HIPAA Compliance Archives - Specialty Answering Service

The Top 5 Ways Your Answering Service May Be Violating HIPAA.
Specialty Answering Service, Tue, 15 May 2018. https://www.specialtyansweringservice.net/top-5-ways-answering-service-violating-hipaa/
If you run a medical practice and use a telephone answering service to handle patient communication, then it’s important to make sure your answering service is up to date on all HIPAA regulations. Why? Because if they aren’t, you’re going to end up spending mega bucks on fines levied against your practice for HIPAA violations.

Since answering services are considered to be business associates, they must adhere to all guidelines outlined by HIPAA, as they have access to your patients’ protected health information (PHI). For example, if your patient calls your number, the call is forwarded to the answering service, and the receptionist jots down their name and medical issue – that’s PHI. A business associate is any person or company that produces, receives, communicates or maintains PHI on behalf of a covered entity, like a health care provider.

If your answering service says they are 100% HIPAA compliant, then there are some things they shouldn’t be doing, as well as some things that they should be doing. We’ve listed both sets of points below.

5 Things Your Answering Service Should Never Do:

To maintain HIPAA compliance, there are 5 things a HIPAA compliant answering service should never do. If you experience any of the below, your answering service may be the reason your practice gets fined under HIPAA.

#1: Your Answering Service Shouldn’t be Texting Protected Health Information

If your answering service is texting you protected health information, they could be violating HIPAA regulations. If your business is governed by HIPAA, you need to make sure that all patient information stays protected. While cell phones may have passwords, they can easily be stolen or hacked into, exposing patient information that would no longer be protected.

If you are receiving texts from your answering service, they should either be encrypted, or they should simply alert you to a new message and contain no PHI. You should then be able to log into a secure web portal or a secure mobile app to access those messages. If your answering service does not have a web portal or a mobile app, you would usually be able to call them back to retrieve the information verbally.

An easy way to encrypt your text messages would be to download the app called Signal, which is available for both iPhone and Android. However, in order to maintain encryption and security, both parties would have to have the app. So, this may be difficult if you’re working with a third party like an answering service.

Pro tip: While you may get written consent from a few patients to disclose PHI via text between yourself and the service, you may not get it from others. So, you’d have to see if your answering service has the capability to distinguish between those messages. Otherwise, they’d all have to be sent in a uniform format. 

#2: Your Answering Service Shouldn’t be Emailing Protected Health Information

In addition to texting, answering services should not be emailing any protected health information either. So, if your answering service is emailing you, the message should either be encrypted or it should just have a standard alert which instructs you to log into your secure portal to view the information (or to call back for further details). If the patient has given written consent that information can be sent via email from the service to your practice without being encrypted, you’ll want to check with your service to see if emails for those specific patients can be customized accordingly. Otherwise, they’ll also have to be sent in a uniform format.

This also goes for your answering service’s customer support department. Sometimes, if calls get escalated or if customer service needs to intervene, they may send a follow-up email that contains the caller’s information. However, this could also be considered a HIPAA violation. A good support team will direct you to your online portal to view the details of the call.

The only way to really ensure that your emails are protected would be to have them encrypted. Some standard encryption methods are:

  • Transport Layer Security: TLS is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. The Record Protocol encrypts and integrity-protects the data on the connection, while the Handshake Protocol allows the endpoints to verify each other and agree on the cipher and keys before any data is passed through. Note that TLS only protects a message while it travels between mail servers; once the message lands in a mailbox, it is stored in the clear unless it was also encrypted end to end.
  • Secure/Multipurpose Internet Mail Extensions: S/MIME encrypts the message itself using a public/private key pair. The sender encrypts with the recipient’s public key, and only the recipient’s private key can decrypt it, so the content stays protected both in transit and at rest. In addition, it allows you to add a digital signature to your emails, which verifies you as the legitimate sender.

#3: Your Answering Service Shouldn’t be Paging Protected Health Information

Like texting and emailing, sending PHI to an alpha pager would also be considered a HIPAA violation. Since the information that is passed through to the pager is not encrypted, the data is not safe. In addition, alpha pagers are not protected by any sort of password, as a cell phone could be. So, if you happen to set your alpha pager down somewhere outside of your own office, there is a chance it could be stolen, and the messages on it would be visible to anyone.

