HIPAA Definitions & Questions Answered
To understand what a HIPAA compliant answering service can do for your organization, every Covered Entity should first be clear on a few key definitions.
Doctors' offices, hospitals, hospices, and other healthcare organizations were required to be HIPAA/HITECH compliant by September 23, 2013, the compliance date set by the final Omnibus Rule published in January 2013.
HHS - The US Department of Health and Human Services is the federal agency that administers and enforces HIPAA; enforcement of the Privacy and Security Rules is handled by its Office for Civil Rights (OCR).
HIPAA - The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104–191, 110 Stat. 1936, enacted August 21, 1996) was enacted by the United States Congress and signed by President Bill Clinton in 1996. It is also known as the Kennedy-Kassebaum Act after two of its leading sponsors. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The Privacy Rule and Security Rule that govern PHI were issued by HHS under Title II.
HITECH ACT - The Health Information Technology for Economic and Clinical Health Act of 2009 anticipates a massive expansion in the exchange of electronic protected health information (ePHI). It widens the scope of the privacy and security protections available under HIPAA, increases potential legal liability for non-compliance, makes business associates directly liable for compliance with the Security Rule, and provides for stronger enforcement of the HIPAA rules.
OMNIBUS - In January 2013 the HHS Office for Civil Rights issued a final rule, commonly called the Omnibus Rule, that implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Covered Entity - Under HIPAA, a covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with a HIPAA standard transaction (claims, eligibility checks, and the like). In practice this covers almost any organization that directly handles Protected Health Information (PHI) or Personal Health Records (PHR). The most common examples of covered entities are hospitals, doctors' offices, and health insurance providers.
Covered entities are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) mandates for the protection of PHI and PHR.
Business Associate - As defined by the Health Insurance Portability and Accountability Act (HIPAA), a business associate is any organization or person that performs a function or service on behalf of a covered entity and, in doing so, creates, receives, maintains, transmits, or discloses Protected Health Information (PHI) or Personal Health Records (PHR).
Examples of business associates include answering services, hosted solution providers, and accounting or consulting firms that work with covered entities such as hospitals or doctors, or any number of other organizations that have, or could have, access to PHI or PHR. Since the Omnibus Rule, a subcontractor of a business associate that handles PHI is itself a business associate.
Does an answering service have to be HIPAA Compliant?
The answer is YES !!!
If your office or organization operates within the healthcare industry and directly handles patients' protected health information (PHI), then your organization is considered a Covered Entity. Therefore, if you utilize the services of a medical answering service or medical dispatch center, and these business partners have access to any of your patients' health information or store and transmit PHI electronically, then the answering service or call center is considered your HIPAA Business Associate and must comply with HIPAA/HITECH/OMNIBUS. You must have a signed Business Associate Agreement (BAA) with them before they receive any PHI. In addition, your answering service must audit all business relationships with its own vendors that could touch PHI, such as shredding companies and answering service software vendors, and maintain Sub-Contractor Business Associate Agreements with each of them.
Is Alpha Paging and/or Numeric Paging HIPAA Compliant?
The answer is NO !!
Traditional transmission methods such as alphanumeric paging are not considered secure, and therefore NOT HIPAA compliant, because the page is broadcast over the air with no encryption and no password protection of the PHI being electronically transported: anyone with a receiver tuned to the carrier frequency can read every message sent to that pager. Some answering services and medical offices, fearing the loss of this antiquated technology, have revised their policies to transmit only the patient's name and telephone number, arguing that a name and telephone number are not PHI since that information can be found in public locations like a phone book or an internet directory. We agree that information obtained from public sources is not, by itself, PHI. HOWEVER, once a name and phone number can be linked or associated with anything of medical relevance, including the mere fact that the person is a patient of a particular practice or is being paged to a particular on-call physician, that publicly available information, even in its simplest form, becomes PHI and requires the security and protection defined within HIPAA.
Are there consequences if a Covered Entity does not use a HIPAA Compliant Answering Service?
Yes. Based upon HHS requirements and the fines HHS has documented for PHI breaches, you are exposing your business, and potentially yourself personally, to hefty civil penalties and possible criminal charges. The civil penalty tiers scale with the severity of the violation and with culpability, and the highest tiers apply to violations that HHS finds were the result of Willful Neglect, whether or not they were later corrected. A Covered Entity remains responsible for the PHI it hands to a Business Associate.
How do I know if my current answering service is HIPAA Compliant?
The answer is simple: call your current answering service and ask them. But first, educate yourself on a few basic HIPAA compliance requirements, shown below, that every answering service should be able to speak to without hesitation.
- Who is your HIPAA Privacy Officer and who is your HIPAA Security Officer? (HIPAA requires that both roles be formally assigned.)
- Have your agents been trained in HIPAA / HITECH / OMNIBUS?
- When was the last documented training, and how often is the training refreshed?
- Are your email and text messaging solutions secured with encryption, and is access to them password protected?
- Does your office still use Windows XP or any earlier version of Windows? (Unsupported operating systems no longer receive security patches.)
- Auditing logins: does your answering service software log every login and access to PHI, can those logs be reviewed in real time, and can it lock out unauthorized users before a PHI breach occurs?
- What prevents one of your employees from stealing a PC that stores PHI on it, and if one were stolen, is the disk encrypted so the PHI is unreadable?
- Are you willing to sign our Business Associate Agreement?
- Are you properly storing, transmitting, and destroying all messages within the system that contain PHI, as required by HIPAA guidelines?
If your current answering service does not have an immediate answer to the questions above, then we suggest looking for a new HIPAA Compliant Medical Answering service.
The requirements of HIPAA are far more detailed than the above nine questions. Therefore, if your current answering service cannot give crisp, immediate answers to even these, there is a high probability that it is not currently HIPAA compliant.
With your organization being the Covered Entity, you must ask yourself whether you are prepared to give your answering service more time to become HIPAA compliant while you carry the risk of violations, fines, and possible criminal charges.