Ensuring HIPAA-Compliance In Contact Centers

Disclaimer: The information provided on this website is not, and is not intended to, constitute legal advice. This article is for general informational purposes only.

Contact centers have to follow compliance regulations to protect their customers’ data and avoid serious consequences, such as heavy fines and/or jail time. For contact centers in the healthcare industry, this also means following the Health Insurance Portability and Accountability Act of 1996 (HIPAA). How can healthcare contact centers ensure they are HIPAA-compliant? 

MiaRec has worked with hundreds of contact centers in highly regulated industries to secure contact centers and their clients’ data. We have provided HIPAA-compliant Voice Analytics and Quality Management solutions to healthcare providers so that they can gather customer insights from their calls without violating regulations.

Read this article to learn more about how HIPAA impacts your healthcare contact center. By the end of this article, you will know how your contact center can utilize customer insights under HIPAA. At the end of this article, we also included a FAQ section to answer common questions about HIPAA.

We will answer:

• What Is HIPAA?
• Do Contact Centers Have To Follow HIPAA?
• What Can Contact Center Solutions Do To Comply?
• How Will I Know If My Contact Center Solution Is HIPAA-compliant? 
• What Are The Consequences For Breaking HIPAA? 
• What Can My Contact Center Do To Be HIPAA-compliant? 
• How Can Voice Analytic Solutions Support Your HIPAA-compliance Strategy?
• FAQ: Defining PHI And Who Has To Comply With HIPAA

What Is HIPAA?

According to the Center For Disease Control And Prevention (CDC), HIPAA is a federal law that established national standards to “protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.”

The HIPAA Privacy Rule enforces HIPAA and standardizes how covered entities can utilize Protected Health Information (PHI). It allows individuals the right to understand and control how their health information is being used. Under the Privacy Rule, health information can be used for informational purposes as long as the patient’s privacy and safety are ensured.  

Image: Infographic on HIPAA from the CDC

Do Contact Centers Have To Follow HIPAA?

Yes, any contact centers that work with or for these covered entities are considered business associates (see FAQ below) and must follow HIPAA regulations. HIPAA was modified, as mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, to make covered entities’ businesses associated directly liable for call center compliance with certain HIPAA Privacy and Security rules’ requirements.

Contact centers would need to follow the aforementioned Privacy and Security Rule, as well HIPAA’s transaction standards, and the Breach Notification Rule. 

HIPAA’s transactions standards: In order to standardize the electronic exchange of financial and administrative health care transactions, HIPAA requires all covered entities to use or accept the specific electronic transaction formats. Financial and administrative healthcare transactions can include, but are not limited to, claims submissions, enrollment and dis-enrollment in health plans, submitting eligibility for a benefit or employer plan, healthcare payments, and more.

Security Rule: HIPAA’s Security Rule requires covered entities to maintain safeguards to secure electronic protected health information. According to the HHS, they must be able to 

• Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
• Identify and protect against reasonably anticipated threats to the security or integrity of the information
• Protect against reasonably anticipated, impermissible uses or disclosures
• Ensure compliance by their workforce

Breach Notification Rule: The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to notify affected individuals, the Secretary, and, depending on the circumstance, the media following a PHI breach. Any impermissible use or disclosure of PHI is considered to be a breach. Business associates (contact centers) must also notify covered entities if a breach occurs at or by the business associate. 

Covered entities will notify the Secretary by visiting the HHS website and filling out and electronically submitting a breach report form. 

Contact centers have to notify covered entities of the security breach within 60 days. They need to, if possible, provide covered entities with the identification of each individual affected by the breach, and any additional information on affected individuals. 

Privacy Rule: The HIPAA Privacy Rule details the uses and disclosures of PHI. We have previously discussed the permitted and unpermitted uses of PHI above. Essentially, you have specific guidelines on how you are allowed to use PHI and patients have a right to access their PHI under the Privacy Rule. 

Minimum Necessary Standard: The HIPAA Privacy Rule includes minimum necessary standards, such as commonsense confidentiality codes and practices. It primarily states that you do not share PHI if you do not need to. 

What Can Contact Center Solutions Do To Comply?

Contact centers, and any solutions they adopt, need to protect any PHI that is recorded, received, maintained, or transmitted. While general best practices include providing employee training on Privacy Rule policies, and ensuring your processes meet the Minimum Necessary Standard, there is currently no certification program or formal checklist from the HHS for contact centers or contact center solutions that could "prove" compliance with HIPAA. This means that contact center solutions each have their own different ways of ensuring compliance. 

For reference, MiaRec undergoes self-audits to ensure we are following HIPAA regulations. Other companies may choose to do third-party audits instead. Either way is acceptable. Regardless, there is a chance that any company could be audited by the government. If you are found to not be compliant when it is your turn to be audited, there will be severe consequences.

