By Bill Johnson
Compliance with the Health Insurance Portability and Accountability Act (HIPAA) is the reality of doing business in healthcare today. “Covered entities,” which can include healthcare providers, health plans, and healthcare clearinghouses, must meet HIPAA compliance requirements and protect the privacy and security of individually identifiable health information, but that’s not all. Healthcare organizations must also meet regulations set forth by a variety of governing agencies, including the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). Healthcare organizations need to consider compliance for regulations well beyond HIPAA and OCR.
Healthcare organizations with contact centers must also comply with the rules that apply to contact centers generally, such as call-recording consent and telemarketing regulations. Those that accept payment cards through their contact centers must comply with the card industry's requirements as well. Contact centers operating in the healthcare domain can expect increasingly tenacious investigation and enforcement from the agencies responsible for regulatory compliance, with hefty fines and penalties accompanying violations.
For example, Health Data Management reported that Cignet Health was fined $4.3 million in February 2011 for not complying with HIPAA's privacy regulations. Even though fewer than 60 individuals' records were involved, Cignet's failure to cooperate with the Office for Civil Rights drove the penalty to that level.
Furthermore, according to SC Magazine, BlueCross BlueShield of Tennessee agreed to pay $1.5 million to OCR over a 2009 security breach that affected more than a million members. In the fall of 2009, 57 unencrypted computer hard drives were stolen from a data storage closet in Chattanooga, Tennessee, during a move to a new facility. The drives held audio recordings of customer support calls and screenshots of what the call center staff saw while handling those calls. The lesson for any contact center is blunt: recordings and screen captures are PHI, and an unencrypted drive that leaves your control is a breach.
Security violations are another common area of non-compliance that has plagued many healthcare organizations, often resulting in substantial financial penalties. For example, Healthcare IT News reported that Health Net agreed to pay $250,000 and implement corrective actions for failing to secure private medical records and financial information on nearly half a million Connecticut enrollees in 2010. The settlement also covered its failure to promptly notify the consumers endangered by the breach.
It becomes even more complex when healthcare contact centers, such as online pharmacies and health plans, accept credit cards. Contact centers that accept payment cards, in healthcare or any other industry, must comply with the Payment Card Industry Data Security Standard (PCI DSS). The standard is published by the PCI Security Standards Council, which was founded by American Express, Discover, JCB International, MasterCard, and Visa; enforcement is done by the card brands, which pass fines down through the acquiring banks to merchants. Fines of up to $25,000 for a first violation are commonly cited for MasterCard and Visa, but the actual amounts depend on the brand, the acquirer, and the merchant's level. One PCI DSS requirement bears directly on call recording: a card's security code (the three- or four-digit code used to authorize the sale) must never be stored after authorization, including inside a recorded call, so recordings must be paused or redacted while that value is spoken. More information is available from the PCI Security Standards Council.
While call recording has become a great tool for supporting quality assurance and dispute resolution, it has its own inherent share of regulatory compliance issues of which to be mindful. Conversations and screen captures associated with recordings must also adhere to HIPAA standards and other regulations. To comply, contact centers must ensure that all their data is securely stored, and they must strictly control access to and usage of the recorded conversations and supplementary data.
For compliance of both written and recorded data, there are seven key areas to consider in choosing a call recording solution for your compliant contact center:
1) Flexibility to develop customized policies and procedures for your unique needs: Look for solutions that offer variable data lifecycle management functionality, allowing organizations to tailor how call recordings are stored, staged, and purged based on a variety of criteria, such as account code, extension, and caller ID. In addition, for the most secure system, make sure access to private information can be restricted by using a combination of assigned permissions, call data, account code, and other criteria.
2) Secure storage for call and screen recordings: Have call recordings stored, organized, and preserved in a secure central repository, whether it is on-site, remote, in the cloud, or a hybrid model. Then, take advantage of variable data lifecycle management, which allows customizable storing, staging, and purging of recordings based on a variety of unique business requirements.
Next, employ an archival database that moves older recordings to lower-cost storage while keeping them instantly searchable and retrievable by authorized users. Encrypt recordings at rest and on every device that may hold patient information (servers, archive media, laptops, smartphones). This is not only a defense against attackers and against a lost or stolen device: under the HIPAA Breach Notification Rule, PHI that is properly encrypted is not "unsecured" PHI, so losing an encrypted drive does not trigger the notification and penalty sequence that the Blue Cross case above illustrates.
3) Ease of access for authorized users: Provide the ability for authorized users to easily access, search, and save call recordings using a familiar file management system, similar to email organization in Microsoft Outlook.
Automate storage tiering and purging from defined criteria so retention is applied uniformly, rather than depending on tedious and inconsistent manual review. Use media management functions, such as call slicing, merging, redaction, and call segment export, to limit what an individual recording exposes when it is shared; redaction matters doubly for payment calls, where card numbers and security codes must not persist in the recording. Finally, define archiving rules driven by call data.
4) Authorized access and secure sharing of call recordings: Access to administrative functions and to individual voice documents should be permission-based, and recordings should be inaccessible to anyone outside the organization unless an authorized user explicitly grants access. Each grant should be scoped to the intended recipient so it cannot be forwarded, and should expire after a specified time. Share recordings as links to encrypted streams rather than as e-mail attachments: an attachment is a copy that can never be revoked.
Consider call-recording solutions that use digital watermarking to show that a file has not been altered. Watermarking deters and detects editing, but for evidence that will be challenged in a legal proceeding, pair it with a cryptographic hash or signature computed when the recording is captured and stored separately from the file; a mismatch then proves alteration rather than merely suggesting it.
5) Ongoing regulatory compliance training for contact center staff: Contact center management and staff should receive ongoing regulatory compliance training. Staying up-to-date on current practices and regulations requires continuous dedication to training and personnel development. Be sure to choose a call recording solution that enables easy review of agent interactions to verify compliance with communications processes and various adherence mechanisms. This is especially vital in environments dealing with sensitive data that requires strict identification verification, such as medical call centers.
6) A solid disaster recovery plan: Should a catastrophic event affect the contact center, a properly conceived disaster recovery plan can help ensure that all data pertaining to your organization and patients will remain secure and can be restored and retrieved. Consider a call recording solution that can be deployed with advanced fault tolerance and data protection capabilities, as well as an archival database designed to easily and efficiently archive call records for reliable, secure, and instant access. Then, regularly conduct security and compliance assessments to ensure that your contact center is not at risk for regulatory compliance infractions.
7) Management for an audit-ready and compliant-evident state at all times: Have procedures in place so that your contact center managers can quickly access and accurately produce required data in the event of an investigation. Demonstrating effective compliance management policies and procedures in an investigation can result in the issue being resolved faster. If investigators can see that you are compliant, it may help to avoid additional fines during the investigation process.
Search and mobility features make compliance easier to prove. Speech search finds specified keywords and phrases within call recordings. Likewise, mobile access through a secure Web-based application lets authorized users reach recordings quickly and safely when they are away from their desks, subject to the same permissions and audit logging as desktop access.
Conclusion: In addition to meeting important regulatory compliance requirements, call recordings can help organizations monitor the quality of agent calls, support agent training, enable agent self-evaluations, and help resolve disputes by providing a verifiable account of an interaction.
While stiff fines and bad publicity are strong motivators to stay compliant, the best motivation for maintaining regulatory compliance is the peace of mind that comes from knowing that you are protecting your organization, patients, partners, and vendors.
[From the August/September 2013 issue of AnswerStat magazine]