What is HIPAA?

The Health Insurance Portability and Accountability Act, better known as HIPAA, is a law that was created in 1996 to help regulate and protect the personal health information of patients.  The Health Information Technology for Economic and Clinical Health Act, better known as HITECH, has it’s roots with HIPAA. Some other offshoots of HIPAA include PHI (Protected Health Information) and BAAs (Business Associate Agreements). Essentially, these laws and requirements make it so that doctors or other medical professionals cannot pass your information through unprotected systems making the data vulnerable to prying eyes. With Specialty Answering Service, we understand how important it is for our clients to maintain HIPAA compliance, so we’ve changed our method of doing things as well.

Since the start of HIPAA, medical professionals all over the country have had to completely change how they run their practice to make sure they are adhering to the appropriate guidelines. Tasks that seemed so routine before, like inputting data or filing records, now have to be handled delicately to insure the patient information stays protected.  This means that if you’re using any companies to help in your day to day tasks, like answering your calls or shredding your documents, these companies also have to follow the same rules to insure they are not leaking any private data. HIPAA defines these companies you use as “business associates”, and all of these 3rd party business associates would need to enter into a Business Associates Agreement in order for your practice to maintain complaince.

Business Associates Agreement

A Business Associates Agreement is another offshoot of HIPAA, and is another protection mechanism in place making sure your patients’ health information stays protected. Whenever you do business with a 3rd party, that party needs to adhere to HIPAA even if they themselves are not in the medical industry. A business associate could include any person or company that produces, receives, communicates or maintains protected health information (PHI) on behalf of a covered entity, like a health care provider.

Once this agreement, or contract, is signed (by both parties), you are able to disclose private information without any violation. However, if your 3rd party associate breaks the contract, you could also be held liable for their actions. For example, if you sign a BAA with a medical lab, and they happen to disclose information to an outside party that’s not on the agreement, you could be held accountable. Before you enter into an agreement, you should always consult with a lawyer so you know exactly what you’re agreeing to. If both parties aren’t on the same page, it may lead to fines (which can cost over a million dollars per violation), loss of business, damage to your reputation, and/or lawsuits.

Running any office is complicated, but running a medical office comes with it’s own set of hoops that you have to jump through on a daily basis. To try and make your job a little easier, we’ve compiled a list of vendors below that a medical professional may partner with, and why you would need to make sure you’re covered with a BAA:

• Cloud/IT Data Base: No matter what system or software you use, all of your patient data is stored somewhere in cyberspace. You’ll want to enter into a BAA with whatever party you’ve chosen to do business with to insure that this information stays protected from hackers, or any other outside source looking to steal information. Data breaches are more common than you would think, so it’s important that you keep this information protected at all costs.
• CRM Providers: If you use a CRM (Customer Relationship Management) platform to manage all of your patient data, you’ll need to enter into a BAA with the CRM vendor to insure that information stays protected. There are many CRMs that are medical based, like Veeva and Evariant, so they already know the deal when it comes to HIPAA. It doesn’t hurt to always cross your t’s and dot your i’s.
• Answering Services: If you outsource your calls to an answering service, you’ll want to make sure that the answering service is HIPAA compliant. This means that the messages they send to you cannot contain any patient information. For example, Specialty Answering Service complies with HIPAA by sending standard messages that alert you that you have a new message and to log into your secure online portal for more details. We can also sign a BAA to insure that we are staying compliant under HIPAA. Other answering services may comply with HIPAA by sending messages via fax. However, not all answering services are HIPAA compliant, so if you’re in the market for an answering service or on call service,  make sure you do your research before partnering with one.
• Billing: If you do not process or send out invoices in your own office, then you’ll want to sign a BAA with your medical billing company because they’ll have access to patient information.  Any and all patient data needs to stay protected, and this would include billing records.
• Lawyers/Legal Firm: An important aspect of running a medical office is making sure you have proper legal representation just in case things don’t go according to plan. Even if you’re not in any sort of predicament, it’s always smart to have back up just in case. When you do hire a lawyer, you should also enter into a BAA with them as they would need to have access to patient records. If you do not, you might find yourself getting hit with a double whammy.
• Insurance Providers: Due to the high costs of the medical industry, most medical practices partner with various insurance providers. Since the insurance provider would have access to patient health records, you would need to sign a BAA with them to keep that information protected.
• Medical Labs: If you’re in the medical industry, then chances are you partner with some sort of lab to analyze any blood or culture samples you take from your patients. They are essentially an extension to your practice, so entering a BAA with any labs you work with is crucial.
• Medical Transportation Services: If you partner with a medical lab, then you most likely also partner with a medical transportation service. These services would be used to to transport any blood or culture samples to a lab for further testing. Included with these samples are the patient records, which the transportation service would have access to. So, you would want to sign a BAA with them as well to protect those items.
• Appointment Reminder Notifications: Usually, medical offices will send out some sort of reminder when a patient is due for their annual check up, or if they have an upcoming appointment. If you use a 3rd party company to send out texts, emails, phone calls and/or post cards, you’ll want to make sure they are adhering to HIPAA in addition to signing a BAA.
• Shredding Services: If you run a larger practice, then you may need to hire a 3rd party to shred documents/records that are no longer needed. Since they’ll have access to all of the information you give them, you’ll need to enter into a BAA with the company to insure that information gets destroyed correctly and nothing gets left behind.