While sending messages via alpha pager is a no-go, there are some HIPAA compliant pagers on the market which would be appropriate to use. However, as paging is no longer a common form of communication, your coverage area may be limited.

#4: Your Answering Service Shouldn’t be Leaving Protected Health Information on a Voicemail

If you’re having your answering service reach out for urgent situations, there is room for HIPAA violation here as well. If your answering service does not reach you, they should either leave no message, or at the very most they should leave a call back number so you can contact them back to retrieve the information. If your answering service is leaving patient information on your voicemail, they are violating HIPAA.

Essentially, your answering service should not be leaving PHI on any sort of device that is susceptible to data breaches, whether it be as a text, email, page, or voicemail. Ironically, though, sending patient information via fax is considered to be HIPAA compliant.

Pro tip: As with emailing and texting, you may be able to leave PHI on a voicemail if the patient consents. Again, this information would be passed between the answering service and the physician, and the patient would not be involved. If they are okay with this transfer of information, you’d have to check with your service to see if they can customize protocols accordingly.

#5: Your Answering Service Shouldn’t be Giving out Medical Advice

While this one isn’t necessarily a violation under HIPAA, it is still a huge liability for any medical provider. Under no circumstances should your answering service be giving out medical advice to patients, as they would be doing it on behalf of a trained physician but with no real consent from the doctor to do so.

For example, it would be fine for one person to give another person advice to take Aspirin if they had a headache, but not as an entity that is talking to patients on behalf of a medical provider. This is because the patient could later come back and say that “Joe from the answering service advised me to take this” even though that person didn’t have any background knowledge of the patient’s health history.

Really, the only medical advice your answering service should be giving is to call 911 if it’s a true medical emergency. Otherwise, they should inform the caller that they cannot give advice since they are the answering service, but that they can take down their information to have their call returned by a licensed medical physician.

5 Things Your Answering Service Should Always Do:

While there are several things that your answering service shouldn’t be doing in terms of HIPAA, there are also a handful of things that your answering service should be doing to keep your patients’ information safe. For example:

#1: Your Answering Service Should be Secure

Ensuring that your answering service is secure is very important to maintain the privacy of your patients.

Having a secure call center is more than just having secure systems and software. This also means that the operators handling your calls should be in paperless environments so that they cannot write any information down, and they should also be free of their cell phones while at their computers. This eliminates the chance of them texting or taking pictures of private health information.

#2: Your Answering Service Should Have HIPAA Training

Your answering service should have at least one HIPAA Compliance Officer on site who is available to train all of the agents handling your calls on current HIPAA regulations. While the agents may not need an extensive 6 week course on HIPAA, they need to at least know the basics so that they can handle your calls properly.

Additionally, your answering service’s HIPAA Compliance Officer should be kept up to date on all HIPAA regulations via training seminars and be able to provide periodic training to the operators so that they can be kept up to date as well.

#3: Your Answering Service Should Have Procedures in Place for Data Breaches

In the event that data is breached, your answering service should have a plan in place, and they should be as transparent as possible with their customers. For example, if one or all of their systems gets hacked into, the first thing they should do is have their IT team isolate the affected systems so that no one but the response team can access them. Then, they should determine what information was stolen, if any.

From there, they should send out correspondence to all of their affected customers letting them know of the breach, what information was or could have been stolen, and ways to go about protecting their information from here on out. For example, allowing your customers to purchase identity protection on your dime for a certain time frame after the incident occurred (e.g., 6 months to a year) is a great way to say that you’re sorry. While it doesn’t fix what happened, it’s a step in the right direction and may encourage your customers to stay customers.

#4: Your Answering Service Should Enter into a Business Associates Agreement with Your Practice

An important step of partnering with an answering service is to enter into a Business Associates Agreement (also known as a BAA) so that you can disclose protected health information (PHI) securely under HIPAA. Once the contract is signed, you are then able to disclose PHI with your answering service safely.

However, if your practice is not protected under a BAA and your answering service happens to violate HIPAA, your medical practice could be held liable and face up to a million dollars per violation. So, imagine if you get 10 calls in one night, and each one incurred a violation, you’d be facing up to 10 million dollars in fines and a severely damaged reputation.

