HIPAA, HITECH, and Your Call Center
By Charlene Glorieux
April/May 2010
For contact centers dealing with medical transactions, significant changes are occurring. Not only is ARRA (the “Stimulus Act”) pumping millions of dollars into healthcare for electronic health records (EHR), but also HIPAA (the Health Insurance Portability and Accountability Act) has dramatically changed, imposing new rules on covered entities (CE) and business associates (BA). Call centers that handle protected health information (PHI) to provide services to clients will have to change the way they do business. This has generated a recent flurry of business associate contract (BAC) activity.

In addition, the HITECH (Health Information Technology for Economic and Clinical Health) Act addresses CEs and BAs. Gone are the days when the CE had all the responsibility and liability for disclosures of PHI breaches. BAs are now directly responsible and liable for failures on their part – even for knowing about a breach within the CE and not reporting it. Call centers handling medical calls need to be HIPAA/HITECH-compliant.
The Details:
HIPAA imposes greater requirements on CEs than BAs, though both face similar penalties. CEs under HIPAA are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically. To be considered a BA, call centers must be using PHI to provide a service to a client. Under HIPAA, PHI is information that identifies an individual and relates to the following:
- the individual’s past, present, or future physical or mental health
- the provision of healthcare to the individual
- the past, present, or future payment for healthcare
Information is deemed to identify an individual if it includes their name or other information that could enable someone to identify them.
If your call center is a BA, then you must have a detailed BAC with your client CE. The BAC must comply with the requirements of HIPAA.

A BAC is a new term that replaces the business associate agreement (BAA). The BAC should include only the language that is required under HIPAA/HITECH. None of what is included in the BAC should create obligations on the BA's part (that is, the call center) in excess of what HIPAA requires, but it must include the additional HITECH Act requirements.
The biggest changes are:
1. The HIPAA safeguards now apply to the BA in nearly the same manner as the CE.
2. BAs have mandatory breach reporting requirements and liability for breaches, including exposure to civil suits for breaches.
3. BAs are now subject to the same criminal and civil penalties as CEs for breaches of unsecured PHI.
4. The specific applicable security requirements of the HIPAA security rule must be incorporated into the BAC between a CE and its BA.
The HITECH Act requires BAs to revise and document policies and procedures to comply with the HIPAA privacy and security rules. Items to be covered include systems and network security, data storage practices, privacy practices, accounting for disclosures, breach reporting, and remote operations.
Training Requirements:
Call centers handling PHI must train staff in HIPAA privacy and security, including ongoing training to keep abreast of changes as HIPAA and HITECH requirements evolve. Verifiable, ongoing, and correct training that adapts to these changes will be necessary. Managers will require training to ensure that they are knowledgeable about the myriad of requirements that have now been imposed directly upon BAs by ARRA and HITECH. A compliance officer will be necessary to track and document these issues.
Breach Notification and Reporting Requirements:
Unsecured PHI is PHI that is not secured via standards approved by the Secretary of Health and Human Services. A breach is defined as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”

A breach of unsecured PHI must be reported to the client CE “without unreasonable delay.” However, if the specified technologies and methodologies approved by the Secretary are in place, then unsecured PHI does not exist. Only breaches of unsecured PHI require notification.

HHS (the Department of Health and Human Services) is required under HITECH to conduct periodic audits of CEs and BAs to ensure HIPAA compliance, and affected call centers will need to have systems in place to provide them with periodic reports.
Technical and Security Concerns:
According to HHS, information access management and control are the most commonly violated provisions of the HIPAA Security Rule, which covers data movement, storage, use, and disposal. Information containing PHI sent by email or cell phone involves routes that are open to interception or misdirection. Data storage includes databases, file systems, flash drives, memory, backup storage, and laptops – all of which are vulnerable to breaches. Remote agents are also an issue, so proper controls must be in place at remote locations.

HHS urges that all PHI be encrypted. Encryption keys should be stored on a separate device from the data. If the ability to encrypt is not feasible, then firewalls and access controls must be stringent enough to prevent incursions from unauthorized individuals. Storage and destruction policies need to adequately protect PHI. Shred disks and printed materials containing PHI, and wipe clean or remove the hard drive when disposing of a computer.
Penalties:
HITECH requires mandatory penalties for violations of HIPAA that are due to “willful neglect.” Civil penalties are based upon the level of intent and neglect. Violations determined to be without knowledge start at $100 per violation to a maximum of $25,000. Violations based on reasonable cause start at $1,000 per violation to a maximum of $100,000. Willful neglect violations start at $50,000 to a maximum of $1.5 million.

HITECH also allows a private right of action. Call centers handling PHI can be sued or named as a party in a suit by an individual whose PHI has been disclosed. Such legal liability can be minimized by ensuring that the proper BACs, insurance, training, data protection, policies, and procedures are in place.
Outsourcing Implications:
Security measures must be in place to protect unsecured PHI at the central location, at remote locations, and in transit between locations. Call centers that outsource calls involving PHI must ensure that those businesses are also HIPAA/HITECH-compliant. This includes overflowing calls, traffic sharing, offshore outsourcing, and using hosted services. Contracts must be in place to address these issues.
It’s the Call Center’s Responsibility to Be Ready:
HIPAA/HITECH has arrived; be ready for it. First, do a risk assessment. Determine if PHI is used when providing services for a client. If so, identify all areas with a potential for PHI disclosure and rate these areas for their level of vulnerability. Next, develop a plan to respond to these areas with the proper security procedures. Be sure that all technology is adequate for the task. Access controls, firewalls, encryption, and data safety are critical at the main call center and at remote locations. Create and follow policies for every aspect of PHI use. Be sure that the means for reporting breaches and potential disclosures to CEs have been adequately developed.

Develop and conduct training programs. The entire workforce needs ongoing security training. Update BACs to include the required security and privacy rule clauses, but avoid anything that would create obligations beyond the basic statutory requirements.

Review insurance policies to ensure coverage against the new exposures brought by HITECH. Also, include the proper protection in vendor contracts to ensure compliance. A breach that occurs at an overflow or hosted site is your responsibility.
Charlene Glorieux is the executive vice president for ATSI, which has done extensive work in guiding call centers in these new regulations.
Definitions used in this article:
ARRA: American Recovery & Reinvestment Act (aka the Stimulus Bill)
BA (business associate): any entity that engages in health information exchanges or provides data transmission of PHI
BAC: business associate contract
Breach: the unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of the PHI
CE (covered entity): health plans, healthcare clearinghouses, or healthcare providers that transmit any health information electronically in connection with a covered transaction
EHR: electronic health record
EPHI: electronic protected health information
HIPAA: Health Insurance Portability and Accountability Act
HITECH: Health Information Technology for Economic and Clinical Health Act
PHI (protected health information): individually identifiable health information that is transmitted or maintained in any form or medium, including electronic information
Unsecured PHI: protected health information that is not secured through the use of a technology or methodology specified by the HHS secretary in guidance