As a covered entity, your organization is required to perform a risk analysis of your current answering service. It’s necessary to ensure that any third-party answering service – which stores, handles or transmits protected health information – is compliant with HIPAA regulations.
To help you avoid fines and penalties for non-compliance, we have outlined the most common HIPAA violations currently being overlooked by covered entities.
Top 5 HIPAA Violations Committed by Non-Compliant Answering Services
The following violations leave organizations – and, as a consequence, the covered entities they work for – vulnerable to security breaches and at risk for HIPAA fines.
| Violation | How PatientCalls addresses it |
|---|---|
| Unsecured e-mails – Some answering services send unencrypted or non-password-protected e-mails containing PHI to medical offices or staff members. | Our system sends e-mails with password-protected PDFs over an encrypted path. |
| Unsecured SMS/texts – Some answering services send unencrypted or non-password-protected text (SMS) messages to medical offices and staff members, including doctors, after hours. These messages violate HIPAA if they contain PHI, such as patient names and telephone numbers. | Our system sends SMS notifications that simply prompt medical staff to view urgent messages over our encrypted and password-protected portal. This also provides accountability data on who accessed PHI and when. |
| Alphanumeric paging – Some answering services send PHI, such as patient names or telephone numbers, over alphanumeric pagers. Alpha paging transmissions are not encrypted and therefore violate HIPAA regulations. In addition, alpha devices are not considered HIPAA-compliant storage devices. | Our system prohibits the use of alpha paging devices and redirects all electronically transmitted PHI to secure e-mail or SMS. This is done via our secure portal or other approved software solutions, such as, but not limited to, Gmail or Office 365. |
| Absence of a named HIPAA Compliance Officer (HCO) – Some answering services do not have a defined HCO with the proper credentials and training. | PatientCalls exceeds HIPAA requirements by naming both an Operational HCO and a Technical HCO. |
| Absence of a Business Associate Agreement – Some answering services do not have signed sub-contractor Business Associate Agreements on file with all software vendors that have access to any PHI being stored or transmitted. | PatientCalls has BAAs and BACs in place with all clients and sub-contractors. We also post our BAA on a secure web link in every client's monthly invoice. This acts as our backup and binding agreement between the parties in the event a BAA is lost or accidentally destroyed. |
Below are a few more potential HIPAA violations that your organization should discuss with your current medical answering service.
| Potential violation | How PatientCalls addresses it |
|---|---|
| Message archiving – Some answering services are not properly securing, storing, and destroying PHI as required by HIPAA guidelines. | Our system stores and destroys PHI in accordance with HIPAA guidelines. We do not allow any PHI to be stored in or retrieved from our voicemail system. |
| Agent training – Some answering services have not provided adequate and frequent training for their staff and management. | PatientCalls starts with the basics and tests our staff periodically. We also implement daily training procedures that are fully integrated into our CRM application and require agents' acknowledgment before they log off their work shift. |
| PHI access auditing – Some answering services do not properly audit or log every PHI access event, whether it originates from an employee login or from customer access, verbal or electronic. | Our system provides detailed access event logs and reports to support periodic auditing. We have built cybersecurity features that block any user (employee, customer, or attacker) from accessing PHI after multiple repeated authentication failures. |
| Cybersecurity – Some answering services do not properly deploy firewalls or other means to track and warn of cyber threats. | PatientCalls has developed a unique firewall that monitors all SMS and web portal traffic for malicious activity and can block offending IP addresses. |
How Can We Help You?
Your company can avoid these compliance violations, and their related fines and penalties, by trusting an answering service which is HIPAA compliant.
PatientCalls has taken the proper steps to ensure compliance with all HIPAA regulations and security protocols. Using our exclusive PatientNote service, you can rest assured that all data transmissions to and from PatientCalls meet or exceed all HIPAA, HITECH, and Omnibus laws and regulations. For more information, call us directly at 866-330-5481.