HIPAA does not prohibit leaving a voicemail. This is one of the most persistent myths in a medical front office, and it causes real harm — practices that believe voicemail is banned end up not reaching patients at all. HHS says the opposite, plainly: the Privacy Rule does not prohibit covered entities from leaving messages for patients on their answering machines. What the rule does is constrain what goes in the message, and impose a second obligation most clinics forget entirely: if a patient asks you to call them somewhere else, you generally have to. The second one is where the enforcement actions live.
The short answer
| Question | Answer | Source |
|---|---|---|
| May we leave a voicemail? | Yes | HHS FAQ 198 |
| May we say anything we want in it? | No — limit the information disclosed | HHS FAQ 198; minimum necessary |
| Must we call an alternative number if asked? | Yes, if the request is reasonable | 45 CFR 164.522(b) |
| Is "call the office at work instead of home" reasonable? | Yes, absent extenuating circumstances | HHS FAQ 198 |
| Does transcription to email change things? | Yes — it becomes ePHI | Security Rule, 164.302–318 |
Minimum necessary, applied to a 12-second message
HHS's guidance is practical rather than prescriptive:
The operating principle is that a voicemail is heard by whoever is standing near the machine. So the question to ask before every message is not "is this true?" but "what is the least I can say and still accomplish the call?"
Two categories deserve particular care. Test results and clinical detail are the obvious ones. The less obvious one is the practice name itself: if your practice name announces a specialty, then "this is the county oncology clinic calling" has already disclosed a condition before you said anything else. For specialty practices, a message that gives a callback number and a neutral identifier is worth thinking about deliberately.
The rule that catches clinics out
45 CFR 164.522(b) is short and it is the one to know. A covered health care provider must accommodate reasonable requests by individuals to receive communications of PHI by alternative means or at alternative locations.
Note what it does not say. It does not say you may accommodate. For a health care provider, the accommodation of a reasonable request is required, and the provider may not require the individual to explain why they are asking. HHS states that a request to receive calls at the office rather than at home is a reasonable request, absent extenuating circumstances.
The reason this is a phone system problem and not just a policy problem is that the request has to survive the trip from the front desk into the system that actually dials. A note in a chart that the reminder engine never reads is not an accommodation. If your reminder calls are automated, the alternative-contact flag has to be a field the automation honors — not a comment a human is supposed to notice.
What it looks like when it goes wrong
OCR publishes case examples, and one of them is precisely this fact pattern. A hospital employee left a telephone message with a patient's daughter that detailed both the patient's medical condition and treatment plan. Two separate failures in one call: the minimum necessary standard was not observed, because the message contained far more than was needed; and the confidential communications requirements were not followed, because the employee left the message at the patient's home number despite the patient's instruction to be contacted through her work number.
That is the shape of the risk. Not a breach of the phone system — a staff member being helpful and thorough on a call, into the wrong number, having never been told the patient had asked otherwise.
A voicemail script that holds up
A defensible default, and it takes eight seconds:
What it contains: who to call, and the number. What it omits: why. The patient knows why. The person in the kitchen does not need to.
Variants worth having written down:
- Appointment confirmation. HHS names this as an appropriate purpose. "Calling to confirm your appointment on Thursday at 2pm" is within the example HHS gives. "Calling to confirm your appointment Thursday at 2pm for your infusion" is not the same message.
- Results. Do not leave them. "We have results to discuss, please call" is a callback request, not a result.
- Prescription ready. HHS's FAQ addresses pharmacies informing patients a prescription is ready. Naming the medication is a different disclosure from saying a prescription is ready.
- No answer, no machine identification. If the voicemail greeting does not identify the person and you cannot confirm the number, leave your name and number only, or nothing.
Voicemail-to-email turns a call into ePHI
This is the part specific to a modern phone system and it is regularly missed.
A spoken voicemail is a Privacy Rule question. The moment your system transcribes that message and emails it, or stores the audio file on a server, the content becomes electronic protected health information — and the Security Rule applies to it in full. That means access controls, audit controls, transmission security, and everything else in 164.312, applied to a message that used to be a blinking light on a desk phone.
