Achieve Immediate HIPAA Compliance of Your Medical Answering Service
Stay safe from HIPAA violations, fines, and negative public exposure.
PatientCalls is consistently at the forefront of HIPAA / HITECH / OMNIBUS compliance when compared to our competitors, and we are proud of it. We deploy exclusive and proprietary encryption methods to securely obtain, store, and transmit all personal health information (PHI) in order to provide confidence for our covered entities. As a covered entity, you must audit your business associates, including your answering service, in order to mitigate your risk of breaching HIPAA/OMNIBUS regulations. Rest assured, PatientCalls helps to organize those audits and assumes the required responsibility that your office and our other clients demand of us.
Our HIPAA Compliance Officer (HCO) implements stringent and frequent audits of our policies and staff members to ensure PatientCalls stays ahead of its competition within the medical answering service and call center industry.
Very simply, you cannot afford to continue with your current answering service if they are not compliant. If you are not 100% sure of your current answering service’s compliance then you need to call PatientCalls immediately.
How HIPAA Has Affected the Medical Answering Service Industry
Every individual requires the proper care including excellent healthcare facilities and the necessary levels of security in order to enjoy a great quality of life and to have comfort in knowing their personal health information (PHI) remains confidential at all times.
Such confidentiality, and the requirement to protect an individual’s personal health information, gave rise in 1996 to the creation of HIPAA, the Health Insurance Portability & Accountability Act. Since then, HIPAA/HITECH/Omnibus regulations have forced the implementation of additional security and compliance methods for organizations handling personal health information. These have brought significant legal and technical challenges to the industry, including medical and healthcare answering services.
The security and privacy of protected health information (PHI) were strengthened tremendously, especially by the HITECH and Omnibus rules that extend HIPAA. Now, details of a patient’s medical conditions, healthcare treatments, contact information, billing information, and incurred payments must be more secure and private than ever before.
Put simply, these rules have changed how a patient’s information may be stored and transmitted, which is precisely why call center providers and answering services operating within the medical and healthcare industries had to perform heavy lifting in order to comply with past and current HIPAA regulations. In short, there are now legal and fundamental procedural differences between an answering service of the past and a HIPAA-compliant medical answering service of the present, and you must be aware of all of those differences.
What makes these privacy changes so critical?
Experts have dubbed PHI security the most expensive requirement within the HIPAA Privacy & Security Rules. They have done so because, apart from improving patient privacy rights, such rules reinforce the government’s capability to enforce a set of laws against healthcare providers and others professionally associated with them. Finally, the costs to answering services alone of complying with HIPAA have been very high, and compliance has been time-consuming.
Prior to the Omnibus Ruling, covered entities assumed most of the responsibility in failing to comply with HIPAA regulations. However, after September 2013, all business associates and their subcontractors who handle PHI have the same levels of liability as the covered entities they serve. Covered entities are still fully responsible for performing risk audits of the business associates which they rely on to collect, store, and transmit personal health information. This cannot be forgotten.
As you can see, these changes in security requirements and liability for fault were extended to all entities. They now apply to medical answering services, which store and transmit PHI. This has had major cost consequences in terms of the technological and procedural upgrades required to meet the September 2013 deadline.
For reference, please review the PatientCalls ePHI flow diagram for PHI storage and transmission specific to a medical answering service and its clients.
How do these changes affect the traditional or legacy answering service?
Due to the required HIPAA security, legacy answering services had to rethink and redesign their storage and transmission procedures, specifically those for sending PHI to medical on-call staff via text messaging, alphanumeric paging, and email. These traditional methods are no longer considered secure within the context of HIPAA-HITECH-Omnibus. In addition, medical answering services must now provide proper accountability and access logs for all parties who access PHI, both internally and externally.
At present, no medical answering service should be deploying any legacy methods to transmit messages that contain PHI. They should have implemented specific methods that are inclusive of the proper levels of encryption and password protection to ensure PHI is not disclosed or intercepted during its transmission or accessed by unauthorized parties while being stored electronically. Such security requirements have given rise to secure web portals, secure messaging applications, and sending emails within encrypted paths between various recipients of PHI.
In order to safeguard the privacy of patients and remain compliant with current HIPAA regulations when transmitting any form of electronic message containing PHI, answering services are required to implement the following:
Email: Answering services are restricted from sending traditional emails that include PHI without first identifying the possible security limitations of the transmitting network, which includes the storage devices on both ends. Newer approaches include providing secure web portals for PHI retrieval or implementing additional security measures, as PatientCalls has done.
