Could your Medical Answering Service get you fined by HIPAA?

For years, PatientCalls has emphasized the vital importance, and the liability, of the answering service's role as a HIPAA Business Associate (BA) in protecting your patients' Protected Health Information (PHI). Since the Omnibus Final Rule in 2013, a Covered Entity (CE) partnering with a responsible business associate, such as PatientCalls, has become even more crucial to your medical organization's livelihood.

The material below is drawn from Medical Interactive educational materials, which corroborate PatientCalls' view of the HIPAA relationship between your medical organization and your answering service. It should provide the justification needed to understand the important differences between an ordinary answering service and a HIPAA Compliant Medical Answering Service.

As you will see, some of the arguments are made by those who do not believe that an answering service is in fact a BA (Business Associate). As time has passed, however, more and more of the naysayers (usually small answering services that do not have the resources, or do not wish to allocate resources, to become HIPAA compliant) have for the most part come around to this realization.

As the Medical Interactive Community Document states:

Is an answering service a BA?

"Yes, the answering service is granted access to PHI when patients disclose medical concerns that prompt them to call." 4

In the HITECH Act signed February 17, 2009 and effective September 23, 2010 "... liability was created under the HIPAA Privacy and Security Rules for persons that are not covered entities but that create or receive protected health information in order for a covered entity to perform its health care functions, to ensure individuals' personal health information remains sufficiently protected in the hands of these entities." 5 Further in the Omnibus Final Rule (OFR) under "Statutory and Regulatory Background, HITECH (ii)" business associates and vendors of Personal Health Records are addressed:

"The HITECH Act is designed to promote the widespread adoption and interoperability of health information technology. Subtitle D of title XIII, entitled "Privacy," supports this goal by adopting amendments designed to strengthen the privacy and security protections for health information established by HIPAA. These provisions include extending the applicability of certain of the Privacy and Security Rules' requirements to the business associates of covered entities; requiring that Health Information Exchange Organizations and similar organizations, as well as personal health record vendors that provide services to covered entities, shall be treated as business associates; requiring HIPAA covered entities and business associates to provide for notification of breaches of "unsecured protected health information"; establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes; prohibiting the sale of protected health information; and expanding individuals' rights to access their protected health information, and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, subtitle D adopts provisions designed to strengthen and expand HIPAA's enforcement provisions". 6

This corresponds to the current regulation Business Associate definition referenced earlier. 7

Knowledgeable answering services are aware of this position, though the realization of being in a Business Associate position is unfortunately unknown to some covered entities and services. An example answering service website states that such services are in a position of required HIPAA compliance. 8 This site correctly lists several common mistakes of answering services as:

1. "... sending unencrypted/non password protected emails containing PHI to your office or staff members"
2. "...transmitting Text Messages/SMS messages which are unencrypted/password protected....containing PHI, such as, patient name and telephone number to your office and staff members, including doctors after hours."
3. "...sending any PHI, such as Patient Name or Telephone Number. Alpha paging transmissions are not encrypted, therefore, violate HIPAA regulations."
4. "...does not have a defined HCO (HIPAA Compliancy Officer) with the proper credentials and training."
5. "...does not have signed Subcontractor Business Associate Agreements on file with all software vendors who have access to any Personal Health Information being stored or transmitted" 9

Your answering service must be HIPAA compliant, including the ability to use secure methods of data transmission and to avoid standard SMS (texting) channels. Care should be taken to have an appropriate Business Associate Agreement (BAA) in place with "satisfactory assurances" that HIPAA requirements are being followed. 10 The answering service should be able to provide positive and detailed responses to questions such as:

1. Has the service designated a HIPAA Compliance Officer (HCO)?
2. Do employees have periodic HIPAA regulation training?
3. Do messaging and email systems incorporate security for protected health information?
4. Are periodic risk assessments made for privacy and security of health information?
5. Are Business Associate Agreements (BAA) used?

There are significant reasons to be concerned about the activities of any Business Associate. Since answering services are business associates of covered entities such as physicians, a number of federal obligations under the Omnibus Final Rule (OFR) and other HIPAA regulations apply, with possible civil and criminal penalties in cases of violation. These include such responsibilities as having "contracts or other arrangements with BAs to ensure that the business associates safeguard protected health information, and use and disclose the information only as permitted or required by the Privacy Rule". 11 The Security Rule has also required covered entities to "have contracts or other arrangements in place with their business associates that provide satisfactory assurances that the business associates will appropriately safeguard the electronic protected health information they create, receive, maintain, or transmit on behalf of the covered entities." 12

As stated in the final HIPAA regulations, "A covered entity is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member or business associate, acting within the scope of the agency." 13

In the earlier example situation, whether or not a potential liability existed depended in large part on whether a proper business associate relationship was in place and on the security of the messaging system being used. With the Omnibus Final Rule (OFR) of 2013 adding to, changing, and finalizing earlier HIPAA regulations, physicians must now make a new and careful assessment of their relationships with other businesses such as answering services.

Coming to this conclusion makes the next step an easy one: the BAA (Business Associate Agreement). PatientCalls requires a signed BAA with all clients, and also provides a BAA to clients who may not have the funding necessary for legal review.

At present, some medical professionals still want to know why we require a signed BAA with PatientCalls when they start service with us. Such questions are, however, becoming less and less frequent.

Typically we point to several mistakes that other answering services may be making that should alert a prospective customer, and we encourage them to ask whether any of the five common mistakes listed above are being made at their current or other prospective services.


It becomes clear, after reading the definition of a BA and the security expectations placed on the services these BAs perform, that an answering service must fall within these security guidelines. Please reference our PHI Flow Diagram at http://www.patientcalls.com/free-infographic-hipaa-compliant-medical-answering-service-flow-of-phi.htm

PatientCalls not only meets HIPAA requirements but does so in a manner that does not impede our typical operational efficiency.

If you have any other questions regarding the specifics of a Medical Answering Service providing services to your medical or healthcare organization, please call PatientCalls now and we can help clarify HIPAA requirements regarding BAAs and the role of an answering service.

We will also give you details on how you can take advantage of this HIPAA secure service risk free for 14 days.  

Call PatientCalls now at 1-866-333-7922.
