By Donna Fluss
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its impacts are felt by Americans almost daily. From the HIPAA privacy notifications we receive from hospitals, doctors, dentists, and others to the lines we stand behind at the pharmacy counter to allow privacy for the person ahead of us, we frequently encounter HIPAA-initiated situations. While these are relatively minor inconveniences, HIPAA can have more significant implications for contact centers that routinely interact with protected health information (PHI).
Contact Centers Impacted by HIPAA: Any contact center, regardless of size, that has access to PHI must adhere to HIPAA regulations. This includes “covered entities” (health plans, healthcare clearinghouses, and healthcare providers) such as hospital business offices as well as “business associates” (persons or organizations contracted by covered entities), like outsourced third-party debt collectors. It also includes benefit management companies, one- or two-person doctor’s office “contact centers,” and many others. The good news is that the Act recognizes that “one size does not fit all” when it comes to the volume of PHI handled or the risk of exposure, which varies from one organization to another. To allow for these differences, the Act includes “flexible” and “scalable” standards; however, this does not mean that no standards apply.
HIPAA Guidelines: Contact centers working with or considering working with PHI should take time to understand applicable HIPAA requirements. Start with the two primary building blocks: the privacy rule (protecting personally identifiable health information) and the security rule (operationalizing the privacy rule by keeping PHI safe electronically, on paper, and verbally). A summary of both rules can be found at www.hhs.gov/ocr/privacy/hipaa/understanding.
Here are some of the essentials from the privacy rule and security rule that contact center leaders should know:
- Ensure responsibility for HIPAA compliance within your company. The Act requires that a Privacy Official and Security Official be designated; however, depending on the size of the organization, they may be the same person.
- Address the three HIPAA areas of concern: administrative safeguards, physical safeguards, and technical safeguards. Administrative safeguards include managing access to PHI, HIPAA-compliance training (for new employees and on an ongoing basis), and regularly evaluating all HIPAA security measures. Physical safeguards cover access controls to facilities, workstations, and electronic media. Technical safeguards cover the organization’s technical controls and the auditing of those controls, ensuring that PHI is kept secure and is not altered.
- When it comes to PHI, it is all about “minimum necessary.” PHI includes virtually all information, from patient names to medical procedures. The Act requires usage of the least amount of PHI to accomplish a task. Minimum necessary compliance should be monitored in the quality assurance (QA) process and modeled in conversations within the contact center.
- HIPAA does not include a certification process. It is up to each organization to understand which HIPAA requirements apply to it and to be in compliance with those standards.
HIPAA compliance should not be taken lightly. Failure to adhere to HIPAA regulations can result in fines and, if violated with malicious intent, prison sentences.
Donna Fluss is the founder of DMG, a vendor-independent research and consulting firm that analyzes contact center and back-office technology and best practices. Contact her at email@example.com with any questions you may have and to learn how to make today’s innovative and powerful technologies and best practices work for your organization.
If your contact center is looking for assistance in becoming HIPAA-compliant, please contact Jana Benetti at Jana.Benetti@DMGConsult.com or 623-935-4111.
[From Connection Magazine – Sep/Oct 2015]