SMS/Text messaging: If SMS/text messages include any patient information, their delivery must also be secure, which includes encryption and password protection. The current carrier networks are not secure; therefore, current SMS technology also fails to offer the required security.
When considering how mobile devices have transformed our methods of communication, medical answering service providers have had a large task to overcome. It is imperative for you, the covered entity, to vet and select a proper medical answering service, like PatientCalls. PatientNote is our answer to securing PHI over SMS.
Mobile devices: Some may think that mobile devices are secure simply because you can create a strong password for entry. However, mobile devices are not secure within the context of HIPAA. Therefore, you must be 100% certain that your medical answering service is not sending data insecurely and that your staff are not saving any PHI on their mobile devices. PatientCalls – at no time – asks users to store PHI on a mobile device and has taken the proper measures to help you become HIPAA compliant.
TLS Connections: As a transport encryption protocol, TLS protects data only while it is in transit between two endpoints, and so provides only a portion of the required data security. Standing alone, TLS does not make a service HIPAA compliant. Therefore, the medical answering service must deploy TLS as one part of its overall security controls rather than as the whole solution.
As you can see, the answering service industry has evolved in the following manner:
- Answering Service
- Medical Answering Service
- HIPAA-Compliant Medical Answering
PatientCalls' top-rated medical answering service is the most trusted business associate and industry leader among our HIPAA-compliant medical answering service constituents. We are proud to ensure PatientCalls provides the proper levels of security for our company, your practice, and all patients.
After all, your medical answering service provides more hours of coverage for your office than your daily staff, so please do not waver on your requirement to find and use the proper answering service.
Does an answering service have to be HIPAA compliant?
The answer is YES!
If your office or organization operates within the healthcare industry and directly handles patients’ personal health information (PHI), then your organization is considered a covered entity. Therefore, if you use the services of a medical answering service or medical dispatch center, and these business partners have access to any of your patients’ health information or store and transmit PHI electronically, then they are considered your HIPAA business associates and must therefore comply with HIPAA/HITECH/OMNIBUS. In addition, your answering service must audit all business relationships with its vendors – such as shredding companies and answering service software vendors – and maintain Sub-Contractor Business Associate Agreements.
Is alpha paging and/or numeric paging HIPAA compliant?
The answer is NO!
Any traditional transmission method such as alphanumeric paging is not considered secure and is therefore NOT HIPAA compliant. This is due to the absence of encryption and password protection for the PHI being electronically transported. Some answering services and medical offices, fearing the loss of this antiquated technology, have revised their policies to allow only the transmission of a patient's name and telephone number. The argument is that a ‘patient’s name and telephone number is not considered PHI since that information can be found in public listings.’ Initially, we agree with the assessment that information obtained from public sources would not be deemed PHI. HOWEVER, once a name and phone number can be linked with anything of medical relevance, then even that publicly available information, transmitted in its simplest form, would be considered PHI and would require proper security and protection as defined by HIPAA.
Are there consequences if a covered entity does not use a HIPAA-compliant answering service?
Based upon HHS requirements and documented fines from PHI breaches, you are exposing your business and personal wellbeing to hefty fines and/or criminal charges, depending on the severity of the breach and on whether those violations are deemed the result of ‘willful neglect.’
How do I know if my current answering service is HIPAA compliant?
This answer is simple: just call your current answering service and ask them. But first, please make sure that you educate yourself about a few simple HIPAA requirements, shown below, that every answering service should understand.
- Who is your HIPAA Compliance Officer?
- Have your agents been trained in HIPAA / HITECH / OMNIBUS?
- When was the last documented training and how often is the training refreshed?
- Is your email and text solution secure with encryption and/or password protection?
- Does your office use Windows XP or any earlier version of Windows?
- Auditing logins – Does your answering service software have the ability to audit logins in real time and block unauthorized users, whose access would result in PHI breaches?
- What prevents one of your employees from stealing a PC that stores PHI information on it?
- Are you willing to sign our Business Associate Agreement?
- Are you properly storing, transmitting, and destroying all messages within the system which contain PHI as required by HIPAA guidelines?
If your current answering service does not have an immediate answer to the questions above, then we suggest looking for a new HIPAA-compliant medical answering service.
The requirements of HIPAA are far more detailed than the above eight questions. If your current answering service does not have clear or immediate answers, then there is a high probability that it is currently not HIPAA compliant.
As the covered entity, you must ask yourself if you are prepared to give your answering service more time to become HIPAA compliant and risk violations, fines, and possible criminal charges.