North American Customer Service Management Association

Support for Contact Center Professionals

Step 3 HIPAA


The Health Insurance Portability and Accountability Act of 1996, enacted on August 21, 1996, is known to everyone as HIPAA. Its goal is to protect the health information of patients. For a contact center, HIPAA comes down to three sets of rules: the Privacy Rule, the Security Rule and the Electronic Data Interchange (EDI) transaction standards. The EDI standards define a common format for the billing, coding and eligibility-verification exchanges between providers and payers. The Security Rule defines the access, storage and confidentiality requirements for electronic protected health information (ePHI). The Privacy Rule determines how patient information may be used and disclosed. The Privacy and Security Rules apply most directly to contact center agents, who access and use ePHI daily.

What Types of Information Does HIPAA Protect?
Individually identifiable health information is information, including demographic information, that relates to:
- The individual’s past, present, or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual.

and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.

For example, a medical record, laboratory report, or hospital bill would be Protected Health Information (PHI) if information contained therein includes a patient’s name and/or other identifying information.

Contact centers in the healthcare and insurance industries handle patients and their protected health information. They are responsible for handling that data within the confines of the law, and the consequences of failing to do so are quite expensive.

Companies employ a range of physical, operational, systems, and network safeguards to help ensure that information is protected and this includes the contact center as well.

What is a privacy policy? A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses and manages a customer's or client's data. It fulfills a legal requirement to protect a customer's or client's privacy. Many times, owners and managers take shortcuts and think they are the only ones who need HIPAA training. This is where violations occur. It is the agent's responsibility to abide by the HIPAA rules, as it is for anyone who has contact with the patient. Taking the time to ensure every employee is familiar with HIPAA and understands how it applies to them will help eliminate costly fines.

For example, agents like to “peek” at client information. This happens most often with well-known people, out of curiosity, and that “peeking” is a violation that commonly results in the agent’s termination. A tele-nurse was let go for sharing a famous NFL player’s surgery information at the dinner table. That story later found its way onto social media and the rest is history. If an agent has no business reason to be reviewing client information, every such access is an opportunity for a citation, especially if private information lands on a social media page, and if your organization is the information source, you are liable for large fines and lawsuits. Unless the caller is the patient’s personal representative (for example a parent acting for a dependent, or someone holding a health care Power of Attorney) or the patient has authorized the disclosure, it is illegal to release Protected Health Information (PHI), even to family members. To protect patients, contact center staff may only discuss patient information with the patient or someone authorized by the patient. In practice that means the caller-verification script and the account’s list of authorized contacts decide whether a caller may hear anything at all, and that check comes before any PHI is read from the screen.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule establishes a national set of minimum security standards for protecting all electronic Protected Health Information (ePHI) that is created, received, maintained, or transmitted. The Security Rule contains the administrative, physical, and technical safeguards that must be put in place to secure ePHI.

The most common causes of HIPAA violations are lost devices that are not password protected, hackers, and employee dishonesty. Missing passwords are usually found on laptops and other handheld devices, and this can be an issue with work-at-home agents. Your compliance policy should require every device that touches ePHI to be password protected and encrypted, with passwords changed on a regular basis and a procedure for reporting a lost device immediately.
Employee dishonesty is a tough one to monitor, as we saw with the tele-nurse. Contact centers use call recording to ensure compliance, along with a Quality Assurance group that monitors calls for compliance. While not every call is reviewed, every call is recorded and retained according to legal requirements; see http://www.hhs.gov/hipaa/ for details. Recordings can easily be retrieved from storage for any reason, which is exactly why that storage needs protecting. The most secure way to store these private conversations is to encrypt the audio files. While the HIPAA Security Rule, as amended by the 2013 Omnibus Rule, treats encryption as an addressable specification rather than a required one, Health and Human Services (HHS) has been levying stiff fines against businesses that do not properly protect information. Encryption also has a direct pay-off under the Breach Notification Rule: ePHI that is lost or stolen while properly encrypted is not “unsecured PHI” and does not trigger breach notification.

Since encryption is not strictly required, why not go for the highest level of protection anyway? Can you be “over” compliant with your clients’ personal information? With a comprehensive contact center platform these capabilities are built in, which makes it easy and inexpensive to add an extra layer of security. Encryption makes information unusable, unreadable and undecipherable to anyone who obtains it without the key, whether from a lost device or a break-in. The caveat is key management: a key stored next to the recordings, or hard-coded in the platform, protects nothing, so keys belong in a key-management service whose access is logged separately from the recordings themselves.
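What “encrypt the audio files” looks like in code, as an added example that is not part of the NACSMA page and not the code of any particular contact center platform: each recording is sealed with AES-256-GCM, so a file that is modified in storage, or that is copied onto another call’s record, is rejected on decryption instead of being played back. The recording IDs and the audio bytes are constructed for the example, and the key is generated locally only so the example runs on its own; in a real platform the key would be issued and held by a key-management service, as the paragraph above assumes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewRecordingKey returns a random 32-byte AES-256 key. Generating it here
// is an assumption made so the example is self-contained; production keys
// come from a key-management service, never from a file beside the audio.
func NewRecordingKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be exactly 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecording encrypts the audio of one call and returns
// nonce || ciphertext || tag. The recording ID is bound in as associated
// data, so a sealed file cannot be swapped onto another call's record.
func SealRecording(key []byte, recordingID string, audio []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per file: reusing a nonce under the same key
	// destroys GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, audio, []byte(recordingID)), nil
}

// OpenRecording reverses SealRecording. A wrong key, a different recording
// ID, or any modification of the stored bytes yields an error, not audio.
func OpenRecording(key []byte, recordingID string, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed data too short to contain nonce and tag")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordingID))
}

func main() {
	key, err := NewRecordingKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the bytes of a WAV file; not a real recording.
	audio := []byte("RIFF....WAVEfmt constructed sample audio bytes")
	sealed, err := SealRecording(key, "call-2024-000123", audio)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes for %d bytes of audio\n", len(sealed), len(audio))

	if _, err := OpenRecording(key, "call-2024-000124", sealed); err != nil {
		fmt.Println("swapped onto another call's record:", err)
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := OpenRecording(key, "call-2024-000123", tampered); err != nil {
		fmt.Println("modified in storage:", err)
	}
	back, err := OpenRecording(key, "call-2024-000123", sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("intact file decrypts:", string(back) == string(audio))
}
```

The nonce is stored in front of the ciphertext because GCM needs it to decrypt but it is not secret; what must stay secret is the key, and what must never happen is reusing a nonce under the same key, which is why one is drawn from the system random source for every file.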

Companies that violate HIPAA regulations are subject to penalties by the U.S. Department of Health & Human Services. What does a citation cost? HIPAA violations are expensive; the penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision.

The FTC is responsible for enforcing the privacy promises companies make, and it takes them very seriously. When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up to those promises. The FTC has brought legal actions against organizations that violated consumers’ privacy rights or misled them by failing to maintain security for sensitive consumer information. If you think you can cheat and get around HIPAA, think again. Is the cost of a citation worth it?

Understanding and recognizing HIPAA data and how to handle it is 90% of compliance. Any time you encounter patient information or any PHI, whether written, spoken or electronically stored, you become involved with some facet of the privacy and security regulations.

PHI includes information in the health record, such as:
- Encounter/visit documentation
- Lab results
- Appointment dates/times
- Invoices
- Radiology films and reports
- History and physicals (H&Ps)
- Patient Identifiers

What Are Some Examples of Patient Identifiers?
- Names
- Medical Record Numbers
- Social Security Numbers
- Account Numbers
- License/Certification numbers
- Vehicle Identifiers/Serial numbers/License plate numbers
- Internet protocol addresses
- Health plan numbers
- Full face photographic images and any comparable images
- Web universal resource locators (URLs)
- Any dates (other than year) directly related to an individual, such as date of birth or admission and discharge dates
- Telephone numbers
- Fax numbers
- Email addresses
- Biometric identifiers including finger and voice prints
- Geographic subdivisions smaller than a state, such as street address, city or ZIP code
- Device identifiers and serial numbers
- Any other unique identifying number, characteristic or code
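Recognizing these identifiers is the part of compliance that can be partly automated, for example to flag a chat transcript or ticket note that an agent is about to paste somewhere it does not belong. The following is an added example, not code from the NACSMA page or from any vendor: it scans text line by line for the identifiers that have a recognizable shape (SSN, phone, email, date, medical record number, IP address, URL) and can replace them with category tags. The patterns are heuristics chosen for this example, the transcript lines are constructed, and the categories that have no fixed shape, such as names and street addresses, are deliberately out of scope because they need a dictionary or NLP rather than a regular expression.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// identifierPatterns maps a HIPAA identifier category to a regular expression
// for one common textual form of it. These are heuristics chosen for this
// example, not an official list; names and street addresses, for instance,
// cannot be found by pattern matching and need a dictionary or NLP.
var identifierPatterns = map[string]*regexp.Regexp{
	"ssn":   regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`),
	"phone": regexp.MustCompile(`\b\d{3}[-. ]\d{3}[-. ]\d{4}\b`),
	"email": regexp.MustCompile(`\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b`),
	"date":  regexp.MustCompile(`\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b`),
	"mrn":   regexp.MustCompile(`(?i)\bMRN[:# ]*\d{6,10}\b`),
	"ipv4":  regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`),
	"url":   regexp.MustCompile(`\bhttps?://\S+`),
}

// Finding records one hit: the 1-based line number, the category and the
// matched text.
type Finding struct {
	Line     int
	Category string
	Match    string
}

// sampleTranscript is a constructed agent chat excerpt used as input for the
// example; it is not a real call record.
const sampleTranscript = `Agent: Can you confirm your date of birth?
Caller: Sure, it's 03/14/1975 and my SSN is 123-45-6789.
Agent: Thanks. I see MRN 00472913 on the account.
Caller: Email the statement to j.doe@example.com or call 555-867-5309.
Agent: Done, the portal link is https://portal.example.org/billing`

// ScanTranscript runs every pattern over each line and returns the findings
// sorted by line and then category, so the output is deterministic even
// though Go map iteration is not.
func ScanTranscript(text string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(text, "\n") {
		for category, re := range identifierPatterns {
			for _, m := range re.FindAllString(line, -1) {
				findings = append(findings, Finding{Line: i + 1, Category: category, Match: m})
			}
		}
	}
	sort.Slice(findings, func(a, b int) bool {
		if findings[a].Line != findings[b].Line {
			return findings[a].Line < findings[b].Line
		}
		return findings[a].Category < findings[b].Category
	})
	return findings
}

// Redact replaces every match with its category tag, so a transcript can be
// handed to a reviewer who needs the conversation but not the identifiers.
func Redact(text string) string {
	for category, re := range identifierPatterns {
		text = re.ReplaceAllString(text, "["+strings.ToUpper(category)+"]")
	}
	return text
}

func main() {
	for _, f := range ScanTranscript(sampleTranscript) {
		fmt.Printf("line %d: %-5s %s\n", f.Line, f.Category, f.Match)
	}
	fmt.Println("--- redacted ---")
	fmt.Println(Redact(sampleTranscript))
}
```

A scanner like this is a safety net, not a control: it catches the identifiers that look like identifiers, and it is only as good as its patterns, so a pass with zero findings never proves a text is free of PHI. Where it earns its keep is as a pre-send check on outbound email, chat and ticket systems, and as a way to produce reviewable transcripts for the Quality Assurance group without handing them the raw identifiers.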

Tips!

Be proactive and act to protect customers and your company. Don’t wait for an incident.
Think ahead. Ask yourself, “What is one more step that we can take towards a higher level of security?”

Take the Next Step!


HIPAA has been around now for 20 plus years and organizations still get hit with compliance violations. Everyone who interacts with clients and uses client data must know and understand the Security Rule and Privacy Rule at a minimum. Knowing what types of data and how to handle it safely is the key to avoiding costly fines and protecting client information.

More and more, contact centers are not only providing health care billing, claims support and benefits information; they now employ nurses and doctors who diagnose and prescribe treatments, and they are getting more sophisticated every day. The loss of trust and the loss of clients these organizations face when violations occur is expensive. Remember, implementing HIPAA isn’t only about avoiding violations and fines, it’s about protecting your patients and your business.

Furniture

Specialized Office Systems offers customized solutions to deliver printing, promotional products, apparel, office supplies and business furniture to multiple locations across the country. You will receive the personalized service you want and the attention to detail you need.

Interior Designer

Cresa Commercial, founded in 1993, was convinced that representing tenants exclusively was the best way to go. Not only would it give our clients the kind of objective, unbiased advice they might not get elsewhere, but it would also give us a unique offering in the real estate marketplace.

Consultant

The North American Customer Service Management Association (NACSMA) assists Service Center professionals with improving the delivery of Customer Care to their clients by providing a collaborative networking approach to operational issues.