If you run a medical practice and use a telephone answering service to handle patient communication, then it’s important to make sure your answering service is up to date on all HIPAA regulations. Why? Because if they aren’t, you’re going to end up spending mega bucks on fines levied against your practice for HIPAA violations.
Since answering services are considered business associates, they must adhere to all guidelines outlined by HIPAA, as they have access to your patients’ protected health information (PHI). For example, if a patient calls your number, the call is forwarded to the answering service, and the receptionist jots down the patient’s name and medical issue – that’s PHI. A business associate is any person or company that creates, receives, transmits or maintains PHI on behalf of a covered entity, such as a health care provider.
If your answering service says they are 100% HIPAA compliant, then there are some things they shouldn’t be doing, as well as some things that they should be doing. We’ve listed both sets of points below.
5 Things Your Answering Service Should Never Do:
To maintain HIPAA compliance, there are 5 things a HIPAA compliant answering service should never do. If you see any of the below, your answering service is putting your practice at risk of HIPAA fines.
#1: Your Answering Service Shouldn’t be Texting Protected Health Information
If your answering service is texting you protected health information, they could be violating HIPAA regulations. Unless your business falls outside HIPAA’s scope, you need to make sure that all patient information stays protected. While cell phones may have passcodes, they can be stolen or compromised, exposing patient information that is no longer protected.
If you are receiving texts from your answering service, they should either be encrypted or should simply alert you that a new message is waiting, with no PHI in the text itself. You should then log into a secure web portal or a secure mobile app to access the message. If your answering service does not have a web portal or a mobile app, you can usually call them back to retrieve the information verbally.
An easy way to encrypt your text messages would be to download the app called Signal, which is available for both iPhone and Android. However, for the encryption to hold, both parties have to be using the app, so this may be difficult when you’re working with a third party like an answering service.
Pro tip: While you may get written consent from a few patients to disclose PHI via text between yourself and the service, you may not get it from others. So, you’d have to see if your answering service has the capability to distinguish between those messages. Otherwise, they’d all have to be sent in a uniform format.
#2: Your Answering Service Shouldn’t be Emailing Protected Health Information
In addition to texting, answering services should not be emailing any protected health information either. So, if your answering service emails you, the message should either be encrypted or it should be a standard alert instructing you to log into your secure portal to view the information (or to call back for further details). If a patient has given written consent for their information to be sent unencrypted by email from the service to your practice, check with your service whether emails for those specific patients can be customized accordingly. Otherwise, all emails will have to be sent in a uniform, PHI-free format.
This also applies to your answering service’s customer support department. Sometimes, when calls get escalated or customer service needs to intervene, they may send a follow-up email that contains the caller’s information. That, too, could be considered a HIPAA violation. A good support team will direct you to your online portal to view the details of the call.
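The PHI-free alert pattern from #1 and #2, together with the per-patient consent customization from the pro tips, as an added Python example (not code from the original article or from any answering-service product). The portal URL, the field names and the sample message are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List

# Placeholder portal address; not a real service.
PORTAL_URL = "https://portal.example.invalid/messages/"

@dataclass
class Message:
    """One logged call, as an operator would record it (all fields constructed)."""
    msg_id: str           # opaque ticket id: safe to send on any channel
    caller_name: str      # PHI
    callback_number: str  # PHI
    reason: str           # PHI: the stated medical issue
    urgent: bool

def phi_terms(msg: Message) -> List[str]:
    """Strings that must never appear in an unencrypted alert."""
    digits_only = re.sub(r"\D", "", msg.callback_number)
    return [msg.caller_name, msg.callback_number, digits_only, msg.reason]

def build_alert(msg: Message) -> str:
    """Text for an unencrypted channel (SMS, email, voicemail script):
    only the ticket id, urgency and where to log in, never the PHI itself."""
    flag = "URGENT " if msg.urgent else ""
    return f"{flag}New message #{msg.msg_id} waiting. Log in to retrieve it: {PORTAL_URL}{msg.msg_id}"

def build_full_message(msg: Message) -> str:
    """Full detail: only for the secure portal, or a channel the patient consented to."""
    return f"{msg.caller_name} ({msg.callback_number}): {msg.reason}"

def leaks_phi(text: str, msg: Message) -> bool:
    """Guard run before anything leaves the service on an unencrypted channel.
    Phone numbers are compared digit-only so formatting differences cannot hide them."""
    hay, hay_digits = text.lower(), re.sub(r"\D", "", text)
    for term in phi_terms(msg):
        if not term:
            continue
        if term.isdigit():
            if term in hay_digits:
                return True
        elif term.lower() in hay:
            return True
    return False

def outbound_text(msg: Message, patient_consented: bool) -> str:
    """Full PHI only with documented patient consent; otherwise the PHI-free
    alert, and refuse to send if the alert would leak anything anyway."""
    text = build_full_message(msg) if patient_consented else build_alert(msg)
    if not patient_consented and leaks_phi(text, msg):
        raise ValueError("alert would leak PHI; refusing to send")
    return text
```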
The only way to really ensure that your emails are protected would be to have them encrypted. Some standard encryption methods are:
- Transport Layer Security: TLS is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. The Record Protocol carries the encrypted data, while the Handshake Protocol lets the two parties authenticate each other and agree on the keys and cipher to use before any data is sent. Note that TLS protects an email only while it is in transit between servers, not while it sits in a mailbox.
- Secure/Multipurpose Internet Mail Extensions: S/MIME encrypts the message itself using a public/private key pair: the recipient’s public key encrypts the message and only their private key can decrypt it, so the content stays protected wherever the email is stored. In addition, it lets you add a digital signature to your emails, which verifies you as the legitimate sender.
#3: Your Answering Service Shouldn’t be Paging Protected Health Information
Like texting and emailing, sending PHI to an alpha pager would also be considered a HIPAA violation. Since the information sent to the pager is not encrypted, the data is not safe. In addition, alpha pagers are not protected by any sort of password, as a cell phone could be. So, if you happen to set your alpha pager down somewhere outside your own office, there is a chance it could be stolen and the messages on it would be visible to anyone.
While sending messages via alpha pager is a no-go, there are some HIPAA compliant pagers on the market which would be appropriate to use. However, as paging is no longer a common form of communication, your coverage area may be limited.
#4: Your Answering Service Shouldn’t be Leaving Protected Health Information on a Voicemail
If you have your answering service reach out to you for urgent situations, there is room for a HIPAA violation here as well. If your answering service cannot reach you, they should either leave no message or, at most, leave a call-back number so you can contact them to retrieve the information. If your answering service is leaving patient information on your voicemail, they are violating HIPAA.
Essentially, your answering service should not be leaving PHI on any sort of device that is susceptible to data breaches, whether it be as a text, email, page, or voicemail. Ironically, though, sending patient information via fax is considered to be HIPAA compliant.
Pro tip: Similarly to emailing and texting, you may be able to leave PHI on a voicemail if the patient consents. Again, this information would be passed between the answering service and the physician, and the patient would not be involved. If they are okay with this transaction of information, you’d have to check with your service to see if they can customize protocols accordingly.
#5: Your Answering Service Shouldn’t be Giving out Medical Advice
While this one isn’t necessarily a violation under HIPAA, it is still a huge liability for any medical provider. Under no circumstances should your answering service be giving out medical advice to patients, as they would be doing it on behalf of a trained physician without any real consent from the doctor to do so.
For example, it would be fine for one person to give another person advice to take Aspirin if they had a headache, but not as an entity that is talking to patients on behalf of a medical provider. This is because the patient could later come back and say that “Joe from the answering service advised me to take this” even though that person didn’t have any background knowledge of the patient’s health history.
Really, the only medical advice your answering service should be giving is to call 911 if it’s a true medical emergency. Otherwise, they should inform the caller that they cannot give advice since they are the answering service, but that they can take down their information to have their call returned by a licensed medical physician.
5 Things Your Answering Service Should Always Do:
While there are several things that your answering service shouldn’t be doing in terms of HIPAA, there are also a handful of things that your answering service should be doing to keep your patients’ information safe. For example:
#1: Your Answering Service Should be Secure
Ensuring that your answering service is secure is very important to maintain the privacy of your patients. An answering service that claims to be HIPAA compliant should be ISO 27001 certified and should be able to prove it.
Having a secure call center is more than just having secure systems and software. This also means that the operators handling your calls should be in paperless environments so that they cannot write any information down, and they should also be free of their cell phones while at their computers. This eliminates the chance of them texting or taking pictures of private health information.
#2: Your Answering Service Should Have HIPAA Training
Your answering service should have at least one HIPAA Compliance Officer on site who is available to train all of the agents handling your calls on current HIPAA regulations. While the agents may not need an extensive 6 week course on HIPAA, they need to at least know the basics so that they can handle your calls properly.
Additionally, your answering service’s HIPAA Compliance Officer should be kept up to date on all HIPAA regulations via training seminars and should provide periodic training to the operators so that they stay up to date as well.
#3: Your Answering Service Should Have Procedures in Place for Data Breaches
In the event of a data breach, your answering service should have a plan in place and should be as transparent as possible with their customers. For example, if one or all of their systems are compromised, the first thing they should do is have their IT team isolate the affected systems so that no further unauthorized access is possible. Then, they should determine what information was stolen, if any.
From there, they should notify all affected customers of the breach, what information was or could have been stolen, and how to protect their information from here on out. For example, paying for identity protection for your customers for a certain time frame after the incident (e.g., 6 months to a year) is a great way to say that you’re sorry. While it doesn’t fix what happened, it’s a step in the right direction and may encourage your customers to stay customers.
#4: Your Answering Service Should Enter into a Business Associate Agreement with Your Practice
An important step in partnering with an answering service is to enter into a Business Associate Agreement (also known as a BAA) so that you can disclose protected health information (PHI) to them under HIPAA. Once the contract is signed, you are able to share PHI with your answering service safely.
However, if your practice is not protected by a BAA and your answering service happens to violate HIPAA, your medical practice could be held liable and face up to a million dollars per violation. So, if you got 10 calls in one night and each one incurred a violation, you’d be facing up to 10 million dollars in fines and a severely damaged reputation.
#5: Your Answering Service Should Have a Secure Means of Retrieving Your Messages
As stated briefly above, your answering service should give you a secure method to retrieve your messages. Typically, services give you access to a secure online portal and/or a secure mobile app that you log into to retrieve message details. In some cases, you may also be able to add other users who can log into the portal, for when you are out or when several physicians should receive the messages as well.
If your answering service does not offer an online portal or a mobile app, you can usually call them back to retrieve the messages verbally. However, keep in mind that this may be billed as usage on your line, so it’s important to confirm those details prior to signing up, in case that will not work for you and your practice.