Your organization, defined as the Covered Entity, hires a call center to capture Personal Health Information (PHI), storing and transmitting PHI in an electronic form, defined as ePHI. The Final Omnibus Ruling provides specific requirements for handling and transmitting ePHI.
Selecting a Call Center can be a daunting task. During your decision process, it is important to keep one thing in mind: you are a Covered Entity and HIPAA should be at the top of your concerns.
Are you ready to sacrifice the safety of your patients and risk HHS fines due to HIPAA violations?
Your Call Center is considered a Business Associate; therefore, you must be 100% confident that your service provider adheres to the same requirements to protect PHI and ePHI. Ignoring HIPAA, HITECH, and Omnibus regulations for business associates altogether could be one of the most catastrophic oversights your organization could make for the future. You need to ensure your call center is compliant to reduce your risk as the Covered Entity. In the end, you need to ask yourself if saving a few dollars each month is worth the fines and the possibility of criminal charges from the Health & Human Services Civil Division (HHS).
Below are some key areas to serve as a guide during your search.
Pricing vs Quality
When searching for a Call Center, there is an immediate attraction to low-priced options or flat-rate prices regardless of volume. Although this appears logical simply because cost efficiency is so critical, be mindful of quality, reliability, and accuracy. In order for most call centers to sustain such a low revenue model, they require their representatives to answer 200-400% more calls than any representative can properly handle. Quality of service is often low due to long hold times, high abandonment rates, unreliability, and severe inaccuracy. Low-cost call center providers will most likely keep you up at night due to their inaccuracy in dispatching and not following proper protocols. The more stress a Call Center representative experiences, the more prone they are to taking shortcuts and making mistakes. In most cases, low-cost or flat-rate call center providers will not be HIPAA compliant and lack the technology and infrastructure due to inadequate funding.
Most call center owners are unaware of the specific security safeguards that HIPAA requires all Business Associates to have in place. We estimate that only a handful of the approximately 1,500 answering services within the US are truly 100% HIPAA Compliant.
Claiming HIPAA compliance by listing a few bullet points, such as server protections, filing cabinets with locks, and shredding equipment, is insufficient. These items are missing the majority of the HIPAA compliance guidelines to which a healthcare answering service must conform, such as proper and ongoing training, staff recertification, and security of transmitting PHI via email and text messaging.
HIPAA Business Associates Agreement
This may seem basic, but many Covered Entities are not yet aware that the call center service is considered a HIPAA Business Associate and therefore needs to have an enforceable BA agreement in place. You are considered the Covered Entity and the call center provider is your Business Associate; therefore, you have some control over requesting to use your Business Associates Agreement. Without having an agreement in place, you are placing yourself and your organization, the Covered Entity, at risk of a WILLFUL NEGLECT VIOLATION by not knowing if your BAs are complying with ALL mandatory HIPAA safeguards required by HHS.
Unsecured Texts, Emails and Paging
The simplest patient information, such as patient name and telephone number, is considered PHI regardless of whether this information can be found in public locations like a phone book or internet directory. Once an association is made to medical relevance, this information is determined to be PHI.
Many call center providers do not properly incorporate the use of encryption or password protection when delivering important messages containing PHI to the office, doctors, employees, or practitioners. HIPAA guidelines state that all electronic transmission of PHI must be secure, which means securing PHI by encryption and/or password protection. Traditional SMS and Text Messaging, Emailing, and Paging are NOT secure due to a lack of encryption and password protection.
Unsecured SMS, text, and email transmissions are considered a violation of HIPAA, HITECH, and Omnibus regulations and can result in massive fines or criminal incarceration in cases of willful neglect. Ongoing usage of such unprotected communication methods can result in civil and even criminal charges if any data breach is found due to these unprotected communications. If your call center service does not utilize encryption or password-protected emails, texts, SMS, etc., or does not provide a secure web portal to view message information, you are at risk.
Automated services are affordable and advertise their ability to overcome the mistakes of the traditional call center industry. Automated systems lack the human interaction that is imperative to the quality of patient care. In utilizing an automated service, your patients are forced to speak into a voicemail that is very impersonal and lacks human reasoning. Your patients will not have the ability to ask specific questions such as who is on-call, what the follow-up status of their first call is, or whether they should go to the local ER.
The interaction between a live representative and your patient is paramount within any decision-making process and should not be overlooked. If your office forgets to update the automated on-call rotation, your patient's quality of care will suffer in the end, increasing your liability.
Automated services must also comply with HIPAA guidelines; therefore, the storing and transmitting of PHI within the voicemail system must be secure at all times. Ask your vendor if the automated system provides daily auditing logs required by HIPAA.
Call Center Technology
Look for a call center provider that has complete control over its technology and software and is not reliant on third-party or shelved software solutions that all too often are not up to date, require extensive downtime for upgrades, or face a business continuity dilemma when their technology breaks down.
In the case of HIPAA compliance, most previous versions of software packages do not have the ability to conform to HIPAA requirements. Look for a call center provider that uses the latest and greatest vendor version, which has secure PHI transmission features.
Other factors to look for include whether you are seeking urgent or non-urgent services, business-day versus after-hours coverage, and whether you have a specific directive plan that you need to put into place. Some call center providers are not as flexible as others, and that must be taken into consideration. Depending on the type of software or system the call center is utilizing, any preferred call handling and dispatching may or may not be available to you, regardless of quality claims.
Exclusively Servicing Home Care Industry
Please take note of those advertising as Home Care Call Center Services. Consider whether you want your calls to be managed by a company that also handles property management, heating calls, locksmith, or any other call volume that could conflict with your urgent patient calls.