By Geoff Mina
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is releasing several key updates to the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
As of right now no official announcements have been made public regarding when the second round of audits, referred to as HIPAA Phase II, will take effect. However, according to a recent article from the National Law Review, the OCR has already issued between 550 and 800 pre-audit screening surveys to covered entities in America’s Health Insurance Plans and National Provider Identifier databases, as well as those of healthcare clearing houses and health plans. Upon receiving the surveys, the list will be narrowed down considerably, to about 350 covered entities, which will then be administered data requests.
What do “data requests” entail? This is where things get interesting.
One of the most important changes will impact the types of organizations being targeted by HIPAA. Phase I HIPAA only affected healthcare providers. Under Phase II, however, business associates of healthcare providers will also be subjected to random audits. This includes any third-party provider that handles patients’ personal health information through processes like billing and data management.
Of these 350 selected organizations, about 150 will be subjected to direct audits.
At first, the OCR will be on the lookout for areas with “heightened risk,” or areas that were discovered to be of non-compliance after HIPAA Phase I was completed. These areas include processes such as notifying patients and customers about privacy practices, performing timely breach notifications and incident responses, and setting up strong data access controls for employees. Other areas include risk analysis and management, workforce member training, transmission security, and device and media controls.
Eventually standards like encryption and decryption, breach reports, complaints, and facility access control will be taken into account as well. So it’s important that businesses start preparing ahead of time for these changes.
If your business is selected for an audit you will have two weeks to respond to the request and submit the required information. Audits will take place over a three-year period.
So what should organizations do to make sure they’re ready? Below are five best practices to help meet current HIPAA requirements and gear up for HIPAA Phase II.
Focus on Protected Health Information: Protected Health Information (PHI) is any individually identifiable health data that is held or maintained by a covered entity or its business associates that is transmitted or maintained in any form. This includes demographics, mental conditions (both past and present), genetic information, and payments of healthcare to an individual that is received by a healthcare provider, plan, or employer.
Contact centers must know how to identify PHI and train agents to know what to do with this information as soon as they come across it. Guidelines should be set in place for situations agents will face, as well as cases that may be out of the norm. For example, agents likely know to ask customers for their name only. However, what do they do when the customer offers up more information than the agent desires, such as how they feel, medications they’re on, and so forth? This happens more often than one may think; so it’s important that companies equip their agents with guidelines so they’re prepped on what to do if this situation arises.
Encrypt All Protected Health Information: While not currently required by HIPAA, encrypting all patient health information is a best practice that all companies should already be following – and if not, they should start immediately. It’s important to note that encryption should be done for all data – both data in transit and static data. After all, encrypting one of the two forms of data doesn’t mean both forms will be secure.
Use VPN for Offsite Agent Access: Many companies have agents that work both on-site, as well as remotely. For any employee using remote access, companies should set in place a secure VPN that must be used for access. Doing so keeps information on the company’s server without worry it’ll be accessed on another network. It’s also important for companies to ensure remote access is always via a secure VPN. Doing so will help ensure PHI information doesn’t land in the wrong hands.
Avoid Recording Sensitive Information: To avoid storing information into a database, companies should set policies in place that require agents to turn off the call recording feature when collecting customer information over the phone. For many recording systems the calls are immediately saved to a server where they can be accessed by others in the company. Depending on what was said in the call, this potentially infringes on a customer’s privacy and breaks HIPAA policy. Ensuring calls aren’t recorded from the start helps agents avoid collecting PHI information the caller offers up freely, rather than scrambling to turn off the recording when PHI information is brought up or remembering to delete the recording from the system afterward.
Enforce a Strong Password Policy: Finally, policies should be set for contact center employees to change their password every three to six months. This makes it harder for systems to be hacked or stolen passwords to be used. For added security the policy should also include a secure recovery process for agents. For example, some contact centers require agents to check in with their supervisor whenever they need to recover their password.
Conclusion: In preparation for a possible audit, it’s important to assess your contact center’s compliance as it relates to HIPAA Phase II, and implement these best practices. If you are a healthcare provider, create a list of all of your business associates’ contact information so that you are ready to provide the information to auditors.
And never operate under the assumption that your business is not liable to be audited by the OCR. Corporations and their contact centers should be prepared to handle all requests administered by the OCR in a timely fashion. By preparing ahead of time and assessing your current risk levels and areas that need improvement, you will reduce the likelihood of running into trouble.
Geoff Mina is the chief technology officer and founder of Connect First.