I am curious about this. I found this on a lawyer’s site:

E-mails and Texts from Patients. The foregoing rules apply to e-mails or texts by the covered entity or business associate to patients; the same rules do not apply to e-mails or texts from the patient. “The Security Rule … does not apply to the patient. A patient may send health information to you using email or texting that is not secure. That health information becomes protected by the HIPAA Rules when you receive it.” (OCR Guide at p.31).
HIPAA, E-mails, and Texts to Patients or Others | Holland & Hart LLP

So this seems to say that when a provider gets communication from a patient/client, the provider has a responsibility to treat it as a confidential communication. The fact that the method of communication is in itself not secure doesn’t absolve the provider of the responsibility to keep it confidential once he or she is in possession of it.

This sounds reasonable to me. It seems like a violation to me that a provider would feel free to share a patient/client’s information with anyone just because they recieved it via a voicemail. Like the problem with voicemail is that it may be inherently insecure, not that it gives absolution to the provider to break confidentiality once he or she has recieved it.