Yes. Medical answering services are considered business associates and must comply with HIPAA regulations. Answering services providing services to hospitals, clinics, doctors’ offices, nursing facilities, and other companies in the healthcare industry must meet these strict security and privacy requirements.
The Health Insurance Portability and Accountability Act states that healthcare providers, their suppliers and service providers are ethically and legally required to protect patient information. HIPAA Privacy and Security Rules outline how covered entities and business associates, including phone answering services, must protect PHI and ePHI while enabling the flow of information to provide quality medical services.
How HIPAA Affected the Healthcare Industry
In 1996, the need to protect an individual’s personal health information gave rise to the creation of HIPAA. Since then, HIPAA, HITECH, and Omnibus regulations have forced the implementation of additional security and compliance methods for organizations handling sensitive health data. These have presented significant legal and technical challenges within the industry including medical and healthcare answering services.
These regulations have fundamentally impacted how a patient’s information can be stored and transmitted. Now, details of a patient’s medical condition, healthcare treatments, contact information, billing information, and incurred payments must be more secure and private than ever before.
Since September 2013, the responsibility to comply with HIPPA has expanded to include the business associates and subcontractors of covered entities which handle PHI. Now, these entities share the same levels of liability as the organizations they serve. In fact, covered entities are fully responsible for performing risk audits of the business associates which they rely on to collect, store, and transmit personal health information.
The Impact of HIPAA on Medical Answering Services
Experts have dubbed PHI security the most expensive set of requirements within the HIPAA Privacy & Security Rules. These important regulations apply to medical answering services, which store and transmit PHI, and they have had major implications in terms of technological and procedural upgrades. For answering services, the costs involved with reaching compliance are high and making the required changes is time-consuming.
Legacy answering services had to rethink and redesign their storage and transmission procedures related to sending PHI to medical staff via text messages, pagers and e-mail. These traditional methods are no longer considered secure within the context of HIPAA-HITECH-Omnibus. In addition, medical answering services must now provide the proper levels of encryption, accountability, and password protection for all parties who access PHI both internally and externally.
Answering services need to be HIPAA compliant because they are part of a network of organizations that handle sensitive data. These organizations, known as covered entities and business associates (BA), are responsible for safeguarding personal health information and protecting patient privacy.
For medical establishments and healthcare professionals, HIPAA compliance is also a critical part of protecting their practice. It is also their responsibility to ensure that their third-party suppliers and service providers maintain the same high level of data security and regulatory compliance.
What Is PHI?
Protected health information (PHI) is individually identifiable data about a person’s health status that has been created, collected, transmitted, or stored by a HIPAA-covered entity when providing healthcare services. This includes, but is not limited to:
- Last names,
- Addresses,
- Birthdates,
- Phone numbers,
- Social security numbers,
- Email addresses,
- Health insurance information,
- Medical device identification numbers,
- Headshot images.
Related article: What Is Interoperability and How Are Data Access Regulations Changing?
What Does HIPAA Compliance Involve for Answering Services?
Since 2013, HIPAA regulations have been applied to all service providers in the medical industry. BAs are held to the same privacy and security standards as healthcare providers.
As a BA with access to patient information, medical answering services are also bound by HIPAA regulations.
Protected Communications
Any BA that is trusted with patient information must have a secure computer system and network for accessing and transmitting sensitive data. Access to any computer or device that may handle PHI must also be limited to only authorized and trained staff members. Authorized users should be required to pass two-factor authentication before gaining access to PHI.
Phone calls, text messages, voice messages, and email containing PHI must all be sent and received using password and encryption protection.
Use of HIPAA-Compliant Devices
Exchanging regular SMS messages from your mobile phone to a patient or including PHI is a prime example of a HIPAA violation. BAs, including answering services, must use electronic devices and communication platforms with encryption and password protection when handling this type of data. In turn, doctors and medical staff must also have these security measures in place when communicating about and with patients.
Security for Recorded and Stored Information
Even while PHI is at rest, it must be secure. Sensitive data and recorded calls stored in databases, physical servers, or cloud storage must have cybersecurity protections in place. Additionally, physical protections must be used to restrict access to areas where sensitive data is accessed and stored.
Training for Call Agents in HIPAA Compliance
Call agents working for a medical answering service must be fully trained in following security policies and procedures related to HIPAA compliance. This includes cybersecurity awareness training and learning the proper reporting protocols and contingency plans in case of a data breach.
Continual Monitoring for HIPAA Compliance
Compliance is an ongoing process. Medical answering service providers should continue to monitor call center practices and updated policies to ensure that security and privacy measures are effective. The agency may choose to appoint and HIPAA compliance officer who provides dedicated oversight to this area of responsibility.
What’s at Risk?
An unencrypted email, a vulnerability in the computer system, unauthorized access to servers, a successful phishing attack on an untrained call center employee…any one of these events could spell disaster for a BA. Data breaches and the discovery of HIPAA violations are both detrimental to business associates. And they can also damage the reputation of healthcare organizations and the professional standing of practitioners with whom they work.
A HIPAA breach is defined as, “The acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information.” And any breach is punishable by legal action and hefty fines. While no healthcare organization can be 100% protected, the regulations laid out in HIPAA support the implementation of industry best practices for protecting patient information and confidentiality.
Learn more about HIPAA-Compliant Telehealth and the Changes Expected from HIPAA Regarding the Use of Technology in Healthcare in 2021.
Trust a Medical Answering Service with Proven HIPAA Compliance
If your medical answering service does not meet HIPAA compliance standards, it’s time to switch. The strength of your medical organization depends on it.
PatientCalls began focusing on HIPAA compliance before Omnibus rules went into effect and it continues to be a top priority for our organization and our clients. Contact PatientCalls for more information about our compliance assurance.