The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to ensure each individual’s health information is protected through confidential handling. HIPAA consists of five titles meant to safeguard protected health information (PHI). PHI may include health insurance information as well as any other identifiable information such as medical history, test results, and demographic data. It’s imperative for any hospital, nursing home, or other health care organization to use a HIPAA compliant contact center. HIPAA helps to determine who exactly should be allowed access to medical information — a concern that continues to grow in the digital age where constant data breaches occur.
Who must be compliant?
HIPAA rules apply to more than health care providers and insurance agencies; they also apply to business associates of covered entities who handle PHI. “Covered entities” include all health care providers, health insurance providers, and any health care billing services or health information management systems. “Business associates” is an umbrella term for organizations that work as vendors or service providers to covered entities and are allowed to handle protected information. Such business associates could include data service providers, medical equipment vendors, external accountants, or electronic health information exchanges. Whether the organization is a hospital, private drug rehab center, or anything else that handles patient and billing information, its call center software and practices must be HIPAA compliant.
The greatest benefits of HIPAA compliance naturally go to the patients. HIPAA requires companies to establish safeguards for sensitive information, and they stand to lose more than just their reputations if they don’t. All health information is stored and transferred with strict security rules, and patients have control over who their information can be released to. Patients are able to take more active roles in their health care and can receive copies of their records to check for errors. Patients are also able to use their records to make it easier to transfer to new health care providers in the future, something that wasn’t guaranteed before HIPAA.
HIPAA has also been beneficial to health care organizations transitioning from paper records to electronic records. Administrative functions have been streamlined, and having standards for technical safeguards helps protect electronic information from hackers.
Electronic PHI handling
Since HIPAA was updated in 2013, health care organizations will generally only work with call centers that have been verified to transmit EPHI in compliance with HIPAA. This means that any emails, texts, or other communications carried out by a contact center have to obey HIPAA privacy rules. All emails containing EPHI must be stored using a secured method of email archiving, and contact centers generally put their own methods of secure texting in place to safeguard against unauthorized access to EPHI, whether accidental or intentional.
Text messages regarding EPHI can typically be sent only over a private company network, which will require administrator information and a PIN code. Security measures will prevent the transfer of data outside the network or the copying of documents, and if a breach is detected, the communication in question can be retrieved and deleted. EPHI communications will also have encryption in place to ensure they are unreadable if they ever make it onto a public network.
HIPAA violations and penalties
The Department of Health and Human Services enforces HIPAA security rules through its Office for Civil Rights, which will conduct regular compliance reviews as well as investigate any complaints made regarding HIPAA. Violations can quickly get expensive, depending on the severity of the negligence, with fines reaching up to $50,000 per violation. In cases where offenses are committed knowingly, fines can be even higher, and criminal charges can result in prison time. Any call center handling PHI should go through a HIPAA compliance checklist to ensure its security measures and best practices are up to date.