Security & Compliance

Call Recording Consent: What a Clinic Must Get Right

If your clinic records calls, the consent question is decided by state law, not by the FCC and not by your VoIP vendor's default settings. Under federal wiretap law — 18 U.S.C. § 2511(2)(d) — it is not unlawful for a person who is a party to a communication to record it, or to record where one party has given prior consent, unless the recording is made for a criminal or tortious purpose. That is the familiar "one-party consent" baseline. But a number of states set a higher bar and require the consent of all parties. Because your patients call you from wherever they happen to be, a practice that records calls is exposed to the law of more than one state. The safe configuration — and the one nearly every practice should adopt — is to notify and obtain consent from every caller, on every recorded call, every time.

The short answer

  • Federal floor: one-party consent. A party to the call may record it.
  • State ceiling: some states require all-party consent, and penalties there can include criminal liability and civil damages.
  • The FCC: per its own consumer guidance, has no rules regarding the recording of telephone conversations by individuals, and points to state law and to state attorneys general on wiretapping.
  • HIPAA: does not prohibit recording, but a recording of a patient call is protected health information and inherits every safeguard, retention, access, and business-associate obligation that comes with PHI.
  • Practical rule: announce the recording, capture consent, and let the caller decline.

What federal law actually says

The relevant text is in the federal Wiretap Act. Section 2511(2)(d) provides that it is not unlawful for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication, or where one of the parties has given prior consent — unless the communication is intercepted for the purpose of committing a criminal or tortious act.

Two things follow. First, your practice, as a party to the call, has a federal basis to record. Second, that basis evaporates the moment the purpose becomes improper, and it does nothing to preempt a stricter state statute.

The FCC is not the authority here

Practices often assume there is an FCC rule requiring a beep tone every few seconds, or a specific recorded disclosure. The FCC's own consumer guidance says plainly that the FCC has no rules regarding recording of telephone conversations by individuals, but some state laws prohibit this practice. It refers questions about intrastate wireline recording to state public service commissions and questions about wiretapping law to state attorneys general.

What this changes: stop looking for a federal recording standard to comply with. There is no single national script that makes a recorded call safe. The controlling questions are: which states are your callers in, and can you prove you told them?

Why state law decides it

State recording statutes differ on the core question — whether one party's consent is enough or whether every party must consent — and they also differ on what counts as consent, whether the statute reaches cordless and mobile calls, and what the remedies are. Courts have read them in ways that do not always track the plain text, and legislatures amend them.

For a medical practice, three facts make this harder than it looks:

  1. You do not control where the caller is. A patient may be calling from a state whose law is stricter than yours. Assume the strictest law that could plausibly apply.
  2. Interstate calls raise the question of which state's law governs — a question you do not want to be litigating.
  3. Your staff may be remote. A softphone in a different state changes the analysis again.

None of that is a reason not to record. It is a reason to adopt all-party consent as the operating standard regardless of what your home state requires, and to confirm the current statute in each state you operate in with counsel rather than with a blog post — including this one.

Recordings of patient calls are PHI

A recording of a call in which a patient identifies themselves and discusses a symptom, an appointment, a prescription, or a bill is protected health information held by a covered entity. The HIPAA Privacy Rule's administrative requirements at 45 CFR 164.530(c) require covered entities to have appropriate administrative, technical, and physical safeguards in place to protect the privacy of PHI, and to reasonably safeguard it from any intentional or unintentional use or disclosure in violation of the rules — including limiting incidental disclosures.

In practice, that means a call recording archive is a PHI repository, and it needs to be treated like one:

QuestionWhat the practice must be able to answer
Who can listen?Role-based access, with a named list. Not "anyone with the admin password."
Where is it stored?Which vendor, which region, encrypted at rest.
Is there a BAA?If the vendor stores or transmits recordings containing PHI, you need one.
How long is it kept?A written retention period, enforced automatically — not "forever, by default."
Who has listened?An access log you can actually produce.
How is it deleted?A defined disposal path, including for exports someone dropped on a shared drive.

