Specialty Answering Service

A lesson in HIPAA compliance in answering services from What About Bob.


What About Bob? is a hilarious movie that showcases the antics of a cunning, obsessive-compulsive narcissist who can’t manage even one day without his psychotherapist. Bob Wiley uses his guile to pull the wool over the eyes of three call center representatives and steal away with information that should have remained private. In the days of HIPAA compliance, this is a big no-no! If your medical office answering service is to meet the guidelines set forth by the U.S. Department of Health & Human Services, best practices and confidentiality in healthcare are essential to every secure transaction. Check out these two examples that highlight what to do and what not to do when it comes to HIPAA and ISO 27001 certification.

Example A: Go ahead, Bob.

Betty: Mid-Manhattan Exchange
Bob: Yes, this is Bob Wiley, I’m a patient of Dr. Marvin’s. I have to speak with him right away. It’s urgent.
Betty: I’m sorry, Mr. Wiley, but Dr. Marvin is out of…
Bob: Uh, it’s Bob. And you are?
Betty: Betty.
Bob: Betty, hi.
Betty: Bob, Dr. Marvin’s out of town, and Dr. Harmon’s taking his calls.
Bob: I know that, Betty. It’s just that there’s been some confusion. I was supposed to call Dr. Marvin but I’ve lost his phone number.
Betty: Bob, I can’t give out that number.
Bob: I know that, Betty, but you could call him on the other line and tell him that I’m on hold on the other line. Couldn’t you please? Thanks, Betty. Please?
————
Anna: Phone, Daddy.
Dr. Marvin: Thank you, Anna. Thank you, sweetheart.
Dr. Marvin: Yes?
Betty: Dr. Marvin? This is Betty at your exchange. I’m sorry to disturb you, but I have a Bob Wiley on the line who says you’ll wanna talk to him.
Dr. Marvin: Betty, you know better than that. Dr. Harmon is covering for me.
Betty: I told him that, Dr., but he said he lost your number and that it was urgent.
Dr. Marvin: Alright, put him through.
Betty: Go ahead, Bob.

In this scene, Betty was a superstar. She did everything right during the live call. Despite Bob’s attempt to weasel Dr. Marvin’s number out of her, she politely told him that she could not give out that number. Instead, she attempted to reach the doctor on the other line, letting him know who was calling and giving him the opportunity to either take the call or have Betty take a message. No personal information was exchanged and the call was handled promptly and professionally.

But let’s take a look at what happens when Bob shows up at the call center’s door asking for his physician’s information. The Mid-Manhattan Exchange is responsible for a slew of HIPAA answering service violations, leaving the call center vulnerable to a serious security breach.

Example B: Lake Winnipesaukee

Betty: Who is it?
Bob: Detective Roberts from Homicide. I have some questions about a Bob Wiley.
Betty: What? (to coworker) That was the Bob who kept calling Dr. Marvin.
Bob: (flashes Blue Shield badge) That was that Bob who kept calling. Unfortunately, Bob committed suicide about 15 minutes ago.
Betty: Oh my God.
Coworker: That’s terrible.
Bob: Very sad. Should, should never have happened. He was a very sweet guy. Uh, but he did leave a note, however. He mentioned the name Betty.
Coworker: She’s Betty.
Betty: I’m Betty.
Bob: Oh. So you’re Betty.
Betty: Uh, Bob called here trying to reach his psychiatrist.
Bob: Oh. Well, where is he? I’ll have to ask him some questions, too.
Betty: Uh, uh, Dr. Marvin’s on vacation in New Hampshire.
Bob: New Hampshire?
Betty: I can get him on the phone for you.
Bob: Good. No, don’t. If I really need to, I can have someone from NHPD drop by on him. Uh, but, what if I wanted to write him a letter? Would you have a mailing address of some kind up there?
Betty: Oh, sure. That’s, um, P.O. Box 14
Bob: Yes
Betty: Lake Winnipesaukee
Bob: Which is spelled
Betty: (with coworker) W-I-N-N-I-P-E-S-A-U-K-E-E
Betty: That’s two N’s
Coworker: Two E’s
Bob: E E – two N’s, two E’s. Thank you very much, ladies! I’m crazy about you. Especially you, Betty.

Violation #1 – Who’s allowed into your call center?

Bob, masquerading as Detective Roberts from Homicide, knocks on the door and is permitted to waltz onto the call center floor with ease. The door isn’t being monitored by anyone other than Betty and her colleagues. And you can pretty much bet there are no security cameras.

Violation #2 – What about signing in?

Betty doesn’t bother to check or verify “Detective Roberts'” identification even though he is flashing a very obvious Blue Shield badge. He hasn’t been asked to sign in. And he hasn’t been given clearance to access the facility by call center security. He just asks for information and receives it. No questions asked – except by Bob!

Violation #3 – Protected information is in plain sight.

Way back when, we used to write down messages on those little pink notepads, just like Betty and her colleagues. Those days are gone, and for good reason. All of that paper leaves a visible trail of protected information that could quickly fall into the wrong hands.

Violation #4 – Stop writing. Start typing.

Betty and her colleagues are using paper and pens to write everything down. This opens the door for fraud or misconduct in the workplace that could result in a data breach. When call center representatives document calls, the records should be solely electronic and they should become inaccessible to representatives as soon as they are entered. Otherwise, your call center can pretty much forget about HIPAA compliance and ISO 27001 certification.

Violation #5 – PHI is called Protected Health Information for a reason!

Now, granted, Betty gave out Dr. Marvin’s address and not a patient’s personal records. But the principle is the same. When it comes to call center transactions, protected health information can’t be shared with just anyone – not even if they are pretty convincing as a detective in a trench coat. It can’t be discussed aloud in public places where other people may be able to overhear. It can’t be transmitted via email unless encrypted, and it can’t be sent via text message. Messages documented by your call center can only be communicated by fax.

So, what has Bob taught us? Well, first off, never trust a guy in a trench coat. Unless he’s Clark Kent or something. And second, if you are a call center employee, verify, verify, verify. Don’t just let anyone onto the floor. Don’t just give anyone information, whether on the phone or in person. Don’t discuss PHI in public, don’t have sensitive paperwork or messages hanging around, and avoid using pen and paper as much as possible. Learn the proper security protocols set forth by your employer, and follow them to the letter. Doing so protects not only those whose lines you are answering, but also you and your medical answering service from shady characters like Bob Wiley. Enough said.
