures under 164.524
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502
45 CFR 164.510(b) disclosures to family/friends and professional judgment when patient not present
https://www.law.cornell.edu/cfr/text/45/164.510
45 CFR 164.522(b) confidential communications requirements and conditions
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.522
45 CFR 164.524 right of access and timelines
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
HHS OCR guidance: audio-only telehealth (reasonable safeguards, identity verification, Security Rule for VoIP/digital voice, BAAs for apps storing recordings/transcripts)
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html
45 CFR 160.103 definitions (business associate definition; electronic media; ePHI concept)
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103
HHS OCR guidance: HIPAA and Cloud Computing (BAA required; CSP is BA even for encrypted no-view storage; risk analysis expectations)
https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html
HHS OCR fact sheet: incidental uses and disclosures (reasonable safeguards and minimum necessary where applicable)
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/incidentalu%26d.pdf
HHS OCR case examples including telephone message content and confidential communications failures (enforcement patterns)
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html
HHS OCR breach notification overview and burden-of-proof statement
https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
45 CFR 164.402 breach definition and four-factor risk assessment
https://www.law.cornell.edu/cfr/text/45/164.402
45 CFR 164.404 individual notice
https://www.law.cornell.edu/cfr/text/45/164.404
45 CFR 164.406 media notice threshold
https://www.law.cornell.edu/cfr/text/45/164.406
45 CFR 164.408 notice to the Secretary
https://www.law.cornell.edu/cfr/text/45/164.408
45 CFR 164.410 business associate notice to covered entity
https://www.law.cornell.edu/cfr/text/45/164.410
45 CFR 164.414 burden of proof
https://www.law.cornell.edu/cfr/text/45/164.414