Yes. Medical answering services are considered business associates and must comply with HIPAA regulations. Answering services providing services to hospitals, clinics, doctors’ offices, nursing facilities, and other companies in the healthcare industry must meet these strict security and privacy requirements.
The Health Insurance Portability and Accountability Act states that healthcare providers, their suppliers and service providers are ethically and legally required to protect patient information. HIPAA Privacy and Security Rules outline how covered entities and business associates, including phone answering services, must protect PHI and ePHI while enabling the flow of information to provide quality medical services.
Why HIPAA Compliance Is So Important For Medical Answering Services
Medical answering services need to be HIPAA compliant because they are part of a network of organizations that handle sensitive data. These organizations, known as covered entities and business associates (BAs), are responsible for safeguarding personal health information and protecting patient privacy. HIPAA regulations help ensure the patient confidentiality that is expected throughout the medical industry.
For medical establishments and healthcare professionals, HIPAA compliance is also a critical part of protecting their practice. It is also their responsibility to ensure that their third-party suppliers and service providers maintain the same high level of data security and regulatory compliance.
What Is PHI?
Protected health information (PHI) is individually identifiable data about a person’s health status that has been created, collected, transmitted, or stored by a HIPAA-covered entity when providing healthcare services. This includes, but is not limited to:
- Last names,
- Phone numbers,
- Social security numbers,
- Email addresses,
- Health insurance information,
- Medical device identification numbers,
- Headshot images.
What Are The HIPAA Compliance Regulations for Medical Answering Services?
Since 2013, HIPAA regulations have been applied to all service providers in the medical industry. BAs are held to the same privacy and security standards as healthcare providers.
As a BA with access to patient information, medical answering services are also bound by HIPAA regulations.
Secure Exchange of Patient Information
Any BA that is trusted with patient information must have a secure computer system and network for accessing and transmitting sensitive data. Access to any computer or device that may handle PHI must also be limited to only authorized and trained staff members. Authorized users should be required to pass two-factor authentication before gaining access to PHI.
Use of HIPAA-Compliant Devices
Exchanging regular SMS messages that contain PHI from your mobile phone with a patient is a prime example of a HIPAA violation. BAs, including answering services, must use electronic devices and communication platforms with encryption and password protection when handling this type of data. In turn, doctors and medical staff must also have these security measures in place when communicating about and with patients.
Phone calls, text messages, voice messages, and email containing PHI must all be sent and received using password and encryption protection.
Security for Recorded and Stored Information
Even while PHI is at rest, it must be secure. Sensitive data and recorded calls stored in databases, physical servers, or cloud storage must have cybersecurity protections in place. Additionally, physical protections must be used to restrict access to areas where sensitive data is accessed and stored.
Training for Call Agents in HIPAA Compliance
Call agents working for a medical answering service must be fully trained in following security policies and procedures related to HIPAA compliance. This includes cybersecurity awareness training and learning the proper reporting protocols and contingency plans in case of a data breach.
Continual Monitoring for HIPAA Compliance
Compliance is an ongoing process. Medical answering service providers should continue to monitor call center practices and updated policies to ensure that security and privacy measures remain effective. The agency may choose to appoint a HIPAA compliance officer who provides dedicated oversight of this area of responsibility.
What Are The HIPAA Non-Compliance Risks?
An unencrypted email, a vulnerability in the computer system, unauthorized access to servers, a successful phishing attack on an untrained call center employee: any one of these events could spell disaster for a BA. Data breaches and the discovery of HIPAA violations are both detrimental to business associates, and they can also damage the reputation of the healthcare organizations and the professional standing of the practitioners with whom they work.
A HIPAA breach is defined as, “The acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information.” And any breach is punishable by legal action and hefty fines. While no healthcare organization can be 100% protected, the regulations laid out in HIPAA support the implementation of industry best practices for protecting patient information and confidentiality.
Trust a Medical Answering Service with Proven HIPAA Compliance
If your medical answering service does not meet HIPAA compliance standards, it’s time to switch. The strength of your medical organization depends on it.
PatientCalls began focusing on HIPAA compliance before Omnibus rules went into effect and it continues to be a top priority for our organization and our clients.