The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for the healthcare industry to protect confidential and sensitive patient data, like medical and billing records. HIPAA rules regulate the daily activities and tools of many healthcare and related companies, including common business phone systems.
HIPAA compliance is obviously required for healthcare providers like hospitals, clinics, and individual practitioners, but your small business may also fall under required HIPAA compliance. If your company is a private sector vendor or third-party administrator that accesses, collects or transmits protected health information over the phone, you're required to adhere to HIPAA's guidelines.
Phone System Requirements Physical and network security measures, as described in HIPAA guidelines, require that business phone systems can process patient health information safely over telephone lines. Consider a common medical office scenario: the administrator on the phone taking patient's medical or billing information writes it down on a piece of paper and, after a busy day of multitasking, misplaces the note or, even worse, shuffles it in with other patient information. The patient's personal information is at risk.
A secure business phone system ensures HIPAA compliance and protects your office from penalties and criminal prosecution. So how do you know the phone system you use in-house is HIPAA compliant?
Among other rules, HIPAA standards require:
- Access control
- Audit controls
- Person or office authentication
- Transmission security
- Workstation security
- Device and media controls
- Security management process
If you use VoIP, understand that anything transmitted across the web-based platforms is not guaranteed to be secure, and carries a higher risk of violating the recommended guidelines. As such, tools like Skype are generally not recommended. Instead, opt for other secure landline telephone systems that offer audit trails and backup capabilities, breach notifications, and encrypted transmission of voice communications.
Using Your Phone System Properly When it comes to adhering to guidelines, it's less about the actual business phone system, and more about the behavior around transmitting data through voice communications. It's been said that "technology itself can't be HIPAA compliant; hospitals, clinics, and other healthcare-related businesses must be HIPAA compliant."
First, it's important to note that your phone must be in a secure location that prevents unauthorized access. You must also assure that any voicemail where sensitive information could be stored has access restrictions, ensuring a secure password and a policy around retention of the voice message.
You should also have a plan or policy around recording voice conversations. Installing such a recording system ensures sufficient accountability in terms of tracking and accessing information. These systems can store audio files electronically to be accessed in the future by the proper personnel.
The Consequences So what happens if you find your phone system -- or how you use it -- is not compliant? An act supplemental to HIPAA was passed in 2009 to address this - the Health Information Technology for Economic and Clinical Health Act (HITECH). The HITECH Act was formed in response to health technology development and the increase in use, storage, and transmittal of health information electronically.
There are four categories of violations that coincide with increasing levels of liability. Each level has a corresponding penalty that culminates in a maximum penalty of $1.5 million for all violations. The Secretary of the Department of Health and Human Services (HHS) reviews all reported violations, and determines the amount of the penalty based on the nature and extent of the violation and the potential harm caused to patients by the violation. There is no "one size fits all" penalty for each violation. In most cases, you have opportunity to right the wrong when notified of your non-compliance; your business won't incur a penalty immediately, but rather you'd have 30 days to fix the circumstances.
Photo source: healthcarelawmatters.com