Yesterday we published a detailed post on Call Tracking, what it is, and how it can provide valuable business intelligence. As health care practices emerge from the COVID-19 slowdown of elective procedures, many are increasing their marketing efforts. Since call tracking is often a component of these efforts, we thought it would be essential to cover the importance of HIPAA compliance in call tracking.
The creation of the Health Insurance Portability and Accountability Act (HIPAA) is to protect private health information (PHI) of individuals from misuse and unauthorized disclosure. The Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) oversees enforcement, in addition to state attorneys general (AGs).
HIPAA serves two purposes:
- Protect health insurance coverage for workers
- Set a standard to improve communication with regards to health care
With the rise of electronic communications, health care would be made more efficient. Covered entities such as health care providers, HMOs, and health care clearinghouses would be able to share information efficiently. A nationally accepted standard of regulations was needed to protect medical information and keep it confidential.
Medical practitioners market themselves to try and attract new customers and patients. Therefore, in 2009, HIPAA was updated so that business associates were required to uphold the law, known as The Health Information Technology for Economic and Clinical Health Act (HITECH). It states that companies are not allowed to sell personal health information (PHI) of a patient without consent.
The HIPAA Benefits
HIPAA allows for faster access for covered entities to share patient information. For example, it is easier for a hospital to get a patient’s medical history from a doctor to send a prescription. However, none of this is possible without the authorization of the patient.
Important Terminology
Covered entity
A covered entity is any health care plan, clearinghouse, or provider who transmits health information in the electronic form connected with a transaction.
Business associate
A business associate is any person or entity performing certain functions or activities that involve the use or disclosure of protected health information. Usually on behalf of, or providing services to, a covered entity.
Omnibus Updates
The 2013 updates increased penalties for privacy & security violations, expanded HIPAA’s reach to business associates. It set new rules for notifying patients & the public of security breaches.
Breach Notification Rule
A “security breach” occurs under HIPAA if there is an unauthorized disclosure of electronic PHI, such as a computer hacking or loss or theft of a laptop containing unencrypted PHI. HIPAA requires that covered entities adopt a formal policy that specifies how they’ll deal with a breach.
Resolution Agreement
A settlement agreement signed by HHS and a covered entity or business associate agreeing to perform certain obligations. The obligation includes reporting to HHS, generally for a period of three years.
What is Call Tracking?
Call tracking is the process of capturing information from a phone call. By collecting this information, businesses can learn when peak times for callers are most likely to occur, improve customer service, and improve marketing efforts.
Call tracking reports will provide the phone number, location, and time of the call. Some call tracking reports may include a recording of the conversation or the name and address of a caller.
Call Tracking and the Significance to HIPAA and PHI
While call tracking reports can provide significant benefits for marketing and training purposes, a documentation of the call itself links an individual to medical practices and the treatment the practice offers. As a result, these records may contain personal health information (PHI), a potential HIPAA liability.
Health care organizations, and other covered entities, that want to utilize call tracking must keep this in mind since such entities must keep PHI secure and confidential.
Call tracking ties calls to PHI; therefore, your call tracking vendor is a Business Associate under HIPAA. They are under obligation to guarantee the privacy and security of PHI information. Also, they’re required to use appropriate technical safeguards to prevent unauthorized use or disclosure of PHI.
Privacy, Security, and the Law
The HIPAA Privacy Rule: This rule established the standards to protect PHI and the medical history of an individual and allow the individual to set limitations as to who had access to this information. The rule covers both written and oral communication.
The HIPAA Security Rule: The Security Rule works with the HIPAA Privacy rule and establishes the appropriate safeguards for PHI and Medical Records in electronic form. The security rule protects the PHI of an individual while improving the quality and efficiency of medical care.
The HIPAA Enforcement Rule: Contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Rules, and procedures for hearings.
In several ways, OCR enforces the Privacy and Security Rules by investigating complaints filed with it, conducting compliance reviews, and performing education and outreach.
OCR can enforce HIPAA against a wide array of entities – from small doctors’ offices to large hospitals and health systems. OCR can enforce against private & public sector bodies as well. OCR also can directly enforce HIPAA against business associates – and any subcontractors of business associates.
HIPAA Compliant Call Tracking
IVR Technology Group offers specific, measurable ways of cutting costs and maximizing our customers’ efforts in the healthcare industry. We believe every medical group deserves technological solutions that maximize their time and productivity while saving money.
We understand the gravity of keeping sensitive PHI secure and maintain HIPAA compliance through robust access controls. We authenticate the identity of anyone accessing client information. We audit all applicable activity via logging mechanisms, and we maintain confidentiality through network security and encryption.
Firewalls, anti-virus software, secure encryption, and intrusion detection systems protect our network and sensitive client information contained therein from the outside world.
We also utilize formal data backup and disaster recovery plans that use data centers in different geographies within the United States.
Finally, our diagnostic systems ensure our infrastructure is running smoothly and notify dedicated personnel of all unexpected problems and prevent unauthorized access.
If it’s time to consider call tracking for your practice, contact us to learn more about how we can help, and maintain your compliance.