How Will I Know If My Contact Center Solution Is HIPAA-compliant? 

All entities that follow HIPAA must enter Business Associate Agreements (BAAs), also known as Business Associate Contracts, with any third-party that handles their PHI.  A BAA is a legal document required by law to clarify what PHI is being provided to the business associate and how the PHI can or cannot be used. 

The HIPAA Omnibus Rule amended HITECH to ensure that business associates (which includes contact centers and the Voice Analytics solutions they adopt) are directly liable for any noncompliance fees or associated fines.  It also describes how business associates are expected to maintain PHI security. 

The Privacy Rule requires contact centers to obtain satisfactory assurances from their contact center solutions that they will safeguard any PHI they create or receive from the contact center. Satisfactory assurances must be given in writing. A BAA is the written agreement that outlines each party’s responsibility when it comes to securing and maintaining PHI.

The BAA often includes safeguard measures, risk mitigation methods, data access controls, and more. The full list of what a BAA should include can be viewed at 45 CFR 164.504(e) under “Standard: Business associate contracts”.  It also prevents contact center solutions from using or disclosing PHI other than permitted or required by the BAA or by law. 

The HHS has provided a sample BAA that you can view here.

What Are The Consequences For Breaking HIPAA? 

Most HIPAA violations are punished with fines. Fines are issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and/or state attorney generals. The severity of your punishment will depend on intent, severity, what existing security measures you already had in place, and more. Review the table below to see how much your contact center could pay in fines. 

Image: Table shared by The HIPAA Journal. Please note it has yet to have been updated for the 2023 cost-of-living rates, as the new penalty amount for 2023 has not yet been finalized by the HHS.

In addition to being fined by the government, you could have to pay additional civil court fees if breach victims decide to sue. The table also does not include the additional time you will need to take to refine your security strategy, nor does it measure your damaged reputation or the amount of time it will take for patients to trust you again. 

Employees could also face jail time. Depending on the severity of the violation, negligence could lead to a year in jail time, aggregated identity theft could result in two years of jail time, falsely obtaining protected health information is up to five years in jail, and malicious intent for personal gain could be up to 10 years in jail. 

What Can My Contact Center Do To Be HIPAA-compliant?

Adopting a HIPAA-compliant solution does not make your entire contact center HIPAA-compliant. Your contact center still needs to have its own safeguards in place to secure your client’s e-PHI. You should have a security and compliance strategy that anticipates and prevents unauthorized use of your PHI. 

We have previously shared five tips to ensure your contact center is HIPAA compliant:

1. Implement privacy procedures and conduct on-going training for employees to ensure you fully comply with HIPAA.
2. Encrypt all electronic files, containing protected health information, including call recording files.
3. Enforce a strong password policy. Make sure agent workstations are secured with strong passwords and call recordings with patient information can be accessed by authorized employees only.
4. Regularly conduct security assessments. This ensures that your contact center does not have any gaps in data security.
5. Have a disaster recovery plan. Set up back-up policies, so that all patient’s data can be restored and retrieved in case of hardware failure or catastrophic events.

These best practices still apply. Additional initiatives could include assigning a designated HIPAA privacy security officer to conduct HIPAA-specific security assessments, having measures in place that allow employees to share feedback on existing compliance policies, or adopting a Voice Analytics solution.

How Can Voice Analytic Solutions Support Your HIPAA-compliance Strategy?

Adopting a Voice Analytics solution can make it easier to comply with HIPAA. Voice Analytics solutions for contact centers gather insights from call data. They may be HIPAA-compliant through data encryption, password protection, or role-based access. 

For reference, MiaRec offers 2FA, role-based access, password protection, and auto data redaction. It provides 256-bit encryption so that contact centers have a secure method of backing up their data. It also includes an audit log to keep employees accountable and track user activity on the MiaRec platform.

Some solutions, such as MiaRec, may include AI-driven Automated Data Redaction, which automatically removes PHI from call transcripts and audios. Even if this feature is not required to be HIPAA-compliant, it can streamline your contact center’s HIPAA compliance process. Having agents manually pause and resume calls to prevent PHI from being recorded means agents will forget to pause recordings. Adopting an Auto Data Redaction solution to do it prevents human errors and their resulting HIPAA fines. 

Monitoring Call Compliance With Agent Scoring And Topics Analysis

Some Voice Analytics solutions offer Topic Analysis, which allows you to organize calls by your preferred keywords or key phrases. For example, you could organize your calls to track if prohibited language was used, whether agents can answer customer questions, and more. 