Not Every Company You Work With is Considered a Business Associate

Sometimes you may work with vendors that might not need to be regulated under HIPAA, and therefore would not need to sign a BAA. The vendors listed below may not need to enter into a BAA with you, however, please check with your lawyer to make sure:

• Janitorial/Medical Waste Services: Typically, janitors or companies that dispose of medical waste do not need to adhere to HIPAA since they aren’t handling any patient information. However, they do still have to come into your practice so they will have indirect access to medical records.
• Website Hosting/Developers: If you pay an outside source to create and/or manage your website, you probably don’t need to sign a BAA with them. Generally speaking, your website shouldn’t have any patient information on the surface. However, if your website also serves as an online portal for your patients to log into, or a repository to gather patient email addresses for newsletter mailings, then you’ll want to make sure your 3rd party associate is HIPAA compliant and you may want to enter into a BAA with them as well.
• Business Consultants: If you have a business consultant, you may want them to enter into a BAA depending on how involved they are. If they don’t have access to your patient records, then you’re probably fine. However, you should consult with a lawyer before making any decisions.
• Direct Mail Companies: Direct mail refers to a marketing effort used by all types of industries to try and target a larger audience. For example, these promotional efforts could include brochures or pamphlets regarding your medical practice. Since these companies can realistically send mail to anyone, you may not need to enter in a BAA if you’re not giving out your own patients’ addresses.

These examples are just a few of the many types of business associates a medical professional may partner with. No matter how many or how little business associates you have, it’s always important to make sure everybody’s up to code. When you stay current on HIPAA regulations, you can insure that all of your patients’ health information stays protected. Happy patients equal more business and more business equals happy medical professionals. Everybody wins!

The post List of 14 Companies HIPAA Considers Business Associates appeared first on Specialty Answering Service.

Once you’ve made the decision to outsource phone support to an answering service, the next thing you have to decide is how you want the service to handle your calls. Obviously, call center representatives aren’t going to know the ins and outs of your practice. However, there are many ways to give the people answering your line a better feel for what it is that you do and the type of assistance your callers will require.

While answering services may not be able to see patients for you, what they can do is screen calls and schedule appointments, and in some cases, push the information they gather from your callers directly into your CRM software. There’s a lot to consider before you take the plunge, so take a look at the tips and tricks below, and you’ll be well on your way to getting the most out of your call center!

1. HIPAA Compliance: This is a must anytime Protected Health Information is changing hands.
2. Scheduling Appointments: We’ve included a few key points on the calls that drive your practice.
3. Emergency Calls: When time is of the essence, flawless programming is of the utmost importance.
4. Prescription Refills: Some refills just can’t wait and may warrant separate call handling.
5. The Right FAQs: While operators can’t give out medical advice, they can certainly address general questions.
6. Customer Relationship Management & Other Integrations: CRM and other software integrations will give your staff more time to focus on in-office patients who need your undivided attention.
7. Hospital & Consult Calls: Depending on the nature of the practice, consult calls may be considered emergencies.
8. Specific People: When people ask for doctors and staff directly, this ensures that the operators know who they are.
9. Overflow & After-Hours: In many cases, call handling will be different based on your business hours.
10. Download the Mobile App: Find out how technology can keep you informed and on time.
11. Stick to the Basics: Common call types and straightforward scripts make life easier for operators and callers alike.
12. Repeat Callers: Even the most fine-tuned practice can let return calls fall by the wayside. Be prepared for repeats.
13. Triaging Techniques: Use pointed questions or an IVR recording to filter out priority calls.
14. Look for a Free Trial: Don’t rely on anyone else’s opinion. Do your research, make use of the trial period, and choose the service that’s right for you.

