Cyber Security and HIPAA in a Medical Contact Center


Startel, Professional Teledata, Alston Tascom

By Bobby Bennett

Regardless of size, medical contact centers must take steps to protect against cyberattacks and ensure HIPAA compliance. These two issues warrant intentional and proactive attention.

Ways to Prevent Cyberattacks

With cyberattacks on the rise, what steps should a contact center take to prevent falling victim? The first is to recognize that it could happen to anyone. Do not equate small with safe. According to a 2017 Trend Micro online survey, 45 percent of small business owners believe they will never be targeted. The cyber security firm 4iQ states in its 2019 Identity Breach Report that cybercriminals targeted small businesses with cyberattacks at an inordinate rate in 2018—up 425 percent over the previous year. Here are some ways to prevent such an attack: 

  • Install, use, and regularly update antivirus and anti-spyware software on every computer used in your business.
  • Use a firewall for your internet connection.
  • Download and install software updates for your operating systems and applications as they become available.
  • Make backup copies of important business data and information.
  • Control physical access to your computers and network components.
  • Secure your Wi-Fi network and make sure it is hidden.
  • Require individual user accounts for each employee.
  • Limit employee access to data and information. Also limit who has the authority to install software.
  • Regularly change passwords.
  • Consider two-factor authentication such as a password and a PIN.

The Federal Communications Commission provides a Small Biz Cyber Security Planner on its website.


HIPAA and Protected Health Information

Another factor to be mindful of as a call center that takes calls for healthcare providers and clinics is that you are a business associate of the covered entity. A HIPAA business associate is a contractor or vendor to a HIPAA-covered entity that creates, maintains, or transmits protected health information in performing a function or service to the covered entity.

If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the [HIPAA] Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are liable for compliance with certain provisions of the HIPAA Rules. (HHS.Gov)

A business associate contract serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information (PHI) by the business associate. A business associate may use or disclose PHI only as permitted or required by its business associate contract or as required by law.

A business associate is also liable and subject to civil and criminal penalties for making uses and disclosures of PHI not authorized by its contract or required by law. It is important that employees are trained in, and understand, the HIPAA rules that apply to a business associate. You can find sample Business Associate Agreement Provisions and training resources on the HHS.gov website.

Text messaging (SMS) has become the preferred method of message delivery for both contact centers and healthcare providers. With this growing trend comes the risk associated with transmitting PHI.

With standard SMS, text messages may remain on a device for an extended time. If the device is recycled, lost, or left accessible to unauthorized persons, HIPAA violations may occur. You must provide safeguards to reduce your exposure to these risks.

Secure messaging is a HIPAA-compliant way to safely exchange sensitive information via text. Most contact center system vendors have developed secure messaging applications for use with their systems. However, quite often it is difficult for a contact center to convince a large medical group to make changes and convert from their current secure messaging provider to one offered by the contact center. 

Conclusion

Don’t ignore the risks of cyberattacks and HIPAA noncompliance in your medical contact center. Take essential steps today to reduce bigger problems tomorrow.


Bobby Bennett is the western regional sales manager for Startel, Professional Teledata, and Alston Tascom, leading providers of best-in-class contact center solutions for healthcare and medical telephone answering service call centers. Startel’s Alston Tascom Division has created a stand-alone, vendor-agnostic secure messaging gateway that has integrations with some of the most popular secure messaging providers. Contact Bobby at bobby.bennett@startel.com or 800-782-7835.