Key Takeaways
- Unwanted robocalls are the FCC's top complaint and pose serious HIPAA risks to healthcare practices.
- Spam calls can lead to unauthorized disclosure of PHI, caller ID spoofing, and disruption of critical communications.
- HIPAA-compliant VoIP phone systems with spam screening are essential for protecting patient data.
- Healthcare practices must comply with both HIPAA and TCPA/TRACED Act requirements.
- Staff training helps prevent vishing attacks and unauthorized disclosure of information.
Unwanted calls, including illegal and spoofed robocalls, are the FCC’s top consumer complaint. For physician practices, they disrupt doctor-patient communication, waste staff time, and diminish overall operational efficiency. Spam calls can also lead to unauthorized disclosure of protected health information (PHI), regulatory penalties, and damage to your practice’s reputation.
Why Spam Calls Matter in Healthcare
Spam calls targeting healthcare practices take several forms, and understanding these risks is the first step in building comprehensive protection for your practice and its patients. Types of spam calls include:
- Unauthorized Disclosure: Sharing PHI over the phone without verifying the caller’s identity can lead to HIPAA violations. These violations occur when front desk or billing staff inadvertently confirm appointments, discuss treatment details, or verify insurance information with someone pretending to be authorized to receive such information.
- Caller ID Spoofing: Scammers use fake numbers to appear legitimate, which is how they sometimes trick staff into disclosing secure information.
- Non-Compliant Marketing Calls: The Telephone Consumer Protection Act (TCPA) requires express written consent for marketing calls, including calls made to promote services or to collect a debt.
- Robocalls and Automated Messages: Prerecorded messages should not include PHI and must meet strict requirements for formatting and frequency.
5 Spam Call Prevention Strategies to Keep Patient Data Secure
Spam calls pose a persistent threat to healthcare practices like yours, but there are steps you can take to reduce your risk and protect patient data. Use a layered approach that combines technology, policy, and training. Here are five ways physician practices can mitigate spam calls and keep patient data secure:
1. Understand Robocall Rules and Regulations
The U.S. government has taken steps to limit robocalls. While HIPAA governs the protection of patient data, the TCPA and the Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act regulate how and when healthcare entities can contact patients through automated systems. For day-to-day practice operations, focus on reducing spoofed calls and having a clear process for opt-outs and suspicious callers. Understanding these requirements is essential for your practice to maintain compliance and mitigate costly penalties.
TRACED Act Provisions
Passed in 2019, the TRACED Act increases fines for illegal robocalls from $1,500 to up to $10,000 per call. This legislation requires the FCC to mandate the STIR/SHAKEN caller identification framework, which enables phone companies to verify that the caller ID information transmitted with a call matches the caller’s real phone number.
The STIR/SHAKEN framework authenticates caller ID information across voice-over-Internet-Protocol (VoIP) networks. The goal is to help combat caller ID spoofing and ensure that the phone number displayed matches the actual caller. To maintain compliance and protect patients from fraudulent calls, medical practices should ensure their phone systems support this framework.
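What "the phone number displayed matches the actual caller" means in practice is that the originating carrier signs a small token (a PASSporT, RFC 8225 with the "shaken" extension) naming the originating number and an attestation level, and the terminating carrier verifies that signature before trusting the caller ID. The following is an added example, not code from the original article or from any RingRx product: it builds and verifies such a token in Go. It assumes an in-memory P-256 key standing in for a carrier's STI certificate, a placeholder certificate URL and origid, and constructed phone numbers; a real verifier would also fetch the certificate named in x5u and validate it against the STI-PA trust chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// MaxPassportAge is the freshness window for the iat claim, in seconds
// (RFC 8224 recommends rejecting PASSporTs older than about a minute).
const MaxPassportAge = 60

var b64 = base64.RawURLEncoding

// Header and claims of a SHAKEN PASSporT (RFC 8225 plus the RFC 8588 "shaken" extension).
type passportHeader struct {
	Alg string `json:"alg"`
	Ppt string `json:"ppt"`
	Typ string `json:"typ"`
	X5u string `json:"x5u"`
}

type passportClaims struct {
	Attest string `json:"attest"` // A = full, B = partial, C = gateway attestation
	Dest   struct{ TN []string `json:"tn"` } `json:"dest"`
	Iat    int64  `json:"iat"`
	Orig   struct{ TN string `json:"tn"` } `json:"orig"`
	OrigID string `json:"origid"`
}

// NewSigningKey stands in for the key behind a carrier's STI certificate.
// Assumption for this example: the key is generated in memory and trusted directly.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignPassport is the originating-carrier side: it asserts orig, dest and attest for one call.
func SignPassport(priv *ecdsa.PrivateKey, orig, dest, attest string, iatUnix int64) (string, error) {
	hdr, _ := json.Marshal(passportHeader{Alg: "ES256", Ppt: "shaken", Typ: "passport",
		X5u: "https://cert.example/sti.pem"}) // placeholder certificate URL
	var c passportClaims
	c.Attest, c.Iat, c.OrigID = attest, iatUnix, "example-origid" // placeholder per-call ID
	c.Orig.TN, c.Dest.TN = orig, []string{dest}
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256: r || s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyPassport is the terminating-carrier check: valid signature, fresh token, and the
// number that would be displayed equals the attested originating number. It returns the
// attestation level so the call can be labelled or screened accordingly.
func VerifyPassport(pub *ecdsa.PublicKey, token, displayedCallerID string, nowUnix int64) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed PASSporT")
	}
	rawHdr, err1 := b64.DecodeString(parts[0])
	rawBody, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 {
		return "", errors.New("bad PASSporT encoding")
	}
	var hdr passportHeader
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr.Alg != "ES256" || hdr.Ppt != "shaken" {
		return "", errors.New("unsupported PASSporT header")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // signature covers header.claims
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return "", errors.New("PASSporT signature invalid")
	}
	var c passportClaims
	if err := json.Unmarshal(rawBody, &c); err != nil {
		return "", errors.New("bad PASSporT claims")
	}
	if age := nowUnix - c.Iat; age < -MaxPassportAge || age > MaxPassportAge {
		return "", errors.New("PASSporT outside freshness window")
	}
	if c.Attest != "A" && c.Attest != "B" && c.Attest != "C" {
		return "", errors.New("unknown attestation level")
	}
	if c.Orig.TN != displayedCallerID {
		return "", fmt.Errorf("caller ID %s does not match attested number %s", displayedCallerID, c.Orig.TN)
	}
	return c.Attest, nil
}

func main() {
	priv, _ := NewSigningKey()
	now := time.Now().Unix()
	tok, _ := SignPassport(priv, "12025550123", "12025550199", "A", now) // constructed numbers
	for _, shown := range []string{"12025550123", "12025550777"} {   // genuine vs. spoofed display
		attest, err := VerifyPassport(&priv.PublicKey, tok, shown, now)
		fmt.Printf("displayed %s: attest=%q err=%v\n", shown, attest, err)
	}
}
```

The second iteration in main models a spoofed call: the signed token names one number while the caller ID presented to the practice is another, so verification fails before the call is ever labelled as attested. Note that a valid signature with attestation "C" only means a gateway vouched for the call entering the network, not that the originating number was confirmed, which is why screening tools treat the level as a signal rather than a guarantee.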
2. Conduct Thorough Staff Training
Staff training is where most practices succeed or fail at spam call defense. The goal is a consistent response when a caller sounds legitimate but is pushing for details.
- Train staff to recognize vishing and spoofing patterns and to slow the call down when something feels off.
- Don’t confirm appointments, insurance, or balances until the caller’s identity and authorization are verified.
- Don’t share login credentials or payment details on inbound calls.
- If a caller pressures staff to “just confirm one thing,” hang up and call back using a known number from the chart, your website, or your official vendor contact list.
- Run quick refreshers quarterly and after any incident so the process stays consistent across front desk, billing, and clinical teams.
3. Follow HIPAA Call Best Practices
Your staff’s adherence to HIPAA-compliant call practices is crucial to protecting your patients’ privacy. Best practices for HIPAA-compliant telephone calls include:
- Verifying the caller’s identity: Before sharing any PHI, ask for at least two patient identifiers, such as date of birth and address.
- Limiting disclosures to the minimum necessary: Share only the information needed to address the caller’s request.
- Using private spaces for phone conversations: Avoid using a speakerphone in public or open areas.
- Limiting voicemail content: When leaving a voicemail, limit the message to basic details such as the practice name and callback number. Avoid including diagnoses, test results, or treatment plans.
- Following written policies: Ensure that the practice’s HIPAA policies are clear, accessible, and consistently applied by all team members.
- Staying alert for scams: Do not share login credentials, account information, or payment details over the phone with unsolicited callers. When in doubt, hang up and call the verified number back.
4. Document Your Call-Handling Policy
Written call rules prevent drift, especially as staff rotate between front desk, billing, and clinical support. Keep the policy short, and make it easy to find.
- Document how staff should verify identity before discussing anything patient-related.
- Document what’s permitted in voicemails and how to handle opt-outs for automated reminders.
- Document when to escalate suspicious calls.
Keeping this in writing makes training faster, reduces “everyone does it differently,” and gives you a reference point when you update workflows or onboard new staff.
5. Choose a HIPAA-Compliant Phone System
Implementing a HIPAA-compliant communications platform with the latest features and spam call protection is essential. Not every phone system is HIPAA-compliant. When selecting a phone service for your practice, ensure that you:
- Use a HIPAA-compliant phone service with appropriate security safeguards
- Employ secure communications platforms with Business Associate Agreements (BAAs) for any third-party call or text services
- Implement systems with built-in spam screening and call reputation features
- Use a phone system that supports the STIR/SHAKEN framework for caller authentication
- Choose a solution that creates a complete audit trail, enforces access controls, and demonstrates your commitment to protecting patient information during regulatory reviews
FCC guidelines state that calls from healthcare providers to patients should start with the covered entity stating their name and the reason for the call. Calls may last no longer than 60 seconds, and covered entities may contact individuals no more than three times per week.
RingRx helps practices reduce spam calls without adding more tools for your staff to manage. In a free trial, you can test spam screening with Privacy Defender and Call Reputation, see how many nuisance and suspicious calls get flagged before they reach your team, and confirm your front desk workflow stays fast and consistent while you protect patient information.