#5: Your Answering Service Should Have a Secure Means of Retrieving Your Messages

As stated briefly above, your answering service should give you a secure method to retrieve your messages. Typically, services will give you access to a secure online portal and/or a secure mobile app that you would have to log into to retrieve message details. In some cases, you may even be able to add other users who can log into the portal as well, in case you are out or there are several physicians who should also receive the messages.

If your answering service does not offer an online portal or a mobile app, then usually you would be able to call them back to retrieve the messages verbally. However, keep in mind that this may be considered billable usage on your line, so it’s important to confirm those details prior to signing up, in case that will not work for you and your practice.

List of 14 Companies HIPAA Considers Business Associates
Specialty Answering Service, Tue, 13 Feb 2018. https://www.specialtyansweringservice.net/business-associates-for-medical-offices/
The most constant aspect of life is that it’s always changing, and when things change, you have to adapt right along with it. Ironic, isn’t it? Most of the time, change happens for the better, but it does come with some stipulations. If you’re a medical professional, then you’re well aware of HIPAA and how it changed the entire medical industry. If you’re not aware of HIPAA, then pull up a chair and allow us to explain.

What is HIPAA?

The Health Insurance Portability and Accountability Act, better known as HIPAA, is a law that was created in 1996 to help regulate and protect the personal health information of patients. The Health Information Technology for Economic and Clinical Health Act, better known as HITECH, has its roots in HIPAA. Some other offshoots of HIPAA include PHI (Protected Health Information) and BAAs (Business Associate Agreements). Essentially, these laws and requirements make it so that doctors or other medical professionals cannot pass your information through unprotected systems, making the data vulnerable to prying eyes. At Specialty Answering Service, we understand how important it is for our clients to maintain HIPAA compliance, so we’ve changed our method of doing things as well.

Since the start of HIPAA, medical professionals all over the country have had to completely change how they run their practice to make sure they are adhering to the appropriate guidelines. Tasks that seemed so routine before, like inputting data or filing records, now have to be handled delicately to ensure the patient information stays protected. This means that if you’re using any companies to help in your day to day tasks, like answering your calls or shredding your documents, these companies also have to follow the same rules to ensure they are not leaking any private data. HIPAA defines these companies you use as “business associates”, and all of these 3rd party business associates would need to enter into a Business Associates Agreement in order for your practice to maintain compliance.

Business Associates Agreement

A Business Associates Agreement is another offshoot of HIPAA: a protection mechanism for making sure your patients’ health information stays protected. Whenever you do business with a 3rd party, that party needs to adhere to HIPAA even if they themselves are not in the medical industry. A business associate could include any person or company that produces, receives, communicates or maintains protected health information (PHI) on behalf of a covered entity, like a health care provider.

Once this agreement, or contract, is signed (by both parties), you are able to disclose private information without any violation. However, if your 3rd party associate breaks the contract, you could also be held liable for their actions. For example, if you sign a BAA with a medical lab, and they happen to disclose information to an outside party that’s not on the agreement, you could be held accountable. Before you enter into an agreement, you should always consult with a lawyer so you know exactly what you’re agreeing to. If both parties aren’t on the same page, it may lead to fines (which can cost over a million dollars per violation), loss of business, damage to your reputation, and/or lawsuits.

Running any office is complicated, but running a medical office comes with its own set of hoops that you have to jump through on a daily basis. To try and make your job a little easier, we’ve compiled a list of vendors below that a medical professional may partner with, and why you would need to make sure you’re covered with a BAA:

