Your organization, defined as the Covered Entity, hires a call center to capture Personal Health Information (PHI), storing and transmitting PHI in an electronic form, defined as ePHI. The Final Omnibus Ruling provides specific requirements for handling and transmitting ePHI.
HIPAA Compliance is a cornerstone of our commitment to safeguarding the privacy and security of sensitive health information at CuraCall. We understand the critical importance of adhering to the regulations outlined in the Health Insurance Portability and Accountability Act (HIPAA) to protect the confidentiality, integrity, and availability of our clients' data.
To ensure that we meet and exceed HIPAA standards, we have partnered with The Compliancy Group, a leading third-party organization specializing in HIPAA compliance. Through this partnership, we have undergone rigorous evaluation and certification processes to demonstrate our dedication to maintaining compliance with HIPAA regulations.
Our third-party certification with The Compliancy Group provides assurance to our clients that we have implemented robust policies, procedures, and safeguards to protect their patients' personal health information (PHI). It serves as a testament to our unwavering commitment to upholding the highest standards of privacy and security in all aspects of our operations.
At CuraCall, we take pride in our HIPAA compliance and our partnership with The Compliancy Group. By choosing us as your communication partner, you can trust that your client's PHI is handled with the utmost care and attention to compliance. We are dedicated to providing peace of mind, knowing that sensitive health information is protected and confidentiality is maintained
Below are some key areas to serve as a guide during your search.
Pricing vs Quality
When searching for a Call Center, there is an immediate attraction to low-priced options or flat-rate prices regardless of volume. Although this appears logical simply because cost efficiency is so critical, be mindful of quality, reliability, and accuracy. In order for most call centers to sustain such a low revenue model, they require their representatives to answer 200-400% more calls than any representative can properly handle. Quality of service is often low due to long hold times, high abandonment rates, unreliability, and severe inaccuracy. Low-cost call center providers will most likely keep you up at night due to their inaccuracy in dispatching and not following proper protocols. The more stress a Call Center representative experiences the more prone they are to taking shortcuts and making mistakes. In most cases, low-cost or flat rate call center providers will not be HIPAA compliant and lack the technology and infrastructure due to inadequate funding.
HIPAA Compliance
Most call center owners are unaware of the specific security safeguards that HIPAA requires all Business Associates to have in place. We estimate that only a handful of the approximately 1,500 answering services within the US are truly 100% HIPAA Compliant.
Claiming HIPAA compliance by listing a few bullet points, such as server protections, filing cabinets with locks, and shredding equipment are insufficient. These items are missing the majority of HIPAA Compliant guidelines to which a healthcare answering service must conform, such as proper and ongoing training, staff recertification, and security of transmitting PHI via email and text messaging.
HIPAA Business Associates Agreement
This may seem basic, but many Covered Entities are not yet aware that the call center service is considered a HIPAA Business Associate and therefore needs to have an enforceable BA agreement in place. You are considered the Covered Entity and the call center provider is your Business Associate, therefore, you have some control over requesting to use your Business Associates Agreement. Without having an agreement in place, you are placing yourself and your organization, the Covered Entity, at the risk of a WILLFUL NEGLECT VIOLATION by not knowing if your BA’s are complying with ALL mandatory HIPAA safeguards required by HHS.
Unsecured Texts, Emails, and Paging
The simplest patient information, such as patient name and telephone number, is considered PHI regardless if this information can be found in public locations like a phone book or internet directory because once there is an association made to medical relevance, this information would be determined to be PHI.
Many call center providers, do not properly incorporate the use of encryption or password protection when delivering important messages containing PHI to the office, doctors, employees, or practitioners. HIPAA guidelines state that all electronic transmission of PHI must be secure which means securing PHI by encryption and/or password protection. Traditional SMS and Text Messaging, Emailing, and Paging is NOT secure due to a lack of encryption and password protection.
Un-secure SMS, Text, Email, and transmissions are considered a violation of HIPAA, HITECH, and Omnibus regulations and can result in massive fines or criminal incarceration for those of willful neglect. Ongoing usage of such unprotected communication methods can result in civil and even criminal charges if any data breach is found due to these unprotected communications. If your call center service does not utilize encryption or password-protected emails, texts, SMS, etc., or does not provide a secure web portal to view message information, you are at risk.
Automated Service
These services are affordable and advertise their ability to overcome the mistakes of the traditional call center industry. Automated systems lack human interaction which is imperative for the quality of patient care. In utilizing an automated service, your patients are forced to speak into a voicemail that is very impersonal and lacks human reasoning. Your patients will not have the ability to ask specific questions such as who is on-call or what is the follow-up status of their first call or if they should go to the local ER.
The interaction between a live representative and your patient is paramount within any decision-making process and should not be overlooked. If your office forgets to update the automated on-call rotation, your patient's quality of care will suffer in the end increasing your liability.
Automated services must also comply with HIPAA guidelines, therefore, the storing and transmitting of PHI within the voicemail system must be secure at all times. Ask your vendor if the automated system provides daily auditing logs required by HIPAA.
Call Center Technology
Look for a call center provider that has complete control over its technology and software, and is not reliant on 3rd party or shelved software solutions, that all too often are not up to date, require extensive downtime for upgrades, or face a business continuity dilemma when their technology breaks down.
In the case of HIPAA compliancy, most software packages of previous versions, do not have the ability to conform to HIPAA requirements. Look for a call center provider that uses the latest and greatest vendor version, which has secure PHI transmission features.
Other factors to look for include whether you are seeking urgent or non-urgent services, business day versus after hours and if you have a specific directive plan that you need to put into place. Some call center providers are not as flexible as others and that must be taken into consideration. Depending on the type of software or system the call center is utilizing, any preferred call handling and dispatching may or may not be available to you, regardless of quality claims.
Exclusively Servicing Home Care Industry
Please take note of those advertising as Home Care Call Center Services. You have to think about if you want your calls to be managed by a company that also manages property management, heating calls, locksmiths, or any other call volume that could conflict with your urgent patient calls.
© 2019 by CuraCall. All rights reserved.
1-678-840-9996
1-800-240-1103
