Choosing Your HIPAA Compliant Answering Service
If you are a Home Care Organization, you may be experiencing the relentless nature of a 24-hour-per-day operation. Your patients trust you to support their continual medical needs, which in many cases cannot be reliably predicted, placing a tremendous amount of pressure on your shoulders.
Depending on your organization, the requirement for around-the-clock contact management between your patients, family members, and employees may vary. Regardless, your fundamental responsibility as a health care provider is to provide 24-hour responsiveness to patients’ health demands.
Selecting an answering service can be a daunting task because “window shopping”, now mostly done via Google, is a difficult and time-consuming way to sort through marketing gimmicks, starting with low monthly fees. This forces you to interview potential candidates to ensure your decision is the correct one.
During your decision process, it is important to keep one thing in mind. You are a Covered Entity and HIPAA should be at the top of your concerns.
Are you ready to sacrifice the safety of your patients and risk HHS fines due to HIPAA violations?
Your answering service is considered a Business Associate; therefore, you must be 100% positive that you find a service provider that adheres to the same requirements to protect Personal Health Information (PHI).
Below are important areas to review and understand; they serve as a guide during your search for a new answering service:
When searching for an answering service, you have no doubt seen and been attracted to the low-priced options or flat-rate prices regardless of volume. Although this appears attractive simply because all of us want to decrease cost, the issue with many of these services is quality, reliability, and accuracy. The only possible manner for low-cost answering services to sustain such a low revenue model is to try to make their agents act superhuman, forcing them to answer 200-400% more calls than an agent can physically handle. Therefore, the quality of service being provided is very low due to long hold times, high abandonment rates, unreliability, and severe inaccuracy due to high employee churn. In addition, these types of services have a much higher client turnover rate than a more expensive and higher quality answering service.
Finally, low-cost answering service providers will most likely keep you up at night due to their inaccuracy in dispatching and not following proper protocols. The more stress an answering service agent experiences, the more prone they are to taking shortcuts and making mistakes. In most cases, low-cost or flat-rate answering services are not HIPAA Compliant and lack the technology and infrastructure due to lack of funding.
Ignoring HIPAA, HITECH, and Omnibus regulations for business associates altogether could be one of the most catastrophic oversights your organization could make for the future. You need to ensure your answering service is not sticking its head in the sand, hoping for HIPAA to just go away, and drastically increasing your risk as the Covered Entity. In the end, you need to ask yourself if saving a few dollars each month is worth HHS fines and the possibility of criminal charges.
2. HIPAA Compliancy
In a recent study specific to the answering service industry, it was noted that answering service owners were woefully uneducated regarding the specific security safeguards that HIPAA requires all BAs to have in place. We roughly estimate that only a handful of the approximately 1,500 answering services within the US are truly 100% HIPAA Compliant. The good news is that answering service owners are starting to become better educated on HIPAA. The bad news is that the majority of them may not have been able to meet the September 23rd, 2013 deadline due to the sizable software upgrades and associated costs required.
We have seen answering services, throughout our Google search, that claim to be HIPAA compliant by listing a few bullet points, such as server protections, filing cabinets with locks, and shredding equipment. These items miss the majority of the HIPAA compliance guidelines to which a medical answering service must conform, such as proper training and the security of transmitting PHI via email and text messaging.
Answering services quoting HIPAA is a good start, but it does not get to the core of what you require from an operational standpoint. Unfortunately, generic HIPAA references are nothing more than the basic security that comes with most website hosting accounts. Those in charge at Health & Human Services (the government agency enforcing HIPAA) want quite a bit more security than that, and the Covered Entity is responsible for its Business Associates’ actions if a breach of PHI has been encountered; this includes your answering service.
