The answer is simple: call your current answering service and ask them. But first, make sure you understand a few basic HIPAA requirements, listed below, that every answering service should be able to address.
- Who is your HIPAA Compliance Officer?
- Have your agents been trained on HIPAA, HITECH, and the Omnibus Rule?
- When was the last documented training, and how often is the training refreshed?
- Are your e-mail and text messaging solutions secured with encryption and password protection?
- Does your office run Windows XP or any earlier version of Windows (operating systems that no longer receive security patches)?
- Login auditing: can your answering service software log and audit logins in real time and block unauthorized users before they can access PHI?
- What prevents one of your employees from stealing a PC that stores PHI, and is the data on that PC encrypted?
- Are you willing to sign our Business Associate Agreement?
- Are you storing, transmitting, and destroying all messages containing PHI in accordance with HIPAA requirements?
If your current answering service cannot answer the questions above immediately, we suggest looking for a new HIPAA-compliant medical answering service.
HIPAA's requirements are far more detailed than the nine questions above. If your current answering service does not have clear, immediate answers to even these, there is a high probability that it is not currently HIPAA compliant.
As the covered entity, ask yourself whether you are prepared to give your answering service more time to become HIPAA compliant while you carry the risk of violations, fines, and possible criminal charges.
HHS has documented substantial fines for PHI breaches. You are exposing your business, and potentially yourself, to heavy fines and/or criminal charges, depending on the severity of the breach and on whether the violations are deemed the result of 'willful neglect.'
No. Traditional transmission methods such as alphanumeric paging are not considered secure and therefore are not HIPAA compliant: pager messages are broadcast over the air without encryption or password protection, so any PHI they carry can be read by anyone with a suitable receiver. Some answering services and medical offices, reluctant to give up this antiquated technology, have revised their policies to allow only the patient's name and telephone number to be paged. The argument is that a 'patient's name and telephone number are not PHI, since that information can be found in public listings.' We agree that information obtained from public sources is not, by itself, PHI. HOWEVER, once a name and telephone number are linked to anything of medical relevance (a physician's pager, a call-back about test results, an appointment), that otherwise public information becomes individually identifiable health information, i.e., PHI, and must be protected as HIPAA requires.
Yes. Your organization, the covered entity, hires the answering service to capture PHI verbally and to store and transmit it electronically, at which point it is electronic PHI (ePHI). The 2013 HIPAA Omnibus Final Rule makes business associates, including answering services, directly liable for meeting the HIPAA Security Rule's requirements for handling and transmitting ePHI.
Therefore, every medical answering service that stores or transmits protected health information (PHI/ePHI) must maintain HIPAA compliance at all times.
It is also your organization's responsibility, as the covered entity, to perform a risk analysis of your current answering service to identify the points at which PHI could be breached while being stored or transmitted.