By Luanne Sorenson
Call Centers interested in providing contracted services to health care providers will have a competitive advantage if they are familiar with HIPAA requirements.
What is HIPAA? HIPAA stands for “Health Insurance Portability and Accountability Act.” It is a federal law that went into effect on April 14, 2001. Passed in 1996, the law provides new safeguards to protect patient privacy and confidentiality. In the past, some states have had extensive privacy guidelines while others have had very little. In enacting HIPAA, Congress mandated the establishment of comprehensive federal standards for the “privacy of individually identifiable health information.” The Privacy Rule requires that covered entities “reasonably safeguard” protected health information (PHI) – including electronic and oral information.
According to a U.S. Department of Health and Human Services (HHS) fact sheet dated July 6, 2001, most health plans, health care providers, and health care clearinghouses must comply with the new requirements by April 14, 2003. The law gives HHS authority to make appropriate changes to the rule prior to the compliance date. The Office for Civil Rights (OCR) within HHS has been given responsibility to ensure that HIPAA regulations are explained and enforced.
The OCR points out that “health care providers have a strong tradition of safeguarding private health information. But in today’s world, the old system of paper records in locked filing cabinets is not enough. With information broadly held and transmitted electronically, the rule provides clear standards for all parties regarding protection of personal health information.”
Across the country, health care organizations are working hard to ensure that they are HIPAA compliant by the 2003 deadline. Under HIPAA, patients have significant new rights to understand and control how their health information is used. While final interpretations are still being worked on, all covered entities are required to adopt written privacy procedures. According to HHS, the privacy procedures must include who has access to protected information, how it will be used within the entity, and when the information may be disclosed. Covered entities also must educate employees on the new procedures and designate a privacy officer. In addition, covered entities must take steps to ensure that their business associates protect the privacy of health information.
How does this impact call centers? Under the law, independent call centers are considered business associates. As such the Privacy Rule requires providers and health plans to obtain from their call center, satisfactory assurances, typically through contract, that the center will use the information only for clearly defined purposes, safeguard the information from misuse, and help the covered entity meet HIPAA compliance obligations.
The Privacy Rule also is impacting call center operations. For example, some call centers provide outbound services reminding patients of upcoming appointments. Some interpretations of HIPAA maintain, that when such calls are made, the calling agency cannot leave a message that includes the patient’s name and the nature of the appointment. Instead, verbiage such as, “this is to remind you that someone in your household has an appointment at X clinic on X date” must be used. In some cases, this change is causing confusion among patients who have begun to question why the healthcare organization is calling with a reminder when not enough useful information is provided.
In February of 2001, Secretary Tommy Thompson requested public comments on the final rule to help HHS assess the real impact of HIPAA regulations on health care delivery. During the 30-day comment period over 24,000 comments were received. According to the OCR, it continues to review this input “to determine what changes are appropriate to ensure that the rule protects patient privacy as intended without harming consumers’ access to care or the quality of that care.”
Keep yourself informed as new interpretations are released regarding HIPAA. Initial guidance and other information about the new Privacy Rule are available on the Web at www.hhs.gov/hipaa.
Luanne Sorenson is the Director of Customer Relations at Gundersen Lutheran Medical Center In La Crosse, WI.
[From Connection Magazine – Jan/Feb 2002]