3. HIPAA Business Associates Agreement
This may seem basic; however, many Covered Entities are not yet aware that the answering service is considered a HIPAA Business Associate and therefore needs to have an enforceable BA agreement in place. You are considered the Covered Entity and the answering service is your Business Associate; therefore, you have some control over requesting to use your Business Associates Agreement. Without having an agreement in place, you are placing yourself and your organization, the Covered Entity, at the risk of a WILLFUL NEGLECT VIOLATION by not knowing if your BAs are complying with ALL mandatory HIPAA safeguards required by HHS.
4. Unsecured Texts & Emails and Alpha Paging
Please understand that the simplest patient information, such as patient name and telephone number, is considered PHI regardless of whether this information can be found in public locations like a phone book or internet directory. Once an association is made to medical relevance, even the simplest patient information would be determined to be PHI.
Most answering services do not properly incorporate the use of encryption or password protection when delivering important messages containing PHI to your office, doctors, employees, or practitioners. HIPAA guidelines state that all electronic transmission of PHI must be secure, which typically means securing PHI by encryption and/or password protection. Traditional SMS and Text Messaging, Emailing, and Alpha-Numeric Paging are NOT secure due to lack of encryption and password protection.
Unsecured SMS, Text, Email, and Alpha-Numeric formats are considered a violation of HIPAA, HITECH, and Omnibus Regulations and can result in massive fines or criminal incarceration in cases of willful neglect. Ongoing usage of such unprotected communication methods can result in civil and even criminal charges if any data breach is found due to these unprotected communications. If your medical answering service does not utilize encrypted or password-protected emails, texts, SMS, and Alpha-Numeric pages, or does not provide a secure web portal to view message information, you are at risk and should vet a new answering service immediately.
5. Automated Service
We also found a few automated services being advertised. These services are affordable and advertise their ability to overcome the mistakes of the traditional and antiquated answering service industry. We find this claim to be completely false and invalid, and an issue of major concern, because all automated systems lack the human interaction that is imperative in the quality of patient care. In utilizing any automated service, your patients are forced to speak into a voicemail that is very impersonal and lacks human reasoning. Your patients also do not have the ability to ask specific questions, such as who is on call, what the follow-up status of their first call is, or whether they should go to the local ER.
The interaction between a live answering service agent and your patient is paramount within any decision-making process and should not be overlooked. Remember, an automated system is only as accurate as the information set up within the system itself; therefore, if your office forgets to update the automated on-call rotation, your patients’ quality of care will suffer, in the end increasing your liability.
Finally, these automated services must also comply with HIPAA guidelines; therefore, the storing and transmitting of PHI within the voicemail system must be secure at all times. Does the automated system provide the daily auditing logs required by HIPAA? These are the questions you need to ask when using an automated medical dispatch patient care system.
6. DO NOT Overlook The Technology They Use!
Other factors to look for include whether you are seeking urgent or non-urgent services, business day versus after hours, and whether you have a specific directive plan that you need to put into place. Some answering services are not as flexible as others, which must be taken into consideration. Depending on the type of software or system the answering service is utilizing, any preferred call handling and dispatching may or may not be available to you, regardless of quality claims.
Look for an answering service that has complete control over its technology and software and is not reliant on 3rd party or shelved software solutions that all too often are not up to date, require extensive downtime for upgrades, or face a business continuity dilemma when their technology breaks down. In the case of HIPAA compliancy, practically no answering service software package of previous versions has the ability to conform to HIPAA requirements, and it may require 4-9 months to implement the latest software revision from their provider. Look for an answering service that uses the latest and greatest vendor version, which has secure PHI transmission features.
We only found a handful of answering services that have developed and continually maintain their own software packages in-house, which seems to create a tremendous advantage over their competitors. It seems these types of systems may offer much more flexibility and security in the transmission of PHI; you just need to find them.
7. Home Care Exclusive Answering Services vs. Commercial Answering Services
Please take note of those advertising as Healthcare Exclusive Answering Services. Make sure you browse the entire website and determine if the answering service also provides service for other industries. If so, you have to think about whether you want your calls being managed by a company that also manages property management, heating calls, or any other call volume that could conflict with your urgent patient calls.