How HIPAA Affects You
By James M. Ballard
May, 2003
Call centers that handle protected health information need a strategy for meeting the government security and privacy mandates of HIPAA (the Health Insurance Portability and Accountability Act), which was signed into law in 1996.
HIPAA is an evolving government mandate that sets standards for the security and privacy of protected health information. HIPAA security and privacy rules require covered entities, such as hospitals and health care centers, along with business associates of covered entities, to institute policies and procedures that reasonably safeguard such information, whether it is exchanged verbally or electronically.
To meet the various HIPAA requirements, many health care companies have created their own HIPAA task force. These groups are responsible for keeping up with the ever-changing HIPAA requirements and for determining how their company's purchases of hardware, software, and outsourced technology solutions are affected by these rules.

Companies rely on vendors to provide hardware and software solutions that will comply with the HIPAA rules and to enhance the products and solutions to maintain compatibility with future changes.
It is critical to stay up to date on the changes to HIPAA regulations. Some vendors, such as my company, Startel Corp. of Irvine, Calif., have assembled a strategic team of software engineers and HIPAA attorneys to continue to review HIPAA requirements and implement necessary changes in software platforms. Customers should look to their vendors to provide solutions that will enable them to cost-effectively implement the modifications needed to remain HIPAA compliant.
How will HIPAA compliance affect you?
If your call center takes and forwards messages that contain protected health information, such as patient messages to health care practitioners, HIPAA requires you to take reasonable steps to avoid the accidental disclosure of these messages.

Some steps are simple to implement. For instance, depending on the environment, operators may need to speak softly and limit the amount of personal information they include in patient messages. Other strategies require technical safeguards, and that's where a vendor's add-on "HIPAA features" become critical.
One of the most important HIPAA regulations affecting call centers is the safeguarding of protected health information that is electronically stored. One easy way to protect patient information is to require a secured, password-based login, which effectively blocks unauthorized access to such information. The system should be designed to automatically log off unattended workstations after a certain amount of time, and require a password for accessing workstations and central databases.

Privacy screens can also be used to darken the screen if there has been no activity for a given amount of time. The operator can reactivate the screen with a mouse click or may be required to re-enter his or her password. The user should be able to determine the timing and the required steps to re-enter the system.
HIPAA regulations also require call centers to restrict unnecessary access to electronically stored patient information. An audit trail of who has accessed this information is critical. This audit trail should show the message number or identifier, the date and time it was accessed, and by whom. The audit information itself should be protected to reduce the risk of sensitive information being revealed. Each time a message is viewed, saved, printed, or sent to a client, that information should be recorded in this log, along with details about when and by whom the action was initiated. Audit trails help you to comply with access rules by recording how, and by whom, messages and other patient data have been handled.
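The two preceding paragraphs describe an access restriction on stored messages and an audit trail that records the message identifier, the action, the time, and the operator, with the audit data itself protected. The following is an added example, not code from this article or from Startel, of how those pieces fit together: an access list is checked before any message operation, every permitted or denied attempt is appended to a log, and each log entry carries an HMAC that also covers the previous entry's MAC, so that editing or deleting an entry is detected on verification. The audit key, the operator ids, the message ids and the access list are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In a real deployment the audit key lives where operators
# cannot read it (a separate audit service or key store), otherwise an insider
# could re-seal a modified log.
AUDIT_KEY = b"constructed-demo-audit-key-do-not-reuse"

# Constructed access list: which operators may handle which messages.
# This stands in for the "restrict unnecessary access" rule in the text.
ACCESS_LIST = {
    "op-101": {"MSG-4471", "MSG-4472"},
    "op-102": {"MSG-4472"},
}

# The actions the text says must be logged, plus "denied" for refused attempts.
AUDITED_ACTIONS = {"view", "save", "print", "send", "denied"}


class AuditTrail:
    """Append-only log where every entry is sealed with an HMAC chained to its predecessor."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: list = []

    def _mac(self, entry: dict) -> str:
        # Seal everything except the MAC field itself; sort keys so the
        # serialisation is stable regardless of insertion order.
        body = {k: v for k, v in entry.items() if k != "mac"}
        payload = json.dumps(body, sort_keys=True).encode("utf-8")
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, message_id: str, operator: str, action: str, when=None) -> dict:
        """Append one audit entry: message id, who, what, when, linked to the previous entry."""
        if action not in AUDITED_ACTIONS:
            raise ValueError(f"unknown audited action: {action!r}")
        when = when or datetime.now(timezone.utc)
        prev_mac = self.entries[-1]["mac"] if self.entries else ""
        entry = {
            "seq": len(self.entries),
            "message_id": message_id,
            "operator": operator,
            "action": action,
            "timestamp": when.isoformat(),
            "prev": prev_mac,
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Return True only if every entry is intact and the chain is unbroken.

        Modifying a field, deleting an entry from the middle, or reordering
        entries breaks either a MAC or the prev/seq chain. Truncating the tail
        is NOT detected by the chain alone; keep the latest MAC in a second
        location (e.g. a daily sealed checkpoint) to catch that.
        """
        prev_mac = ""
        for index, entry in enumerate(self.entries):
            if entry.get("seq") != index or entry.get("prev") != prev_mac:
                return False
            if not hmac.compare_digest(self._mac(entry), entry["mac"]):
                return False
            prev_mac = entry["mac"]
        return True


def access_message(trail: AuditTrail, operator: str, message_id: str, action: str) -> bool:
    """Check the access list, log the outcome, and report whether the action may proceed."""
    allowed = message_id in ACCESS_LIST.get(operator, set())
    trail.record(message_id, operator, action if allowed else "denied")
    return allowed


if __name__ == "__main__":
    trail = AuditTrail(AUDIT_KEY)
    access_message(trail, "op-101", "MSG-4471", "view")   # permitted
    access_message(trail, "op-102", "MSG-4471", "print")  # refused and logged as "denied"
    print("log intact:", trail.verify())
    trail.entries[0]["operator"] = "op-102"               # simulate an after-the-fact edit
    print("log intact after tampering:", trail.verify())
```

The chain only detects tampering after the fact; it does not stop an operator with write access to the log file from rewriting it, which is why the sealing key and the log's latest MAC belong on a system the operator population cannot reach.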
Information transmitted by most email systems is vulnerable to interception. HIPAA security regulations require call centers to encrypt or otherwise safeguard protected health information that is transmitted over the Internet. HIPAA software helps you to meet this requirement by adding a simple encryption mechanism to your email system. Upon receiving encrypted emails, clients use a standard key for decryption.
Fax transmissions of patient data must also be handled with care. HIPAA software should provide a confidential cover sheet explaining that the fax contains sensitive material. Ideally, the cover sheet should automatically be attached to the fax prior to being sent.
By using the Health Level 7 data transfer protocol, the movement of patient information to online directories is controlled by the sender, so that sensitive patient information is protected. The directory used by the operators needs to be flexible enough to restrict viewing of patient information, while enabling operators to provide sufficient information to callers for efficient and effective call processing.
It is critical for companies required to comply with HIPAA to work with vendors that have studied the legal aspects of the regulation and that understand the implementation issues. Many vendors are struggling with HIPAA and only a few have employed legal and engineering experts to safeguard your implementation of HIPAA-compliant software. Before purchasing a product that will be governed by HIPAA standards, be sure to review how the vendor arrived at its solutions and whether it meets your company's HIPAA task force standards. HIPAA regulations will continue to change and your vendor must have the capability and knowledge to change with the rules, so that you and your company can maintain a HIPAA-compliant environment.
James Ballard is director of sales at Startel Corp. For further information on the Startel Corp. HIPAA compliance standards, please email info@startelcorp.com.