HIPAA Compliance

First things first. Any kind of medical practice, or any office where Protected Health Information (PHI) is changing hands, is going to need a HIPAA compliant answering service. Data privacy for covered entities is a requirement of the U.S. Department of Health and Human Services, so you’ll want to make sure that the service you choose is up to speed.

1. Patient information cannot be transmitted via text or email; however, those message delivery methods are still viable, adhering to the following:

• A generic text or email that states something along the lines of, “You have a new message. Please dial your forward number for more information.” This may require specific programming or software that will enable you to customize the outbound message.
• PHI must not be included.

2. Fax remains HIPAA compliant, so that is another option for message delivery.

3. Some services may give you access to an online portal where you’ll be able to view all of your messages and listen to call recordings in a secure environment.

4. If you have requested text notification, you may want to delegate internally who will be receiving what. For example, urgent messages might be sent to the on-call physician, while general messages could be addressed by an office manager.

Scheduling Appointments

The majority of people who call a doctor’s office will probably want to schedule, cancel, or reschedule an appointment, and hiring an answering service that has the ability to manage your calendar will take a lot off your plate. While you’ll have to do your research on which scheduling platform integrations are available with prospective call centers, in most cases, your service will be able to book appointments directly on your website, integrate with Google Calendar, or use proprietary scheduling software.

Typically, if a service is HIPAA compliant, operators should not be able to view or edit previously scheduled appointments, so cancellation and reschedule requests will need to be handled outside of the calendar. You may want operators to take a message for those calls. For same-day cancellations, it might be beneficial to transfer callers to you during business hours to avoid unnecessary prep for a no-show appointment.

Appointment Setting 101

Consider these questions when you’re establishing appointment setting parameters.

• What days and times can appointments be scheduled?
• Can operators schedule more than one patient per time slot?
• What is the duration of each appointment, or do you offer services of varying lengths?
• Should your lunch hour be blocked out?
• Do you offer evening or weekend appointments?
• Do you have multiple practice locations, but all intake calls are directed to the same line?

Also, try to think of every possible scenario so that the scripting makes sense.

• If you have a different protocol for new patients as opposed to existing patients, you’ll want to address proper scripting. For example, existing patients may only need to provide their name and number for a quick look up in your system, whereas if a new patient calls, you may need to ask for their insurance information, address, referral source, date of birth, etc.
• If your practice sees children, or if caregivers frequently call in lieu of patients (e.g., elder care, hospice, etc.), perhaps you should have your service set up a screening question to ask if the caller is the patient or if they’re calling on behalf of the patient.
• If you only accept certain medical plans, it would help to ask upfront if the patient will be using insurance to avoid scheduling self-pay appointments that the patient cannot afford.
• If you have several doctors in your practice, or if certain doctors are not accepting new patients, operators should inquire as to which doctor the patient would like to see, and each practitioner should have their own calendar.
• Emergency appointments may be best scheduled by your office staff rather than the call center, as operators will not be able to “tweak” availability or move things around to accommodate an urgent need.

Emergency Calls

In addition to scheduling appointments, another call type that you can be sure you’ll receive is emergencies. Unless you have an ironclad immune system or ridiculously good luck, you’ve likely been sick at some point. When you don’t feel well, sometimes you just want to talk to your doctor. If it is after hours or no one is available, you may be left telling your story to a message machine. And with busy practices, who knows when that message will be picked up? Having a live operator field emergency calls rather than pushing everyone to voicemail gives patients a sense of relief.

Emergency Scripting Considerations

• Adding screening questions will help ensure that only true medical emergencies are being handled right away. For example, the operator could open with, “Are you calling regarding an emergency?” And a secondary question could be asked such as, “Can this wait until business hours, or do you need to speak with the doctor urgently?”
• Most services have some sort of ER system in place. Before signing up with a call center, it’s of the utmost importance that you decide on the appropriate protocol for calls that warrant immediate attention. For example, your account can be programmed to transfer emergency calls directly to the on-call practitioner.

