Your organization, defined as the Covered Entity, hires a call center to verbally capture Personal Health Information (PHI) and to store and transmit PHI in an electronic form, defined as ePHI. The Final Omnibus Ruling provides specific requirements for handling and transmitting ePHI.
Selecting an answering service can be a daunting task. During your decision process, it is important to keep one thing in mind: you are a Covered Entity and HIPAA should be at the top of your concerns.
Are you ready to sacrifice the safety of your patients and risk HHS fines due to HIPAA violations?
Your answering service is considered a Business Associate; therefore, you must be 100% confident that your service provider adheres to the same requirements to protect PHI and ePHI. Ignoring HIPAA, HITECH, and Omnibus regulations for business associates altogether could be one of the most catastrophic oversights your organization could make for the future. You need to ensure your answering service is compliant, to reduce your risk as the Covered Entity. In the end, you need to ask yourself if saving a few dollars each month is worth the fines and the possibility of criminal charges from the Health & Human Services Civil Division (HHS).
Below are some key areas to serve as a guide during your search.
Pricing vs Quality
When searching for an answering service, there is an immediate attraction to low-priced options or flat-rate prices regardless of volume. Although this appears logical simply because cost efficiency is so critical, be mindful of quality, reliability, and accuracy. In order for most call centers to sustain such a low revenue model, they require their representatives to answer 200-400% more calls than any representative can properly handle. Quality of service is often low due to long hold times, high abandonment rates, unreliability, and severe inaccuracy. Low-cost answering service providers will most likely keep you up at night due to their inaccuracy in dispatching and not following proper protocols. The more stress an answering service representative experiences, the more prone they are to taking shortcuts and making mistakes. In most cases, low-cost or flat-rate answering services are not HIPAA compliant and lack the technology and infrastructure due to inadequate funding.
Most answering service owners are unaware of the specific security safeguards that HIPAA requires all Business Associates to have in place. We estimate that only a handful of the approximately 1,500 answering services within the US are truly 100% HIPAA Compliant.
Claiming HIPAA compliance by listing a few bullet points, such as server protections, filing cabinets with locks, and shredding equipment, is insufficient. These items are missing the majority of the HIPAA compliance guidelines to which a healthcare answering service must conform, such as proper and ongoing training, staff recertification, and security of transmitting PHI via email and text messaging.
HIPAA Business Associates Agreement
This may seem basic; however, many Covered Entities are not yet aware that the call center service is considered a HIPAA Business Associate and therefore needs to have an enforceable BA agreement in place. You are considered the Covered Entity and the answering service is your Business Associate; therefore, you have some control over requesting to use your Business Associates Agreement. Without having an agreement in place, you are placing yourself and your organization, the Covered Entity, at the risk of a WILLFUL NEGLECT VIOLATION by not knowing if your BAs are complying with ALL mandatory HIPAA safeguards required by HHS.
Unsecured Texts, Emails and Paging
The simplest patient information, such as patient name and telephone number, is considered PHI regardless of whether this information can be found in public locations like a phone book or internet directory. Once there is an association made to medical relevance, this information would be determined to be PHI.
Many answering services do not properly incorporate the use of encryption or password protection when delivering important messages containing PHI to the office, doctors, employees, or practitioners. HIPAA guidelines state that all electronic transmission of PHI must be secure, which means securing PHI by encryption and/or password protection. Traditional SMS and Text Messaging, Emailing, and Paging are NOT secure due to lack of encryption and password protection.
Unsecured SMS, text, and email transmissions are considered a violation of HIPAA, HITECH, and Omnibus Regulations and can result in massive fines or criminal incarceration in cases of willful neglect. Ongoing usage of such unprotected communication methods can result in civil and even criminal charges if any data breach is found due to these unprotected communications. If your call center service does not utilize encryption or password-protected emails, texts, SMS, etc., or does not provide a secure web portal to view message information, you are at risk.
These services are affordable and advertise their ability to overcome the mistakes of the traditional answering service industry. Automated systems lack human interaction that is imperative in the quality of patient care. In utilizing any automated service, your patients are forced to speak into a voicemail that is very impersonal and lacks human reasoning. Your patients will not have the ability to ask specific questions such as who is on call, what the follow-up status of their first call is, or whether they should go to the local ER.
The interaction between a live representative and your patient is paramount within any decision-making process and should not be overlooked. If your office forgets to update the automated on-call rotation, your patients' quality of care will suffer in the end, increasing your liability.
Automated services must also comply with HIPAA guidelines, therefore, the storing and transmitting of PHI within the voicemail system must be secure at all times. Ask your vendor if the automated system provides daily auditing logs required by HIPAA.
Call Center Technology
Look for an answering service that has complete control over its technology and software and is not reliant on third-party or shelved software solutions that all too often are not up to date, require extensive downtime for upgrades, or face a business continuity dilemma when their technology breaks down.
In the case of HIPAA compliance, practically no previous versions of answering service software packages have the ability to conform to HIPAA requirements. Look for an answering service that uses the latest and greatest vendor version, which has secure PHI transmission features.
Other factors to look for include whether you are seeking urgent or non-urgent services, business day versus after hours, and if you have a specific directive plan that you need to put into place. Some answering services are not as flexible as others and that must be taken into consideration. Depending on the type of software or system the answering service is utilizing, any preferred call handling and dispatching may or may not be available to you, regardless of quality claims.
Exclusively Servicing Home Care Answering Services vs. Commercial Answering Services
Please take note of those advertising as Healthcare Exclusive Answering Services / Home Care Answering Services. You have to think about whether you want your calls managed by a company that also manages property management, heating calls, locksmith or any other call volume that could conflict with your urgent patient calls.