How to configure recording safely

  1. Decide why you are recording. Quality assurance, training, and dispute resolution are defensible purposes. "Because the platform has the feature" is not, and it creates a discoverable archive of PHI for no operational benefit.
  2. Announce it at the top of every recorded call — both inbound and outbound — and give the caller a way to proceed without being recorded.
  3. Capture the consent in the recording itself. The announcement plus the caller continuing the call is the evidence.
  4. Scope it. Do not record every queue. Recording the billing line and the triage line raises very different risk.
  5. Set retention short and enforce it in the platform. A 30-, 60-, or 90-day auto-purge is a control; a policy document nobody enforces is not.
  6. Restrict playback and export, and turn on the access log.
  7. Get a BAA covering the recording storage.
  8. Handle patient access requests. A recording that is used to make decisions about a patient may fall within their designated record set — know in advance how you would respond.
  9. Re-verify after every vendor migration. Recording defaults have a habit of coming back on.

Common mistakes

  • Recording every call by default because the platform shipped that way.
  • Announcing the recording only on inbound calls, while staff make recorded outbound calls to patients with no disclosure at all.
  • Treating a beep tone as sufficient notice in an all-party-consent state.
  • Keeping recordings indefinitely with no retention schedule, then discovering the archive during a breach investigation.
  • Exporting recordings to a laptop or a shared drive for "coaching" and leaving them there.
  • Assuming the VoIP vendor's BAA covers a third-party recording add-on that a different company operates.

Recording is genuinely useful — it settles disputes, it makes coaching concrete, and it is often the only record of what a caller was actually told. But it converts your phone system into a PHI archive and puts a fifty-state consent question on the practice manager's desk. Announce it, scope it, purge it, and log it.

Common questions

Does federal law let us record our own patient calls?

Yes. Under 18 U.S.C. § 2511(2)(d), a person who is a party to the communication, or who has one party's prior consent, may record it — unless the recording is for a criminal or tortious purpose. But federal law is a floor, not a ceiling: state law may require the consent of all parties.

Is there an FCC rule requiring a beep tone?

The FCC's consumer guidance states that the FCC has no rules regarding recording of telephone conversations by individuals, and directs people to state law. Do not build your recording policy around an FCC standard that does not exist.

Does HIPAA prohibit recording patient calls?

No. But a recording that contains PHI is PHI. It falls under the Privacy Rule's safeguard requirements, needs access controls and a retention schedule, and if a vendor stores it on your behalf, that vendor needs a business associate agreement.

What is the safest configuration for a multi-state practice?

Treat all-party consent as your standard: announce the recording at the start of every recorded call, inbound and outbound, give the caller a path to decline, and record the disclosure within the recording itself. Then confirm the current statute in each state you operate in with counsel.

Common questions

Does federal law let us record our own patient calls?

Yes. Under 18 U.S.C. 2511(2)(d), a person who is a party to the communication, or who has one party's prior consent, may record it, unless the recording is for a criminal or tortious purpose. But federal law is a floor, not a ceiling: state law may require the consent of all parties.

Is there an FCC rule requiring a beep tone on recorded calls?

No. The FCC's consumer guidance states that the FCC has no rules regarding recording of telephone conversations by individuals, and directs the question to state law and state attorneys general. Do not build a recording policy around an FCC standard that does not exist.

Does HIPAA prohibit recording patient calls?

No, but a recording that contains PHI is PHI. It falls under the Privacy Rule's safeguard requirements at 45 CFR 164.530(c), needs access controls and a retention schedule, and if a vendor stores it on your behalf, that vendor needs a business associate agreement.

What is the safest recording configuration for a multi-state practice?

Treat all-party consent as the operating standard: announce the recording at the start of every recorded call, inbound and outbound, give the caller a way to decline, and capture the disclosure inside the recording itself. Then confirm the current statute in each state you operate in with counsel.