As you go through the process of choosing an answering service for your business, a few obvious factors may come to mind, such as vendor reputation, price and coverage. However, if you are concerned with the confidentiality of patient information, then one of the top features on your list should be HIPAA compliance. Any company that deals with protected health information (PHI) is required to protect this information through physical, process and network security measures. The following points can help you determine if your medical answering service will uphold its end of HIPAA compliance standards.
Health Insurance Portability and Accountability Act (HIPAA)
Since 1996, HIPAA has provided protection at the federal level for the health information of individuals that is held by any organization or entity. This includes:
- Covered Entities (CE): Anyone who provides treatment or deals with payment and operations.
- Business Associates (BA): Anyone with access to patient information that provides support with treatment, operations or payment. Subcontractors and any other individual working with business associates must also be in compliance.
HIPAA addresses sharing, saving and accessing medical and personal information of any individual, which is why your medical answering service must have certain safeguards in place to protect and regulate this information. The physical and technical security measures that your HIPAA compliant vendor sets up are typically the most relevant and can consist of:
- Physical Access Control: Limiting facility access to strictly authorized individuals and enforcing policies regarding the use and access of workstations and electronic media.
- Technical Protection: Regulating access to electronic protected health data through the use of assigned user IDs, automatic log off, emergency access procedures, etc.
- Transmission Security: All methods of transmitting data need to protect against unauthorized public access. Whether the health information is transmitted by email, cellular or private network, its security is paramount.
It is the responsibility of your organization to determine if your current or future answering service is capable of maintaining HIPAA compliance. To make sure an answering service vendor is in full compliance with HIPAA, you need to find out how they stay on top of current HIPAA regulations and whether they are aware of the top HIPAA violations.
Top HIPAA Violations
These security breaches put both the service vendor and their clients at risk for HIPAA fines. You are putting your business at risk if the medical answering service engages in any of the following:
- No Named HIPAA Compliancy Officer: A medical answering service provider needs to have a defined compliancy officer with the necessary credentials and training.
- Unencrypted Transmissions: If an answering service is sending or storing patient health information on unencrypted pages, they are in violation of HIPAA regulations.
- Unsecured Emails: Sending emails containing patient health information to you or your staff members that are not encrypted or password protected.
- Unsecured Texts: Transmitting texts or SMS messages that are not encrypted or password protected and contain patient health information such as name and phone number.
- Lack of a Business Associate Agreement: No subcontractor business associate agreements on record with every software vendor who has access to personal health information that is stored or transmitted.
While an answering service vendor can support your business operations, it is essential for them to be HIPAA compliant. Check to make sure their customer service representatives have completed the necessary trainings to meet all regulations. Inquire about the trainings and workshops they use to stay on top of new HIPAA regulations. By completing the appropriate research before working with a medical answering service, you will be protecting both your patients and your business. Do you already have an answering service in place to handle your calls? Ask them about their HIPAA compliance regarding communication, technology and organizational practices.