Three consequences follow:
- The transcription vendor is handling ePHI on your behalf. That is a business associate relationship, requiring satisfactory assurances documented in a written contract under 164.308(b) and 164.314(a). If transcription is a feature your VoIP provider enabled by default, check whether your BAA covers it.
- Where does the email land? A transcript delivered to a personal inbox, or to a shared front-desk mailbox that six people access with one password, is an access control problem you did not know you had.
- Retention. Voicemail audio and transcripts accumulate silently, often indefinitely, on someone else's infrastructure. Decide how long you keep them and whether the system honors it.
The same logic applies to a patient leaving you a message. Inbound voicemail routinely contains symptoms, medication names, and requests — PHI you did not solicit, now stored electronically. That mailbox is in scope.
A phone system checklist
- Is there an alternative-contact field the reminder automation actually reads?
- Do individual voicemail boxes have individual passcodes, and were the defaults changed?
- Who can hear the shared mailbox? List them by name.
- Is transcription on? If so, where do transcripts go, and is it in the BAA?
- Retention. How long do audio and transcripts live, and who deletes them?
- Is voicemail reachable from outside with just a passcode? Treat that as remote access to PHI.
- Speakerphone at the front desk. A message played aloud at check-in is an incidental disclosure the Privacy Rule expects you to reasonably safeguard against.
- Is the script written down, and is it in your training material rather than in one person's habits?
Leaving a message with a person
Leaving a message with a family member is a different analysis from leaving one on a machine, and it is worth separating. The Privacy Rule permits disclosure to family and others involved in an individual's care in defined circumstances, but that is a judgment about involvement and permission — not an assumption that whoever answers the phone qualifies.
The practical rule for a front office is narrower and safer: the fact that a person answered the phone tells you nothing about their role. If you did not reach the patient, leave your name and your number. The OCR case example above is exactly what happens when a thorough, well-intentioned employee treats the person who picked up as the person they called.
The takeaway
Voicemail is allowed. HHS says so directly, and a practice that refuses to leave messages is solving a problem it does not have while creating one it does. The two real obligations are narrower and more specific: say less — name, number, callback — and honor the alternative number, because 164.522(b) makes reasonable requests mandatory for providers, and a request that never reaches the dialer has not been honored.
Then check whether your system is quietly turning those calls into email. That is the one that converts a phone question into a Security Rule question, and it usually happened because a feature was on by default.
Common questions
Can a doctor's office leave a voicemail for a patient under HIPAA?
Yes. HHS states that the Privacy Rule does not prohibit covered entities from leaving messages for patients on their answering machines. What it requires is that you reasonably safeguard the individual's privacy by limiting the amount of information disclosed. HHS's own suggested approach is to consider leaving only the practice name and number and whatever else is necessary to confirm an appointment, or simply asking the individual to call back. The message is permitted. Its contents are what the rule constrains.
What can you legally say in a healthcare voicemail?
There is no fixed list, because the standard is minimum necessary rather than a set of approved words. In practice a defensible message is the practice name, a callback number, and the least detail that accomplishes the purpose of the call. HHS specifically offers confirming an appointment or asking the patient to call back as examples of appropriately limited content. Test results, diagnoses, treatment details, medication names, and specialty information that reveals a condition are the categories to keep out of a message that anyone in the household might hear.
Does HIPAA require a provider to call a patient at a different number if they ask?
Yes, where the request is reasonable. Under 45 CFR 164.522(b), a covered health care provider must accommodate reasonable requests by individuals to receive communications of PHI by alternative means or at alternative locations. HHS states directly that a request to receive calls at the office rather than at home is considered a reasonable request, absent extenuating circumstances. This is one of the most commonly missed obligations in a clinic, because honoring it depends on the request actually reaching the phone system and the staff.
Is voicemail transcription sent to email covered by HIPAA?
If the transcription contains PHI, then yes, and the analysis changes. A spoken message is a Privacy Rule question. A transcribed message sitting in an email inbox is electronic protected health information, which brings the Security Rule at 45 CFR 164.302 through 164.318 into scope, including access controls, audit controls, and transmission security. It also means the vendor performing the transcription is creating, receiving, or maintaining ePHI on your behalf, which requires a business associate agreement under 164.308(b) and 164.314(a).