  • Cloud/IT Database: No matter what system or software you use, all of your patient data is stored somewhere in cyberspace. You’ll want to enter into a BAA with whatever party you’ve chosen to do business with to ensure that this information stays protected from hackers, or any other outside source looking to steal information. Data breaches are more common than you would think, so it’s important that you keep this information protected at all costs.
  • CRM Providers: If you use a CRM (Customer Relationship Management) platform to manage all of your patient data, you’ll need to enter into a BAA with the CRM vendor to ensure that information stays protected. There are many CRMs that are medical based, like Veeva and Evariant, so they already know the deal when it comes to HIPAA. It doesn’t hurt to always cross your t’s and dot your i’s.
  • Answering Services: If you outsource your calls to an answering service, you’ll want to make sure that the answering service is HIPAA compliant. This means that the messages they send to you cannot contain any patient information. For example, Specialty Answering Service complies with HIPAA by sending standard messages that alert you that you have a new message and to log into your secure online portal for more details. We can also sign a BAA to ensure that we are staying compliant under HIPAA. Other answering services may comply with HIPAA by sending messages via fax. However, not all answering services are HIPAA compliant, so if you’re in the market for an answering service or on call service, make sure you do your research before partnering with one.
  • Billing: If you do not process or send out invoices in your own office, then you’ll want to sign a BAA with your medical billing company because they’ll have access to patient information. Any and all patient data needs to stay protected, and this would include billing records.
  • Lawyers/Legal Firms: An important aspect of running a medical office is making sure you have proper legal representation just in case things don’t go according to plan. Even if you’re not in any sort of predicament, it’s always smart to have back up just in case. When you do hire a lawyer, you should also enter into a BAA with them as they would need to have access to patient records. If you do not, you might find yourself getting hit with a double whammy.
  • Insurance Providers: Due to the high costs of the medical industry, most medical practices partner with various insurance providers. Since the insurance provider would have access to patient health records, you would need to sign a BAA with them to keep that information protected.
  • Medical Labs: If you’re in the medical industry, then chances are you partner with some sort of lab to analyze any blood or culture samples you take from your patients. They are essentially an extension to your practice, so entering a BAA with any labs you work with is crucial.
  • Medical Transportation Services: If you partner with a medical lab, then you most likely also partner with a medical transportation service. These services would be used to transport any blood or culture samples to a lab for further testing. Included with these samples are the patient records, which the transportation service would have access to. So, you would want to sign a BAA with them as well to protect those items.
  • Appointment Reminder Notifications: Usually, medical offices will send out some sort of reminder when a patient is due for their annual check up, or if they have an upcoming appointment. If you use a 3rd party company to send out texts, emails, phone calls and/or post cards, you’ll want to make sure they are adhering to HIPAA in addition to signing a BAA.
  • Shredding Services: If you run a larger practice, then you may need to hire a 3rd party to shred documents/records that are no longer needed. Since they’ll have access to all of the information you give them, you’ll need to enter into a BAA with the company to ensure that information gets destroyed correctly and nothing gets left behind.

Not Every Company You Work With is Considered a Business Associate

Sometimes you may work with vendors that might not need to be regulated under HIPAA, and therefore would not need to sign a BAA. The vendors listed below may not need to enter into a BAA with you, however, please check with your lawyer to make sure:

  • Janitorial/Medical Waste Services: Typically, janitors or companies that dispose of medical waste do not need to adhere to HIPAA since they aren’t handling any patient information. However, they do still have to come into your practice so they will have indirect access to medical records.
  • Website Hosting/Developers: If you pay an outside source to create and/or manage your website, you probably don’t need to sign a BAA with them. Generally speaking, your website shouldn’t have any patient information on the surface. However, if your website also serves as an online portal for your patients to log into, or a repository to gather patient email addresses for newsletter mailings, then you’ll want to make sure your 3rd party associate is HIPAA compliant and you may want to enter into a BAA with them as well.
  • Business Consultants: If you have a business consultant, you may want them to enter into a BAA depending on how involved they are. If they don’t have access to your patient records, then you’re probably fine. However, you should consult with a lawyer before making any decisions.
  • Direct Mail Companies: Direct mail refers to a marketing effort used by all types of industries to try and target a larger audience. For example, these promotional efforts could include brochures or pamphlets regarding your medical practice. Since these companies can realistically send mail to anyone, you may not need to enter in a BAA if you’re not giving out your own patients’ addresses.

These examples are just a few of the many types of business associates a medical professional may partner with. No matter how many or how few business associates you have, it’s always important to make sure everybody’s up to code. When you stay current on HIPAA regulations, you can ensure that all of your patients’ health information stays protected. Happy patients equal more business, and more business equals happy medical professionals. Everybody wins!