Emergency Message Notification

If calls are to be transferred, determine which hours operators should connect calls to you vs. sending a message.

If there is a reach on-call, you may want to find out if you are able to call in to the service and have them patch you through to the patient so that you can protect your own privacy.

You may use any combination of emergency notification such as:

• Warm Transferring Calls – the operator will remain on the line with the caller and give you the opportunity to accept or decline the call. If the call is declined, the operator returns to the caller and continues with information gathering or closes the call.
• Reaching On-Call Staff – after the caller disconnects, the operator will dial through your on-call staff list as many times as you would like. Note that voicemail messages including patient information are not HIPAA compliant. Instead, the operator can leave a message such as, “This is your answering service. You have a new urgent call. Please dial your forward number for assistance.”
• Texting – for a HIPAA compliant text message, the message itself cannot include patient information.
• Emailing – this is compliant, as long as the email does not include patient information.
• Paging – this is compliant, as long as the page is numeric only, as opposed to alpha-numeric.
• Faxing

Prescription Refills

While prescription refill calls are generally not urgent, there are times when a refill request cannot wait. For this call type, you’ll want to add a screening question – perhaps something along the lines of, “Have you already run out?” or, “Are you about to run out?” If the patient has already run out, and it is critical that they re-up, these calls could result in some sort of transfer or urgent text. If the patient still has some time before they run out, your service could give the caller the option to call back during normal business hours or leave their information and have the office follow up with them on the next business day. Patients can also be referred to their pharmacy, as pharmacists can often submit electronic refill requests on the patient’s behalf.

The Right FAQs

Though FAQs aren’t really part of your “call handling,” they do help out the operators substantially. You don’t want to overload them with information regarding your practice, but they should be able to answer basic questions and have a few details on the more common questions that your callers ask. For example, your FAQs could include the following:

• Your location
• Your business hours
• The office phone and/or fax number
• What insurance plans you accept
• Can a patient pay out-of-pocket? If so what are the prices?
• What services do you provide? Is it a standard family practice, or do you specialize in anything in particular?
• List the names of all the doctors in the practice
• Is there an email address where callers can send general inquiries?
• Is there a website?
• Do you have a cancellation policy?

Customer Relationship Management (CRM) & Other Integrations

We can all agree that perhaps the most annoying aspect of your first appointment with a new doctor is the time spent filling out a seemingly endless clipboard of paperwork. Perhaps even more annoying than filling it out is the job of the individuals who have to enter every piece of data into the office’s CRM system. Tedious, right? While an answering service can’t do all of your work for you, the right service can be a huge asset to any medical office’s front desk team by asking essential information in that first phone call and sending the details to your records system.

• A Medical Answering Service with CRM integrations are a huge time-saver. By pushing each caller’s data directly to your database, you’ll have the information at your fingertips. Sure, you’ll still have work to do – but less time spent filling up your database is more time spent ensuring that your patients have the best possible in-office experience.
• Calendar integrations eliminate the need for you to book appointments on your own. (See the section on Scheduling Appointments).
• With an email integration, your service may be able to send out new patient paperwork that can be completed prior to the office visit. Alternately, they can push data into your outbound mail system, e.g., MailChimp or Constant Contact, so that you can email important documents in one click.

Hospital Calls or Consult Calls from Other Medical Professionals

Does your office receive calls from neighboring hospitals, practices, or home care services that may be treating your patients? If so, consider how these calls should be handled when they reach the service. Some information that may be helpful to you would be:

• Name of the medical facility they are calling from
• Caller’s name and/or Doctor’s name
• Call back number
• Patient’s name
• Patient’s date of birth
• Location of the patient (if admitted, floor and room number)
• What the call is regarding

Depending on the facility, issue (e.g., an emergency consult), or time of day, a message alone may not be suitable. You may want certain calls transferred to the office during business hours, and for after-hours calls, a reach on-call protocol may be necessary.

Specific People

Sometimes, callers will ask to speak directly with a doctor or staff member. While you may not be available to speak with them, you’ll still want them to know that their call is important to you, and you will be in touch with them as soon as you are available. A Specific Person path really comes in handy, especially if you have a number of practitioners and support staff in your practice. Generally, your script would be programmed with a drop-down list of all the individuals that may be requested along with a small identifier next to each name. For example, whom did the caller ask to speak with?

