10 Common HIPAA Violations Made by Medical Answering Services


Updated on March 15, 2021 by Jordan McGlone

Since 2013, the Department of Health & Human Services Civil Division has enforced the Omnibus Rule, which expanded how HIPAA/HITECH regulations are enforced. These acts carry serious fines and penalties for violations, even when they occur by accident or through an oversight.

Unfortunately, for many healthcare organizations, as well as their business associates such as answering services and call centers, HIPAA compliance is not a given. Violations happen on a daily basis, many because organizations don’t fully understand the security and privacy requirements or the potential ramifications of a breach.

Table of Contents

  • What Is the Cost of Not Complying with HIPAA? 
  • What Defines a Breach of HIPAA? 
  • How Does HIPAA Apply to Healthcare Organizations? 
  • What Are the Most Common HIPAA Violations Made by Medical Answering Services? 
  • How Can Patient Calls Help You? 

What Is the Cost of Not Complying with HIPAA? 

The Department of Health & Human Services enforces HIPAA/HITECH with heavy fines for single violations and maximum penalties for extensive breaches. Each instance of non-compliance can be penalized with fines starting at $100 per violation, up to an annual maximum of $1.5 million.

| Cause for HIPAA Violation | Minimum Penalty | Maximum Penalty |
|---|---|---|
| Individual didn’t know (and by exercising reasonable diligence, would not have known) that HIPAA was violated. | $100 per violation, with an annual maximum of $25,000 for repeat violations. | $50,000 per violation, with an annual maximum of $1.5 million. |
| HIPAA violation due to reasonable cause and not due to willful neglect. | $1,000 per violation, with an annual maximum of $100,000 for repeat violations. | $50,000 per violation, with an annual maximum of $1.5 million. |
| HIPAA violation due to willful neglect, but the violation is corrected within the required time period. | $10,000 per violation, with an annual maximum of $250,000 for repeat violations. | $50,000 per violation, with an annual maximum of $1.5 million. |
| HIPAA violation due to willful neglect that is not corrected within the required time period. | $50,000 per violation, with an annual maximum of $1.5 million. | $50,000 per violation, with an annual maximum of $1.5 million. |

Source: American Medical Association.

What Defines a Breach of HIPAA? 

A breach is “the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted which compromises the security or privacy of the protected health information.” (HIPAA section 164.402)

How Does HIPAA Apply to Healthcare Organizations? 

Every healthcare entity must ensure that its internal communications, and its external transmission of PHI and ePHI to and from third-party service providers, are HIPAA compliant. PHI and ePHI include written and digital information related to patient treatment and billing, e-mail addresses, IP addresses and other web contact information, as well as photographs and picture IDs. This requires:

  • Secure emails and SMS texts,
  • Business Associate Agreements in place,
  • A documented HIPAA Compliance Officer,
  • A HIPAA Breach Notification Procedure,
  • Safe storage of all Protected Health Information (PHI).

What Are the Most Common HIPAA Violations Made by Medical Answering Services? 

In order to maintain HIPAA compliance, here’s what your medical answering service should not be doing. 

  1. Texting Patient Information 

Doctors and other healthcare professionals don’t go anywhere without their phone these days. But standard mobile devices and cellular service providers don’t provide the safeguards needed to securely send and receive texts containing protected health information. If the device is unlocked, anyone with access to the phone can also access the PHI stored on or transmitted through it. Further, information that should be protected becomes exposed if the device is stolen or hacked.

SMS, text messages through an app, or any communications for that matter, need to use encryption and strong password protection to be considered compliant with HIPAA Privacy & Security Rules. In order to work within the regulations, texts can be sent with encryption or as notifications without including PHI. To ensure security, while also being easy to use, medical answering services may provide a HIPAA-compliant web portal or mobile app for messaging.  

  2. Sending Unsecured E-mails

Some answering services send emails that are not encrypted or password-protected to medical offices or staff members. Yet, the HIPAA Security Rule requires these measures for any transmission of ePHI. 

  3. Paging Patient Information to Medical Staff

Some answering services page PHI, such as patient names or telephone numbers, to medical staff. Alpha paging transmissions are not encrypted and therefore violate HIPAA regulations. In addition, pagers are not considered HIPAA-compliant storage devices.

  4. Lack of an Official HIPAA Compliance Officer (HCO)

HIPAA requires covered entities and third-party business associates to assign a person to the role of HIPAA compliance officer. The appointed HCO can be an employee of the organization or someone external. Either way, the role of the compliance officer is to supervise implementation of the privacy policy and the security measures for PHI.

Because this role is crucial, special training is required. To operate as the HIPAA Privacy Officer or HIPAA Security Officer, or to work under the officer, one must complete the expert training and certification program.

Some answering services do not have a defined HCO, or the person appointed as compliance officer lacks the proper credentials and training. Both issues are considered a HIPAA violation.

  5. Absence of a Business Associate Agreement

The HIPAA Privacy Rule requires all covered entities to have a signed Business Associate Agreement (BAA) on file for each Business Associate (BA) they work with that may have contact with PHI. Further, the Omnibus Rule made covered entities and Business Associate Subcontractors (BAS) liable for potential violations.

Since the latter rule change, IT and service providers must sign a BAA and meet the requirements for safeguarding ePHI, even if their staff doesn’t usually access, store, or process it. Some answering services do not have signed Subcontractor Business Associate Agreements on file with all software vendors, and this is cause for heavy fines.

  6. Improper Storage of Messages

Some answering services are not properly securing, storing, and destroying PHI as required by HIPAA guidelines. This may include leaving voice messages that contain patient information or storing PHI on mobile devices that are not secured according to HIPAA standards. 

  7. Skipping Agent Training

Not just anyone can work as a call center agent for healthcare organizations. Agents should be trained in HIPAA compliance and fully understand how their role impacts privacy and security.   

  8. Inadequate Cybersecurity Controls

Some answering services are not properly deploying firewalls or the monitoring needed to detect and alert on cyber threats.

To ensure compliance with HIPAA regulations, third parties must implement policies and procedures designed to protect sensitive data. Failure to develop and enforce these controls leaves that vendor’s systems vulnerable to cyberattacks and at greater risk of a data breach.

  9. Failure to Maintain Audit Records

Some answering services do not properly log every access to PHI, whether through employee logins or customer access, verbal or electronic. Detailed documentation, including access logs, must be kept for HIPAA auditing purposes. Further, covered entities and BAs must retain HIPAA audit logs going back at least six years.

  10. Giving out Medical Advice

Medical answering agents are trained, it’s true, but they are not medical professionals. It is a huge liability for medical answering services to provide any medical advice to patients; they should be referred to a licensed physician or to emergency healthcare services.  

Related article: How New Federal Interoperability and Patient Access Regulations Affect Your Practice.

How Can Patient Calls Help You? 

Your company can avoid these compliance violations, and their related fines and penalties, by trusting an answering service that is HIPAA compliant.

PatientCalls has taken the proper steps to ensure compliance with all HIPAA regulations and security protocols. Using our exclusive PatientNote service, you can rest assured that all data transmissions to and from PatientCalls meet or exceed all HIPAA, HITECH, and Omnibus laws and regulations. For more information, call us directly at 866-330-5481.

About The Author


Jordan McGlone

Jordan has more than seven years of experience working for PatientCalls and a strong background in the healthcare answering service industry. He designs directive plans to fit the unique structure and activities of healthcare organizations, while ensuring that communications are efficient, compliant with HIPAA privacy and security regulations, and support optimal patient care.

Copyright © 2023 PatientCalls