I think this is why the wording on hipaa documents specifies, "information we COLLECT from you." If you just throw the information at them when they weren't looking, it's not covered under hipaa, why should it be? If you google this, you will see that some drs advertise having secure voicemail service - that makes me think it's not mandated, it's an extra. But I'm looking at this as a computer analyst would - to me, it's not in the specifications. As a client, if you're not comfortable, then leave. But I don't think it's actionable. I could be wrong - there's a first time for everything