By James M. Ballard
Call centers that handle protected health information need a strategy for meeting the government security and privacy mandates of HIPAA (the Health Insurance Portability and Accountability Act), which was signed into law in 1996.
HIPAA is an evolving government mandate that sets standards for the security and privacy of protected health information. HIPAA security and privacy rules require covered entities, such as hospitals and health care centers, along with business associates of covered entities, to institute policies and procedures that reasonably safeguard such information, whether it is exchanged verbally or electronically.
To meet the various HIPAA requirements, many health care companies have created their own HIPAA task force. These groups are responsible for keeping up with the ever-changing HIPAA requirements and for determining how their company’s purchases of hardware, software, and outsourced technology solutions are affected by these rules. Companies rely on vendors to provide hardware and software solutions that will comply with the HIPAA rules and to enhance the products and solutions to maintain compatibility with future changes.
It is critical to stay up to date on the changes to HIPAA regulations. Some vendors, such as my company, Startel Corp. of Irvine, Calif., have assembled a strategic team of software engineers and HIPAA attorneys to continue to review HIPAA requirements and implement necessary changes in software platforms. Customers should look to their vendors to provide solutions that will enable them to cost-effectively implement the modificationsto remain HIPAA compliant.
How will HIPAA compliance affect you? If your call center takes and forwards messages that contain protected health information, such as patient messages to health care practitioners, HIPAA requires you to take reasonable steps to avoid the accidental disclosure of these messages. Some steps are simple to implement. For instance, depending on the environment, operators may need to speak softly and limit the amount of personal information they include in patient messages. Other strategies require technical safeguards, and that’s where a vendor’s add-on “HIPAA features” become critical.
One of the most important HIPAA regulations affecting call centers is the safeguarding of protected health information that is electronically stored. One easy way to protect patient information is to require a secured, password-based login, which effectively blocks unauthorized access to such information. The system should be designed to automatically log off unattended workstations after a certain amount of time, and require a password for accessing workstations and central databases. Privacy screens can also be used to darken the screen if there has been no activity for a given amount of time. The operator can reactivate the screen with a mouse click or may be required to re-enter his or her password. The user should be able to determine the timing and the required steps to re-enter the system.
HIPAA regulations also require call centers to restrict unnecessary access to electronically stored patient information. An audit trail of who has accessed this information is critical. This audit trail should show the message number or identifier, the date and time it was accessed, and by whom. The audit information itself should be protected to reduce the risk of sensitive information being revealed. Each time a message is viewed, saved, printed, or sent to a client, that information should be recorded in this log, along with details about when and by whom the action was initiated. Audit trails help you to comply with access rules by recording how, and by whom, messages and other patient data have been handled.
Information transmitted by most email systems is vulnerable to interception. HIPAA security regulations require call centers to encrypt or otherwise safeguard protected health information that is transmitted over the Internet. HIPAA software helps you to meet this requirement by adding a simple encryption mechanism to your email system. Upon receiving encrypted emails, clients use a standard key for decryption.
Fax transmissions of patient data must also be handled with care. HIPAA software should provide a confidential cover sheet explaining that the fax contains sensitive material. Ideally, the cover sheet should automatically be attached to the fax prior to being sent.
By using Health Level 7 data transfer protocol, the movement of patient information to online directories is controlled by the sender, so that sensitive patient information is protected. The directory used by the operators needs to be flexible enough to restrict viewing of patient information, while enabling operators to provide sufficient information to callers for efficient and effective call processing.
It is critical for companies required to comply with HIPAA to work with vendors that have studied the legal aspects of the regulation and that understand the implementation issues. Many vendors are struggling with HIPAA and only a few have employed legal and engineering experts to safeguard your implementation of HIPAA compliant software. Before purchasing a product that will be governed by HIPAA standards, be sure to review how the vendor arrived at its solutions and whether it meets your company’s HIPAA task force standards. HIPAA regulations will continue to change and your vendor must have the capability and knowledge to change with the rules, so that you and your company can maintain a HIPAA-compliant environment.
James Ballard is director of sales at Startel Corp. For further information on the Startel Corp. HIPAA compliance standards, please email firstname.lastname@example.org.
[From Connection Magazine – May 2003]