• Dr. Jones (Neurologist)
• Dr. Smith (Physical Therapist)
• Dr. Richardson (Counselor)
• Ms. Williams (Office Manager)

This way, if someone calls and asks to speak with the office manager but doesn’t give a name, the operator will be able to look at this list and see that Ms. Williams is the office manager. If it is important to you to have your answering service seem like your actual office, this minor tidbit of information could create that feel.

Overflow & After-Hours

Even if you are fully-staffed during business hours, chances are good that you’ll miss a few calls. And no matter what office you run, there will always be someone who tries to reach you after-hours. If you’ve ever called your doctor’s office, only to be met with a super annoying voicemail system instead of a live operator , then from a patient’s perspective, you can see the value in using a service for overflow and after-hours calls. The value for your personnel is that they don’t have to waste precious minutes listening to voicemail. Messages have already been taken and are available for review, so you can immediately begin returning calls and getting patients the assistance they need.

• Typically, services will allow you to set up some sort of business hours/after-hours handling. During your open hours, the operators will have one set of instructions, and after hours, they’ll use a different script.
• If the practice is open and calls are set to roll over to the service when no one is available, operators can let your patients know that due to a high volume of calls, they are taking messages on the office’s behalf. If callers are leery about leaving a message, you may also give them the option to try back later.
• After hours, operators can let your patients know that the office is closed, but they would be happy to take a message and have the call returned when the office re-opens. Or, if it’s an emergency, the script can be built with a reach on-call step to get in touch with the on-call staff.

Download the Mobile App

As technology continues to evolve, people and businesses are forced to evolve with it. Many answering services now offer a mobile app that you can download to retrieve your messages. Having this feature available to someone who can’t sit idly by a computer is a must in patient care industries. If you’re out and receive an urgent message, you can log in to your mobile app, view the details of the call, and possibly even listen to it, if your answering service offers call recording.

• For offices with rotating on-call staff, or in cases where callers request a specific person, your call center may be able to provide a unique login ID for each of your staff members.
• Permissions may be set to provide complete access to all calls, or partial access, where only calls that pertain to the particular individual may be seen.

Stick to the Basics

When you start using an answering service, your first reaction is often to overload the operators with information about your practice, and hope for the best. Would that same approach work for a new in-house receptionist who is just learning the ropes? Not likely. So, while it is important that you provide the service with key FAQs such as address, hours, and a description of what you do, callers and operators alike will have more successful interactions if you stick to the basics. Here are a few things to keep in mind.

• Providing too many options for the operator can be overwhelming and may result in mishandled calls. Remember that your call center is there to lend a helping hand, not to run your business for you.
• Keep in mind that while your service may answer for 100 doctors’ offices, no two accounts are the same. Thus, what works for one account may not necessarily be appropriate for another.
• It’s always a good idea to have an All Other Calls path in your script. If a caller’s request or issue doesn’t match the primary path options, the operator will still have an avenue by which to document the nature of the call.

Repeat Callers

Even if messages are gathered and sent swiftly, a busy practice may need more than 24 hours to return a patient’s call. That being said, not every patient can wait 24 hours. They may grow weary of sitting by the phone and dial your office again instead, stating that they called yesterday and haven’t heard back. How should your service handle these calls? Should the operator simply take another message? Should the call be considered urgent? Or should they try and patch the call through to the office? Preparing your service for these types of scenarios will ensure that calls are handled as efficiently as possible and minimize frustration on the part of the caller.

Triaging Techniques

What if you only want to use an answering service for after-hours emergencies? If that is the case, then many of the tips above won’t apply – but, there are still options that you can explore to keep call handling crisp.