Image: Screenshot of MiaRec Topics. You can also separate calls by appointment cancellations, hospital billings, and other reasons for calling. 

Voice Analytics platforms offer Automated Call Scoring solutions that can score 100% of your contact center calls. When your contact center handles hundreds of calls daily, there are more viable solutions than manually listening and scoring every call. Automating your call scoring process to grade every call by agent performance ensures that you accurately understand whether your agents are following company policies. 

Image: Screenshot of MiaRec Agent Scorecard

Automated Call Scoring solutions grade calls by customizable scorecards (see image above). You can customize these scorecards to reflect your healthcare contact center’s needs by asking questions such as, “Did the agent state the call would be recorded?” 

Using Topics Analysis and Automated Call Scoring together can make it easy to ensure agents are complying with HIPAA. For example, you could organize calls by an agent’s lack of knowledge to see if agents can explain to customers how their PHI will be used, if agents are up to date on company policies, and more. These insights make it easier to understand whether your agents need additional HIPAA-compliance training and catch compliance problems before they escalate.

Image: Screenshot of a graded MiaRec transcript. You can review the transcripts alongside the scorecard to review the agent’s attitude, if they correctly repeated company policies, and more.

Conclusion

Violating HIPAA could mean severe fines, a damaged reputation, and even jail time, depending on the severity of the crime. Contact centers in the healthcare industry need to follow HIPAA guidelines by using their best judgment when considering who has access to their PHI. 

While there is no standardized way to be HIPAA compliant, a government auditor will review your company’s security and compliance strategy to ensure you are protecting your patients’ PHI. Both your contact center and your contact center’s solutions need to have safeguards in place to prevent the misuse of PHI from employees and cybercriminals. Contact center solutions will each have their own way of ensuring HIPAA compliance, so be sure to ask them what their security and compliance measures are before you adopt. 

As a healthcare contact center your PHI likely includes credit cards and other payment-related information. We recommend reading our article on PCI-DSS compliance to ensure you are following all necessary security guidelines to avoid any fines or other punishments. 

FAQ: Defining PHI And Who Has To Comply With HIPAA

What Is Considered Protected Health Information?

To understand what is considered patient health information (PHI), we need to define what individually identifiable health information first. The HIPAA Administrative Simplification Regulations describe health information as any information that relates to an individual’s past, present, or future physical or mental health condition or payment for the provision of health care. 

Health information can be created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse. Essentially, health information is any information that relates to a patient’s physical or mental health.

Individually identifiable health information is health information that identifies the individual or could be used to identify the individual. Identifiable health information could include, but is not limited to, full names of the individual, phone numbers, SSINs, health insurance beneficiary numbers, vehicle identifiers, and more. 

The Administrative Simplification Regulations goes on to state that PHI is any individually identifiable health information that is transmitted and maintained via electronic media or any other form or medium. PHI excludes individually identifiable health information in employment records that are held by a covered entity if the covered entity is the employer.

For example:

Health Information: Someone has had knee surgery.

Identifiable Health Information: Sarah Smith has had knee surgery

PHI: A covered entity has recorded that Sarah Smith has had knee surgery. This information is now available for record-keeping or sharing purposes.

Covered entities can utilize PHI without the individual's authorization for the following purposes or situations: 

• Disclosure to the individual who is the subject of the information
• For treatment, payment, and healthcare operations
• To ask the individual to agree or object to the disclosure of PHI
• Incidental use and disclose
• For national priority purposes
• Limited data set, typically for research, health care operations, or public health purposes

Who Has To Follow HIPAA?

According to the US Department of Health and Human Services (HHS), covered entities that have to follow HIPAA include health plans, healthcare clearinghouses, and healthcare providers who conduct certain healthcare transactions electronically.

Per the CDC, healthcare providers include every healthcare provider who electronically transmits health information in connection with certain transactions. for certain transactions, including claims, benefit eligibility inquiries, referral authorization requests, and/or other transactions for which the HHS has established standards under the HIPAA transactions rule. 

Health plans include Health, dental, vision, and prescription drug insurers, health maintenance organizations (HMOs), Medicare, Medicaid, Medicare+Choice, Medicare supplement insurers, Long-term care insurers (excluding nursing home fixed-indemnity policies), employer-sponsored group health plans, government- and church-sponsored health plans, and multiemployer health plans.

Healthcare clearinghouses that provide services such as, as described in the HHS, billing services, repricing companies, community health management information systems, and value-added networks and switches if these entities perform clearinghouse functions. 

Business associates, who are often a person or organization separate from the covered entity’s workforce that use or disclose individually identifiable health information to perform or provide services for the covered entity, such as claims processing, data analysis, utilization review, and billing.