Since 2013, the Department of Health & Human Services Civil Division began enforcing the Omnibus rule which expanded how HIPAA/HITECH regulations are enforced. These acts carry serious fines and penalties for violations, even if they occur by accident or because of an oversight.
Unfortunately, for many healthcare organizations, as well as their business associates, such as answering services and call centers, HIPAA compliance in not a given. Violations happen on a daily basis, many because organizations don’t fully understand the security and privacy requirements or the potential ramifications of a breach.
What Is the Cost of Not Complying with HIPAA?
The Department of Health & Human Services enforces HIPAA/HITECH by laws with heavy fines for single violations and maximum penalties for extensive breaches. Each instance of non-compliance can be penalized with fines of $100 per violation up to an annual maximum of $1.5 million.
|Cause for HIPAA Violation||Minimum Penalty||Maximum Penalty|
|Individual didn’t know (and by exercising reasonable diligence, would not have known) that HIPAA was violated.||$100 per violation, with an annual maximum of $25,000 for repeat violations.||$50,000 per violation, with an annual maximum of $1.5 million.|
|HIPAA violation due to reasonable cause and not due to willful neglect.||$1,000 per violation, with an annual maximum of $100,000 for repeat violations.||$50,000 per violation, with an annual maximum of $1.5 million.|
|HIPAA violation due to willful neglect but violation is corrected within the required time period.||$10,000 per violation, with an annual maximum of $250,000 for repeat violations.||$50,000 per violation, with an annual maximum of $1.5 million.|
|HIPAA violation due to willful neglect and is not corrected within the required time period.||$50,000 per violation, with an annual maximum of $1.5 million.||$50,000 per violation, with an annual maximum of $1.5 million.|
What Defines a Breach of HIPAA?
A breach is “the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted which compromises the security or privacy of the protected health information.”HIPAA section 164.402
How Does HIPAA Apply to Healthcare Organizations?
Every healthcare entity must ensure that their internal communications and external transmission of PHI and ePHI (which includes written and digital information related to patient treatment and billing, e-mail addresses, IP addresses and other web contact information, as well as photographs and picture IDs) to and from third-party service providers is HIPAA compliant. This requires:
- Secure emails and SMS texts,
- Business Associate Agreements in place,
- Documented HIPAA Compliance Officer,
- HIPAA Breach Notification Procedure,
- Safe storage of all Personal Health Information.
What Are the Most Common HIPAA Violations Made by Medical Answering Services?
In order to maintain HIPAA compliance, here’s what your medical answering service should not be doing.
- Texting Patient Information
Doctors and other healthcare professionals don’t go anywhere without their phone these days. But standard mobile devices and cellular service providers don’t provide the safeguards needed to securely send/receive texts containing protected health information. If unlocked, it would enable anyone with access to the mobile phone to also access the PHI stored or transmitted on it. Further, information that should be protected would become vulnerable if the device was stolen or hacked.
SMS, text messages through an app, or any communications for that matter, need to use encryption and strong password protection to be considered compliant with HIPAA Privacy & Security Rules. In order to work within the regulations, texts can be sent with encryption or as notifications without including PHI. To ensure security, while also being easy to use, medical answering services may provide a HIPAA-compliant web portal or mobile app for messaging.
- Sending Unsecured E-mails
Some answering services send emails that are not encrypted or password-protected to medical offices or staff members. Yet, the HIPAA Security Rule requires these measures for any transmission of ePHI.
- Paging Patient Information to Medical Staff
Some answering service send PHI, such as patient names or telephone numbers. Alpha paging transmissions are not encrypted, therefore, they violate HIPAA regulations. In addition, pagers are not considered HIPAA-compliant storage devices.
- Lack of an Official HIPAA Compliance Officer (HCO)
Because this role is crucial, special training is required. To operate as the HIPAA Privacy Officer or HIPAA Security Officer, or to work under the officer, one must complete the expert training and certification program.
Some answering service do not have a defined HCO, or the person appointed as the compliance officer lacks the proper credentials and training. Both issues are considered a HIPAA violation.
- Absence of Business Associate Agreement
The HIPAA Privacy Rule requires all covered entities to have a signed Business Associate Agreement (BAA) on file for each Business Associate (BA) they work with which may have contact with PHI. Further, the Omnibus Rule made covered entities and Business Associate Subcontractors (BAS) liable for potential violations.
Since the later rule change, IT and service providers must sign a BAA and meet the requirements for safeguarding ePHI, even if their staff doesn’t usually access, store, or process it. Some answering services do not have signed Sub-Contractor Business Associate Agreements on file with all software vendors and this is cause for heavy fines.
- Improper Storage of Messages
Some answering services are not properly securing, storing, and destroying PHI as required by HIPAA guidelines. This may include leaving voice messages that contain patient information or storing PHI on mobile devices that are not secured according to HIPAA standards.
- Skipping Agent Training
Not just anyone can work as a call center agent for healthcare organizations. Agents should be trained in HIPAA compliance and fully understand how their role impacts privacy and security.
- Inadequate Cybersecurity Controls
Some answering services are not properly deploying firewalls or necessary means to track and warn of cyber threats.
To ensure compliance with HIPAA regulations, third-parties must implement policies and procedures designed to protect sensitive data. Failure to develop and enforce these control measures makes that vendor’s system vulnerable to cyberattacks and potentially more at risk for a data breach.
- Failure to Maintain Audit Records
Some answering services do not properly log all events of accessing PHI regarding employee logins or customer access, both verbally and electronically. Detailed documentation, including access logs, must be kept for HIPAA auditing purposes. Further, covered entities and BAs must retain HIPAA audit logs going back at least six years.
- Giving out Medical Advice
Medical answering agents are trained, it’s true, but they are not medical professionals. It is a huge liability for medical answering services to provide any medical advice to patients; they should be referred to a licensed physician or to emergency healthcare services.
Related article: How New Federal Interoperability and Patient Access Regulations Affect Your Practice.
How Can Patient Calls Help You?
Your company can avoid these compliance violations, and their related fines and penalties, by trusting an answering service which is HIPAA compliant.
PatientCalls has taken the proper steps to ensure compliance with all HIPAA regulations and security protocols. Using our exclusive PatientNote service, you can rest assured that all data transmissions to and from PatientCalls meet or exceeds all HIPAA, HITECH, and Omnibus laws and regulations. For more information, call us directly at 866-330-5481.