• Have a screening question up front. For example, “You’ve reached the emergency after-hours service for Dr. Smith. This is Gabby. Are you calling with emergency?” If the caller responds in the affirmative, the operator could reach out to the on-call doctor. If it is not an emergency, you might want the operator to say something along the lines of, “I apologize, but this line is for emergencies only. Please try calling back during regular business hours.”
• Include a brief list of what is considered an emergency, e.g., bleeding, pain, post-op complications, suicidal thoughts, etc. You certainly don’t want to leave this judgment up to the operators, so having a short rundown of emergent issues will help them triage calls appropriately and follow the proper procedures for true emergencies.
• Add IVR to your line. This would be an upfront recording and could say something such as, “You have reached the after-hours answering service for the Office of Dr. Jones. If this is a true medical emergency, please hang up and dial 9-1-1, or go to your nearest emergency room. If you need to speak with the doctor urgently, please press 1 to be transferred to an agent.”

Having these types of screeners will filter out legitimate emergencies from callers who just want a direct line to you and your staff. In turn, you may have less usage and a lower monthly invoice.

Look for a Free Trial

If you’re in the market for a medical answering service, be sure to do your due diligence before signing on. While online reviews may be useful to a degree, nothing compares to your own experience and opinion. That’s where a free trial comes in. Most services will offer a trial period that will give you a solid understanding of how your calls will flow, the professionalism of the operators manning your phones, the availability and help offered via customer support channels, your average minutes usage, and more.  To find the best fit for you, take advantage of everything the free trial offers, and place test calls if you’re not ready to forward your lines. The sooner you sign on with the right service, the sooner you’ll be home for those family dinners you’ve been missing!

The post 14 Medical Answering Service Must Haves appeared first on Specialty Answering Service.

Example A: Go ahead, Bob.

In this scene, Betty was a superstar. She did everything right during the live call. Despite Bob’s attempt to weasel Dr. Marvin’s number out of her, she politely told him that she could not give out that number. Instead, she attempted to reach the doctor on the other line, letting him know who was calling and giving him the opportunity to either take the call or have Betty take a message. No personal information was exchanged and the call was handled promptly and professionally.

But let’s take a look at what happens when Bob shows up at the call center’s door asking for his physicians information. The Mid-Manhattan Exchange is responsible for a slew of HIPAA answering service violations, leaving the call center vulnerable to a serious security breach.

Example B: Lake Winnipesaukee

Violation #1 – Who’s allowed into your call center?

Bob, masquerading as Detective Roberts from Homicide, knocks on the door and is permitted to waltz onto the call center floor with ease. The door isn’t being monitored by anyone other than Betty and her colleagues. And you can pretty much bet there are no security cameras.

Violation #2 – What about signing in?

Betty doesn’t bother to check or verify “Detective Roberts'” identification even though he is flashing a very obvious Blue Shield badge. He hasn’t been asked to sign in. And he hasn’t been given clearance to access the facility by call center security. He just asks for information and receives it. No questions asked – except by Bob!

Violation #3 – Protected information is in plain sight.

Way back when, we used to write down messages on those little pink notepads, just like Betty and her colleagues. Those days are gone, and for good reason. All of that paper leaves a visible trail of protected information that could quickly fall into the wrong hands.

Violation #4 – Stop writing. Start typing.

Betty and her colleagues are using paper and pens to write everything down. This opens the door for fraud or misconduct in the workplace that could result in a data breach. When call center representatives document calls, the records should be solely electronic and they should become inaccessible to representatives as soon as they are entered. Otherwise, your call center can pretty much forget about HIPAA compliance.

Violation #5 – PHI is called Protected Health Information for a reason!

Now, granted, Betty gave out Dr. Marvin’s address and not a patient’s personal records. But the principle is the same. When it comes to call center transactions, protected health information can’t be shared with just anyone – not even if they are pretty convincing as a detective in a trench coat. It can’t be discussed aloud in public places where other people may be able to overhear. It can’t be transmitted via email unless encrypted, and it can’t be sent via text message. Messages documented by your call center can only be communicated by fax.

So, what has Bob taught us? Well, first off, never trust a guy in a trench coat. Unless he’s Clark Kent or something. And second, if you are a call center employee, verify verify verify. Don’t just let anyone onto the floor. Don’t just give anyone information, whether on the phone or in person. Don’t discuss PHI in public, don’t have sensitive paperwork or messages hanging around, and avoid using pen and paper as much as possible. Learn the proper security protocols set forth by your employer, and follow them to the letter. It not only protects those whose lines you are answering, but it protects you and your medical answering service from shady characters like Bob Wiley. Enough said.

The post A lesson in HIPAA compliance in answering services from What About Bob. appeared first on Specialty Answering Service.