Tag Archives: legal articles

Utilizing Peer Review to Minimize Risk in a Medical Call Center


By Mark Dwyer

Peer review is a method of examining the quality of nursing care in terms of structure, process, and outcome. The American Nurses Association (ANA) describes peer review as the process by which practicing registered nurses systematically assess, monitor, make judgments, and provide feedback to peers by comparing actual practice to established standards. The expected outcomes of this process, in the context of a professional nursing practice model, include increased professionalism, accountability, autonomy, retention, improved communication skills, and quality outcomes.

Let’s look at how this applies specifically to assessing nurse triage calls in a medical call center. The process begins with selecting triage call records from a date range for peer review based on various triage data elements. Data points such as the triage date, triage nurse, guideline used, and disposition level are some of the standard selection criteria.

Once the appropriate records are selected for review, they are typically assigned to a queue for an immediate review or later when time permits. (Note: when conducting the peer review, the nurse reviewer must have access to both the written and, if available, audio call record.)

As the nurse conducting the peer review begins the process, she accesses the original triage call record to identify the nurse who handled the call, the patient’s birthdate and age, the date and time of the call, and the guideline used. This is also when the nurse reviews the original triage details, specifies the review type, and may indicate if the call is part of a quality improvement (QI) project.

Having reviewed the triage details, the nurse reviewer identifies the disposition selected during the original triage call. If the reviewer believes the disposition was under-referred or over-referred, the call is passed to QI management for the QI manager to determine the reason for the inappropriate referral. Some of the standard reasons resulting in an under- or over-referral are:

  • Incomplete assessment or not enough objective data
  • Nurse did not recognize a serious symptom
  • Wrong guideline used
  • Nurse did not adhere to the guideline
  • Inadequate interventions tried at home

If the call included an audio recording, a separate set of questions is used to evaluate the triage assessment. These include, did the nurse:

  • Use two patient identifiers
  • Review the patient’s health history
  • Identify the main or most serious complaint
  • Assess the severity of all symptoms
  • Evaluate the guideline questions sequentially until reaching a positive response
  • Ask the caller if they understand the instructions

A thorough peer review of the audio recording must also include questions to assess the nurse’s level of communication and customer service, time management, and written documentation.

Assessing the nurse’s level of communication and customer service is done using a 3-point scale (3 = excellent, 2 = good, and 1 = room for improvement). The nurse should:

  • Develop a rapport with the caller
  • Demonstrate advocacy for the patient and family
  • Use open-ended questions through most of the interview

Additional considerations evaluate time management. These include:

  • Time progression of the call
  • Maintained control of the call
  • Redirected the caller as needed

The nurse reviewer then assesses the written documentation to determine if it aligns with the audio recording and is complete, and whether, in the reviewer’s opinion, the triage nurse selected the most appropriate guideline and disposition. Again, if the reviewer believes the disposition was under-referred or over-referred, the call is passed to QI management for the QI manager to determine the reason for the inappropriate referral.

Finally, to assess the outcome of any emergency department (ED) or urgent care center (UCC) referral, if the referral, in the opinion of the reviewer, was an under- or over-referral, a unique set of questions enables a QI review by the medical director. For example:

  • Did the patient’s overall clinical picture suggest the need for an urgent visit to rule out serious differentials?
  • Was the patient seen within the appropriate time frame?
  • Did the patient receive interventions that couldn’t have been done at home?
  • What was the patient’s most significant diagnosis?

If the medical director agrees that the call resulted in an under or over-referral to the ED or UCC, she tracks the appropriate disposition and indicates the reason for the incorrect disposition.

Once the assessments are completed, monthly results are shared with the reviewed nurses providing feedback on ways to offer better telephone triage services. The manager also runs reports to quantify departmental results. Using this information enables the manager to conduct remedial training as appropriate.

An effective peer review program allows for a formal approach to the analysis of performance and to the systematic and continuous actions that lead to measurable improvement. Following a nurse review process like this one enables the medical call center to minimize its overall risk.

Mark Dwyer is a 32-year veteran of the healthcare call center industry. Mark is in his sixteenth year at LVM Systems, where he serves as COO. LVM Systems provides healthcare call center software. For more information or a demonstration of LVM’s call center solutions contact Carol Zeek, regional VP, sales, at 480-633-8200 x279 or Leann Delaney, regional VP, sales at 480-633-8200 x286.

Why Hackers Target Your Medical Records Instead of Your Credit Cards



By Nicole Limpert

Despite the care most of us take to protect our credit card information, credit card fraud is the most common form of identity theft in the United States. According to a report from Javelin Strategy & Research, 15.4 million consumers were victims of identity theft or fraud, which cost U.S. consumers more than 16 billion dollars in 2016.

However, cyber criminals increasingly target electronic protected health information (ePHI), because hackers can get a premium price for this personal information on the dark web.

Sold to the Highest Bidder

Raw credit card numbers, those that are missing PIN and user information, are worth $1 or less each on the dark web. More complete credit card records that have personal information command a higher price—up to $30 each depending on the country of origin. The most valuable prize for fraudsters is someone’s medical record. Estimates vary, but in general records consistently sell for $70 to 90 each. Some hackers claim to sell blocks of thousands of records and receive over $100 per individual record.

Historically, healthcare data breaches were the result of internal staff actions (both accidental and intentional), but the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data in 2015 found that the primary cause of healthcare data breaches was criminal attacks.

The report states, “Employee negligence and lost or stolen devices still result in many data breaches, according to the findings. However, one of the trends we are seeing is a shift of data breaches—from accidental to intentional—as criminals are increasingly targeting and exploiting healthcare data.”

Why ePHI is So Valuable

It is estimated that our global healthcare industry will be worth 8.7 trillion dollars by 2020. Cyber criminals are cashing in by using stolen patient data primarily for insurance fraud, medication fraud, and financial fraud.

The Identity Theft Resource Center, a U.S. non-profit that provides victim assistance and consumer education, reported there were 355 healthcare breaches in 2016 affecting 15 million records.

Information contained in a medical record is particularly useful for lucrative fraud schemes because it’s high-quality, deeply personal, and permanent. On the dark web this type of data is referred to as “fullz” (full packages of personally identifiable information). Fullz can’t easily be replaced like credit card numbers so it is more useful and provides more value to criminals.

Because the information contained in a health record is complete and comprehensive, it’s extremely versatile, and it takes much longer for fraud to be detected. The information can be used in a variety of fraud scenarios.

Sometimes personal identities are stolen to receive medical care. The Ponemon Institute provides an example where a patient learned his identity was compromised after receiving invoices for a heart procedure he hadn’t undergone. His information was also used to buy a mobility scooter and medical equipment, amounting to tens of thousands of dollars in fraud.

Why is ePHI So Vulnerable?

In response to increasing threats to patient health data and poor security, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009. The act provided a 27 billion dollar incentive to encourage health providers to switch from paper medical records to electronic files.

The results have been disappointing. Many healthcare organizations were slow to adopt electronic files because of struggles connecting different technologies. These disparate technologies need to work together so electronic health records (EHRs) are available to the appropriate staff.

President Obama was interviewed by Vox’s Ezra Klein and Sarah Kliff on January 6, 2017 and explained this lack of interoperability was something he and his administration didn’t expect:

“We put a big slug of money to encouraging everyone to digitalize and catch up with the rest of the world here. And it’s proven to be harder than we expected, partly because everyone has different systems. They don’t all talk to each other, it requires retraining people in how to use them effectively, and I’m optimistic that over time it’s inevitable it’s going to get better because every other part of our lives, it’s become paperless.

“But it’s a lot slower than I would have expected; some of it has to do with the fact that it’s decentralized, and everyone has different systems. In some cases, you have economic incentives against making the system better; you have service providers—people make money on keeping people’s medical records—so making it easier for everyone to access medical records means that there’s some folks who could lose business. And that’s turned out to be more complicated than I expected.”

As a result, hospitals and clinics have been operating, at least in part, with outdated technology, exposing them to the dangers of cyber-attacks.

Are Paper Medical Records Better?

It may be tempting to think paper medical records are a safer option, but a recent study published in the American Journal of Managed Care found that paper and films were the most frequent location of breached data.

Verizon’s 2018 Protected Health Information Data Breach Report also found that 27 percent of data breach incidents were related to sensitive data on paper.

The Verizon report authors wrote, “Medical device hacking may be in the news, but it seems the real criminal activity is found by following the paper trail. Whether prescription information sent from clinics to pharmacies, billing statements issued by mail, discharge papers physically handed to patients, or filed copies of ID and insurance cards, printed documents are more prevalent in the healthcare sector than any other. The very nature of how PHI paperwork is handled and transferred by medical staff has led to preventable weaknesses—sensitive data being misdelivered (20 percent), thrown away without shredding (15 percent), and even lost (8 percent).”

The Future of ePHI

While the progress is slow, it appears more hospitals are using ePHI and beginning to catch up with the technological needs to protect it.

In 2017 the American Medical Informatics Association released a report using information from an American Hospital Association survey about hospital information technology. They measured “basic” and “comprehensive” EHR adoption among U.S. hospitals and found that 80.5 percent of hospitals had at least a basic EHR system.

Data breaches in the U.S. healthcare field cost around 6 billion dollars annually. Even though the latest IBM Security/Ponemon Institute study found that in the United States, healthcare data breach costs are higher than any other industry sector, the average cost per record is decreasing. The average data breach cost per record in the healthcare industry was 380 dollars in 2017, down from 402 dollars the year before.

Nicole Limpert is the marketing content writer for Amtelco and their 1Call Healthcare Division. Amtelco is a leading provider of innovative communication applications. 1Call develops software solutions and applications designed for the specific needs of healthcare organizations.

How Well Do You Understand HIPAA?

By Janet Livingston

Most people in the call center industry have a general idea of what HIPAA is, but they lack an understanding of how to apply it to their healthcare call center operation. Ignorance, however, is not a sound defense for HIPAA violations.

HIPAA, the Health Insurance Portability and Accountability Act, has critical ramifications for medical call centers. Passed by the US Congress in 1996, the law is now over a decade old. As far as call centers are concerned, HIPAA, among other things, requires call centers to keep personal health information private, both when stored and when moved. There are fines, as well as public embarrassment, for database breaches and employee disclosures of private healthcare information.

Though this is not comprehensive legal advice, the following recommendations do address some basic, commonsense steps to move toward HIPAA compliance by covering key risk areas that are often overlooked. Follow these quick tips now to reduce penalties and pain later.

Fortify the Building: Safeguard your call center facility with building locks, surveillance cameras, door alarms, and a secured lobby. If employees use a separate entrance, don’t overlook it. Require them to be buzzed in or provide a keypad entry lock, with individual codes for each employee. Change lock codes periodically and retire individual codes as soon as an employee no longer works at your call center.

Implement Internal Security: Not only does the call center facility need security and secured access, but internal security is also a critical issue under HIPAA. Specifically, certain areas must be off limits to unauthorized personnel and to all non-personnel.

For example, the operations room should be off limits to visitors and even some ancillary staff. Only scheduled agents and relevant management should be allowed entrance into the operations room. In the event that a client or prospect wants a facility tour, allow them only to view the operation from a distance, perhaps through a window in a soundproof room overlooking the operations room. Similarly, the technology hubs, such as the computer room and telecommunications center, should be under lockdown at all times and accessible only to authorized technical personnel.

Establish Technology Safeguards: As mentioned, the primary space that should have limited access is the equipment area, which houses your call center’s computers, servers, and network technology, as well as the telecommunications switches and interfaces. But this restriction doesn’t just apply to people in your facility. There should be no externally accessible physical access points to your telephone or internet service. Furthermore, remote access to equipment and data should be thoroughly password protected and limited to authorized personnel and vendor use only.

Escort Visitors: Any clients, prospective clients, vendors, and nonemployees need an escort through the facility. Accompany visitors at all times. If they’re interested in viewing operations, they should do so by observing it from inside a soundproof, glassed viewing area. They must be supervised throughout their tour. Make sure they do not photograph or record anything during their visit. A best-practice policy is for them to check all electronic equipment at the front desk or leave it in their car.

Invest in Paper Shredders: While many dream of a truly paperless office, the reality is that despite well-meaning intentions, paper containing sensitive information will be produced. This might be through negligence, oversight, or expediency. Regardless, these paper documents must be destroyed as soon as they are no longer needed. The obvious solution is to shred such documents in a micro-cut shredder.

Deploy Shred Bins: All sensitive or potentially sensitive documents require shredding. However, shredders are loud devices that don’t align well with the call center’s need to minimize noise. Though immediate shredding is ideal, this is sometimes impractical, in which case locked shred bins should be conveniently placed around the call center. Authorized personnel routinely shred the contents of the locked shred bins according to documented security protocols.

Enforce a Password Policy: Passwords are unpopular but necessary, yet password misuse and abuse is the weakest link in most call centers. Good passwords help keep personal health information private. A thorough password policy must be developed, taught, followed, and enforced. Putting a great plan into a document means nothing if staff isn’t instructed in what it says, and staff instruction means nothing if the enforcement is lax or altogether lacking. When given an option, most people will take whatever password shortcuts they can, not recognizing the pitfalls and risks they subject their companies to.

At minimum the password policy should mandate regular software-controlled password changes, not reusing previous passwords, and never sharing passwords with anyone regardless of the circumstances. Password policy violations remain a vulnerable area at many call centers. Education and enforcement are essential, with the consistent actions and attitudes of management establishing the perspectives of all other employees.

A lack of compliance with HIPAA regulations can result in monetary damages in the form of fines for security breaches and reputation damages in the form of negative publicity over security violations. While HIPAA only covers the healthcare industry, these security tips are emerging as call center best practices across all industries. Therefore every call center should move toward implementation.

Janet Livingston is the president of Call Center Sales Pro, a premier sales and marketing service provider and consultancy that provides custom training solutions for all levels of call center staff, both in the healthcare industry and across all verticals. Contact Janet at contactus@callcenter-salespro.com or 800-901-7706 to learn more about arranging specific training for your organization.

Gear Up for HIPAA Phase II in Your Contact Center



By Geoff Mina

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is releasing several key updates to the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

As of right now no official announcements have been made public regarding when the second round of audits, referred to as HIPAA Phase II, will take effect. However, according to a recent article from the National Law Review, the OCR has already issued between 550 and 800 pre-audit screening surveys to covered entities in America’s Health Insurance Plans and National Provider Identifier databases, as well as those of healthcare clearing houses and health plans. Upon receiving the surveys, the list will be narrowed down considerably, to about 350 covered entities, which will then be administered data requests.

What do “data requests” entail? This is where things get interesting.

One of the most important changes will impact the types of organizations being targeted by HIPAA. Phase I HIPAA only affected healthcare providers. Under Phase II, however, business associates of healthcare providers will also be subjected to random audits. This includes any third-party provider that handles patients’ personal health information through processes like billing and data management.

Of these 350 selected organizations, about 150 will be subjected to direct audits.

At first, the OCR will be on the lookout for areas with “heightened risk,” or areas that were discovered to be of non-compliance after HIPAA Phase I was completed. These areas include processes such as notifying patients and customers about privacy practices, performing timely breach notifications and incident responses, and setting up strong data access controls for employees. Other areas include risk analysis and management, workforce member training, transmission security, and device and media controls.

Eventually standards like encryption and decryption, breach reports, complaints, and facility access control will be taken into account as well. So it’s important that businesses start preparing ahead of time for these changes.

If your business is selected for an audit you will have two weeks to respond to the request and submit the required information. Audits will take place over a three-year period.

So what should organizations do to make sure they’re ready? Below are five best practices to help meet current HIPAA requirements and gear up for HIPAA Phase II.

Focus on Protected Health Information: Protected Health Information (PHI) is any individually identifiable health data that is held or maintained by a covered entity or its business associates that is transmitted or maintained in any form. This includes demographics, mental conditions (both past and present), genetic information, and payments of healthcare to an individual that is received by a healthcare provider, plan, or employer.

Contact centers must know how to identify PHI and train agents to know what to do with this information as soon as they come across it. Guidelines should be set in place for situations agents will face, as well as cases that may be out of the norm. For example, agents likely know to ask customers for their name only. However, what do they do when the customer offers up more information than the agent desires, such as how they feel, medications they’re on, and so forth? This happens more often than one may think; so it’s important that companies equip their agents with guidelines so they’re prepped on what to do if this situation arises.

Encrypt All Protected Health Information: While not currently required by HIPAA, encrypting all patient health information is a best practice that all companies should already be following – and if not, they should start immediately. It’s important to note that encryption should be done for all data – both data in transit and static data. After all, encrypting one of the two forms of data doesn’t mean both forms will be secure.

Use VPN for Offsite Agent Access: Many companies have agents that work both on-site, as well as remotely. For any employee using remote access, companies should set in place a secure VPN that must be used for access. Doing so keeps information on the company’s server without worry it’ll be accessed on another network. It’s also important for companies to ensure remote access is always via a secure VPN. Doing so will help ensure PHI information doesn’t land in the wrong hands.

Avoid Recording Sensitive Information: To avoid storing information in a database, companies should set policies in place that require agents to turn off the call recording feature when collecting customer information over the phone. For many recording systems the calls are immediately saved to a server where they can be accessed by others in the company. Depending on what was said in the call, this potentially infringes on a customer’s privacy and breaks HIPAA policy. Ensuring calls aren’t recorded from the start helps agents avoid collecting PHI the caller offers up freely, rather than scrambling to turn off the recording when PHI is brought up or remembering to delete the recording from the system afterward.

Enforce a Strong Password Policy: Finally, policies should be set for contact center employees to change their password every three to six months. This makes it harder for systems to be hacked or stolen passwords to be used. For added security the policy should also include a secure recovery process for agents. For example, some contact centers require agents to check in with their supervisor whenever they need to recover their password.

Conclusion: In preparation for a possible audit, it’s important to assess your contact center’s compliance as it relates to HIPAA Phase II, and implement these best practices. If you are a healthcare provider, create a list of all of your business associates’ contact information so that you are ready to provide the information to auditors.

And never operate under the assumption that your business is not liable to be audited by the OCR. Corporations and their contact centers should be prepared to handle all requests administered by the OCR in a timely fashion. By preparing ahead of time and assessing your current risk levels and areas that need improvement, you will reduce the likelihood of running into trouble.

Geoff Mina is the chief technology officer and founder of Connect First.

The Benefits of Joining the Nurse Licensure Compact

By Roy Pologe

Seven years ago at Night Nurse, one of our staff RNs encountered an after-hours triage call from a Vermont patient of a Massachusetts medical practice. Our nurse triaged the call, but noted concern for having done so. The nurse was credentialed in Massachusetts, and the call was from Vermont. Were her nurse credentials (RN) in jeopardy for having provided medical care advice across state lines? Although Medicaid, HMO, and medical insurer guidelines do not inhibit or prohibit patient care by physicians across state lines, we didn’t dismiss our nurse’s concern.

Our Massachusetts triage nurse’s encounter with the patient residing in Vermont prompted a conversation with the Vermont Board of Nursing (BoN). “Your nurse was in violation of both Vermont and Massachusetts nursing regulations,” said a representative of the Vermont BoN.

“Why is that?” asked Tami Regan, Night Nurse’s director of nursing services. “We’re allowed to triage Massachusetts residents who travel out of state. What makes this situation so different? How should we have assisted the patient?” The Vermont BoN advised us to redirect Vermont patients to their own physicians for assistance.

Certainly this patient encounter provoked questions for further discussion. Practically considered, by following Vermont BoN guidelines, the Vermont patient would have had care advice significantly delayed; alternatively the patient might have dialed 911 or gone to the emergency room. Possibly all those scenarios would have resulted in reasonably positive outcomes (aside from additional costs accrued to the practice, HMO, or government, as well as needless risk for the patient). But what if the circumstances surrounding the call were potentially life-threatening, such as symptoms akin to meningitis? Then the scenario endorsed by the Vermont BoN and deemed acceptable by the Massachusetts BoN could have resulted in serious complications or even death for the patient.

Our triaging that Vermont patient was an oddity, but it was also an eye-opener. The absurdities of Massachusetts and Vermont nursing regulations may be more self-serving than lifesaving. Regulatory authority that deters achieving good patient outcomes must be thoughtfully examined and revised. Current Massachusetts nursing regulations are antithetical to good medical practice, as stated by the Massachusetts BoN Regulations, Section 244 CMR 9.00 subsection 4/9.03, which reads in effect that triage of an out-of-state resident by a Massachusetts RN is a violation of the statute. Though this regulation has never been tested and is open to interpretation, the safe course of action is to abide by it.

Soon after our Vermont patient encounter, we discovered unheralded legislation languishing in the Massachusetts legislature, proposing that the Commonwealth of Massachusetts join an existing “Compact” – that is, the Nurse Licensure Compact (NLC), which is similar to other reciprocal licensure agreements and allows nurses properly licensed in one state of residency to have their credentials honored in all NLC states, now numbering twenty-four.

Maine, New Hampshire, and Rhode Island have already aligned with the NLC. However, Connecticut, Massachusetts, and Vermont are not NLC states. Night Nurse services all six of these New England states, as well as seventeen other states.

Reciprocal accreditation of our staff nurses across state lines would expedite delivery of cost-efficient medical services, with benefits for all concerned. The cumulative effect of more states enlisting in the NLC would facilitate the consistent delivery of timely triage across state borders.

Disease and catastrophe do not respect state lines. In an endemic situation, nursing forces are stretched thin. During pandemic events, nurses themselves are subject to illness. Also, nurses are among first responders during emergent events. Restrictive state nursing regulations limit the flexibility for appropriate assignment of available nurses in response to weather-related disasters, as occurred in 2012 when Hurricane Sandy struck the eastern seaboard. During such emergencies, it would be highly beneficial and much more efficient to assign emergent calls to the next available nurse rather than the next available nurse with licensure matching the patient’s state of residence.

Tami Regan recently testified before the Massachusetts legislature in Boston, citing specific occurrences during a past H1N1 influenza pandemic. Our Massachusetts licensed nurses were barraged with patient and caregiver calls, while our non-Massachusetts licensed nurses were not. Although these other nurses were free to assist with call management, they were restricted from supporting our Massachusetts nurses licensed by the Massachusetts BoN. Night Nurse persevered and managed to maintain patient services throughout that H1N1 pandemic, but Massachusetts patients were subject to unnecessary risk, while competent NLC nurses were prepared and available to provide much-needed assistance.

Conversely, when NLC nurses were struggling to keep up with extraordinarily heavy call volume (H1N1 peaked in other states before arriving in Massachusetts), the Massachusetts BoN refused our request for a limited two-week waiver to allow Massachusetts staff nurses to support beleaguered nurses serving other states.

Tami Regan’s parting comment upon conclusion of her testimony in Boston in support of Massachusetts’ passage of NLC legislation was, “Boston Strong becomes Boston Stronger by Massachusetts joining the Compact.” It’s time for legislatures in Massachusetts and other non-NLC affiliate states to provide their residents with the many benefits and lessened vulnerability to disease or disaster that results from joining the NLC.

Roy Pologe is the CEO of Night Nurse Inc. Night Nurse’s staff nurses average eighteen years of clinical experience, and their primary concern is delivering competent, understandable care advice to patients of over 1,500 physicians, clinics, hospitals, and educational institutions. Since 1999 Night Nurse has triaged more than two million patient encounters without incident.

via The Benefits of Joining the Nurse Licensure Compact.

[From the April/May 2014 issue of AnswerStat magazine]

What You Need to Know About Call Recording to Meet Regulatory Compliance

By Bill Johnson

Compliance with the Health Insurance Portability and Accountability Act (HIPAA) is the reality of doing business in healthcare today. “Covered entities,” which can include healthcare providers, health plans, and healthcare clearinghouses, must meet HIPAA compliance requirements and protect the privacy and security of individually identifiable health information, but that’s not all. Healthcare organizations must also meet regulations set forth by a variety of governing agencies, including the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). Healthcare organizations need to consider compliance for regulations well beyond HIPAA and OCR.

Healthcare organizations with contact centers must also comply with general contact center regulations. Those that accept payment cards via their contact centers must comply with related regulations. Contact centers operating within the healthcare domain can expect to see an ever-increasing level of tenacity from government agencies tasked with investigating and enforcing regulatory compliance, with hefty fines and penalties accompanying violations.

For example, Health Data Management reported that Cignet Health was fined $4.3 million in February 2011 for not complying with HIPAA’s privacy regulations. Even though Cignet had fewer than 60 records breached, the fact that it did not cooperate with the Office for Civil Rights resulted in this significant fine.

Furthermore, according to SC Magazine, Blue Cross was fined $1.5 million by the OCR for a 2009 security breach that affected more than a million members. In the fall of 2009, 576 unencrypted computer hard drives were stolen from a data storage closet in Chattanooga, Tennessee, during a move to a new facility. The data included audio recordings of customer support calls and screenshots of what the call center staff saw when handling the calls.

Security violations are also a common area of non-compliance that has plagued many healthcare organizations, often resulting in substantial financial penalties. For example, Healthcare IT News reported that Health Net agreed to pay a fine of $250,000 and implement corrective actions for failing to secure private patient medical records and financial information on nearly a half million Connecticut enrollees in 2010. This fine also includes failing to promptly notify consumers endangered by the breach.

It becomes even more complex when healthcare contact centers, such as online pharmacies and health plans, accept credit cards. Contact centers that accept payment cards, whether they are in healthcare or any other industry, must comply with regulations set forth by the Payment Card Industry Data Security Standard (PCI-DSS), which was developed and is regulated by American Express, Visa, MasterCard, Discover, and JCB International. These financial institutions have enacted their own fines for violators. For example, MasterCard and Visa fine merchants up to $25,000 for the first violation. More information on this is available from the PCI Security Standards Council and PCI Standard.

While call recording has become a great tool for supporting quality assurance and dispute resolution, it has its own inherent share of regulatory compliance issues of which to be mindful. Conversations and screen captures associated with recordings must also adhere to HIPAA standards and other regulations. To comply, contact centers must ensure that all their data is securely stored, and they must strictly control access to and usage of the recorded conversations and supplementary data.

For compliance of both written and recorded data, there are seven key areas to consider in choosing a call recording solution for your compliant contact center:

1) Flexibility to develop customized policies and procedures for your unique needs: Look for solutions that offer variable data lifecycle management functionality, allowing organizations to tailor how call recordings are stored, staged, and purged based on a variety of criteria, such as account code, extension, and caller ID. In addition, for the most secure system, make sure access to private information can be restricted by using a combination of assigned permissions, call data, account code, and other criteria.

2) Secure storage for call and screen recordings: Have call recordings stored, organized, and preserved in a secure central repository, whether it is on-site, remote, in the cloud, or a hybrid model. Then, take advantage of variable data lifecycle management, which allows customizable storing, staging, and purging of recordings based on a variety of unique business requirements.

Next, employ an archival database for targeted recording data relocation while still providing instant search and access functionality to authorized users. Also, use encryption options on the computers, smartphones, and all other devices that contain private patient information to help prevent information from being accessed by hackers or due to an accidental breach of the computer’s basic security system.

3) Ease of access for authorized users: Provide the ability for authorized users to easily access, search, and save call recordings using a familiar file management system, similar to email organization in Microsoft Outlook.

Implement automatic storage and purging based on unique individual criteria to ensure uniform practices, rather than requiring tedious and inefficient manual review. Also, use media management functionality, such as call slicing, merging, redacting, and call segment exporting, that allows users to further restrict and control information contained within individual call recordings on an as-needed basis to ensure instance-by-instance regulatory compliance. Finally, create custom archiving rules based on call data.

4) Authorized access and secure sharing of call recordings: Access to administrative functions and to individual voice documents should be permissions-based, with recordings inaccessible to outsiders, unless granted permission by an authorized user. These permissions should be limited to prevent further sharing and set to expire after a specified time. For the highest level of security, recordings should be shared as secure media files via link distribution using encrypted streaming, rather than simply emailed as attachments.

Consider call-recording solutions that utilize digital watermarking, which provides the ability to verify and prove that files have not been altered. This is essential in legal situations.

5) Ongoing regulatory compliance training for contact center staff: Contact center management and staff should receive ongoing regulatory compliance training. Staying up-to-date on current practices and regulations requires continuous dedication to training and personnel development. Be sure to choose a call recording solution that enables easy review of agent interactions to verify compliance with communications processes and various adherence mechanisms. This is especially vital in environments dealing with sensitive data that requires strict identification verification, such as medical call centers.

6) A solid disaster recovery plan: Should a catastrophic event affect the contact center, a properly conceived disaster recovery plan can help ensure that all data pertaining to your organization and patients will remain secure and can be restored and retrieved. Consider a call recording solution that can be deployed with advanced fault tolerance and data protection capabilities, as well as an archival database designed to easily and efficiently archive call records for reliable, secure, and instant access. Then, regularly conduct security and compliance assessments to ensure that your contact center is not at risk for regulatory compliance infractions.

7) Management for an audit-ready and compliant-evident state at all times: Have procedures in place so that your contact center managers can quickly access and accurately produce required data in the event of an investigation. Demonstrating effective compliance management policies and procedures in an investigation can result in the issue being resolved faster. If investigators can see that you are compliant, it may help to avoid additional fines during the investigation process.

Help support and improve the ease of proving compliance with additional search and mobility features. For example, speech search provides the ability to quickly search for specified key words and phrases within the call recordings. As well, mobile access via a secure Web-based application makes it fast, easy, and secure for authorized users to access documents when they are away from their desks.
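Items 1, 2 and 4 above call for lifecycle rules keyed on criteria such as account code and extension, tamper evidence for stored recordings, and sharing permissions that are bound to a recipient and expire. The following is an added example, not code from any call recording product: a minimal implementation of those three controls, using keyed SHA-256 digests in place of the product-specific digital watermarking the article mentions. All keys, identifiers, timestamps and recordings are constructed sample data.

```python
"""Recording lifecycle rules, tamper evidence and expiring share links.

Added illustration of items 1, 2 and 4 of the article; not code from any
call recording product. Keyed digests stand in for digital watermarking.
Every key, id, timestamp and recording here is constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2013, 4, 1, 12, 0)   # constructed reference clock
SEAL_KEY = b"constructed-seal-key"  # in production, held in an HSM or KMS
LINK_KEY = b"constructed-link-key"

@dataclass
class Recording:
    rec_id: str
    account_code: str
    extension: str
    caller_id: str
    recorded_at: datetime
    tier: str = "online"   # online -> staged (archival database) -> purged

@dataclass
class LifecycleRule:
    """Matches on account code and/or extension; None matches anything."""
    account_code: str = None
    extension: str = None
    stage_after_days: int = 90
    purge_after_days: int = 365

    def matches(self, rec: Recording) -> bool:
        return (self.account_code in (None, rec.account_code)
                and self.extension in (None, rec.extension))

def lifecycle_action(rec: Recording, rules: list, now: datetime) -> str:
    """'keep', 'stage' or 'purge' under the first matching rule (default 90/365 days)."""
    rule = next((r for r in rules if r.matches(rec)), LifecycleRule())
    age = (now - rec.recorded_at).days
    if age >= rule.purge_after_days:
        return "purge"
    if age >= rule.stage_after_days and rec.tier == "online":
        return "stage"
    return "keep"

def seal(audio: bytes) -> str:
    """Keyed digest computed at capture time and stored beside the recording."""
    return hmac.new(SEAL_KEY, hashlib.sha256(audio).digest(), hashlib.sha256).hexdigest()

def verify_seal(audio: bytes, stored: str) -> bool:
    """False if a single byte of the recording changed since capture."""
    return hmac.compare_digest(seal(audio), stored)

def issue_share_token(rec_id: str, recipient: str, expires_at: datetime) -> str:
    """Link token bound to one recipient and an expiry, so a forwarded link fails."""
    exp = int(expires_at.timestamp())
    mac = hmac.new(LINK_KEY, f"{rec_id}|{recipient}|{exp}".encode(), hashlib.sha256)
    return f"{exp}.{mac.hexdigest()}"

def verify_share_token(token: str, rec_id: str, recipient: str, now: datetime) -> bool:
    """True only for the original recipient and before the expiry in the token."""
    try:
        exp_str, mac = token.split(".", 1)
        exp = int(exp_str)
    except ValueError:
        return False
    if now.timestamp() > exp:
        return False
    expected = hmac.new(LINK_KEY, f"{rec_id}|{recipient}|{exp}".encode(), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest(), mac)

# Constructed rules: pharmacy accounts are staged early and purged at 180 days;
# extension 2201 (say, a payments desk) keeps recordings online for only a week.
DEMO_RULES = [
    LifecycleRule(account_code="PHARM", stage_after_days=30, purge_after_days=180),
    LifecycleRule(extension="2201", stage_after_days=7, purge_after_days=60),
]

def days_from_now(n: int) -> datetime:
    return NOW + timedelta(days=n)

def demo_recordings() -> list:
    """Four constructed recordings exercising each lifecycle outcome."""
    return [
        Recording("rec-0001", "PHARM", "1100", "555-0101", days_from_now(-200)),
        Recording("rec-0002", "CLINIC", "2201", "555-0102", days_from_now(-10)),
        Recording("rec-0003", "CLINIC", "1100", "555-0103", days_from_now(-45)),
        Recording("rec-0004", "PHARM", "1100", "555-0104", days_from_now(-40), tier="staged"),
    ]
```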

Conclusion: In addition to meeting important regulatory compliance requirements, call recordings can help organizations monitor the quality of agent calls, support agent training, enable agent self-evaluations, and help resolve disputes by providing a verifiable account of an interaction.

While stiff fines and bad publicity are strong motivators to stay compliant, the best motivation for maintaining regulatory compliance is the peace of mind that comes from knowing that you are protecting your organization, patients, partners, and vendors.

[From the August/September 2013 issue of AnswerStat magazine]

A Multimillion-Dollar Trap: Recording Customer Service Calls

By Perrie Weiner, Edward Totino, Joshua Briones, and Ana Tagvoryan

A company’s success hinges on the quality and efficiency of its customer service. For organizations, such as hospitals and healthcare call centers, that provide service to customers by telephone, ensuring quality customer service often depends upon the ability to evaluate calls, either live through call monitoring or after the fact by listening to recordings. However, while call monitoring and recording aids in agent training, quality assurance, and quality control, these methods can expose an organization to legal liability, costing hundreds of millions of dollars if call monitoring is not implemented in accordance with local law.

In the United States, federal and state regulations govern the monitoring and recording of telephone conversations. Many of these laws are found in the penal statutes that forbid eavesdropping, wiretapping, and monitoring communications. While these laws may originally have been aimed at nefarious activities, like secretly tapping another person’s telephone line, amendments have expanded these laws to cover innocent activity, such as a company monitoring its telephone calls for quality assurance.

Although the federal law makes one party’s consent to the recording of a telephone conversation a defense to a claim of unlawful recording or monitoring, many state laws require all parties to the conversation to have consented to the recording or monitoring, or at least be notified that the call may be monitored or recorded.

To avoid liability for monitoring or recording, a business handling customer calls to and from different states in the United States should implement procedures to ensure compliance with every state’s monitoring and recording regulations. Only such universal procedures will provide a bulletproof defense to any claim of unlawful monitoring or recording.

Potential Risks for Monitoring or Recording Without Consent: Many state laws provide for criminal sanctions against companies that monitor or record telephone calls without notice, as well as give a private right of action in civil courts against such companies to the person whose “privacy” rights are violated. Moreover, many of the states that allow for civil actions expressly provide for the recovery of fixed statutory damages on a per call basis, even in the absence of any actual damages. Minimum statutory damages vary depending on the state, but several states require $1,000 for each recording. In California, the minimum is $5,000 for each recording. Many of these statutes also allow for the recovery of punitive damages and attorneys’ fees.

The creation of a private right of action, as well as the fixed damages provisions of these statutes, create an incentive for actions to be brought for violation of the statutes on behalf of a class of plaintiffs (i.e., class actions).

Such class actions are often brought on behalf of a class of consumers who engaged in telephone conversations with companies that are alleged to have deficient procedures for providing notification of monitoring or recording or that experienced a technical breakdown in their automated systems for recording or monitoring.

In such cases, actual damages are minimal or simply do not exist, but each consumer, nevertheless, may be entitled to the minimum statutory damages for each illegal recording. For companies that have hundreds or thousands of calls per month, the potential liability can easily reach enormous proportions in the multibillion-dollar range. Indeed, under California law, recording or monitoring only 200,000 calls without the required notice or consent can result in aggregate statutory damages of $1 billion. This is true even if no one suffered any actual damages.

Interstate Recording and Monitoring: Twelve states have statutes that in some form or another require all parties to a telephone call to be notified or give consent to recording or monitoring. When one of the parties to a telephone conversation is in a state that requires all parties to consent to recording, complex choice-of-law issues arise.

A comprehensive analysis of both states’ laws will determine whether the party doing the recording can take cover under available safe harbor provisions. For example, some states have an exception that allows recording that takes place in another state, or a choice-of-law provision or interpretation that only applies the law to recordings done in the state. Other states have an exception that allows recording without notice for business or customer service purposes.

Businesses that take customer-facing calls from many different states must be wary of the recording laws in the states in which they do the recording and the states from which they receive or to which they make calls.

In 2006, the California Supreme Court decided to apply California Penal Code section 632 – which requires that both parties be notified of, or consent to, monitoring or recording – to calls in which any of the parties are located in California, even if the recording or monitoring took place in a state that allowed recording or monitoring without notice or consent (see Kearney v. Salomon Smith Barney, Inc., 39 Cal. 4th 95, 2006). The safest approach is to always provide notification of monitoring or recording on every call. Even then, there may be issues of whether the type of notification given was sufficient to obtain consent to recording.

Notification and Consent: What’s the Right Way? There are many different ways that a company may attempt to provide notice of, or obtain a consumer’s consent to, monitoring or recording. For example, a company can give written notification of telephone monitoring or recording in their customer account agreements, email communications, or invoices. A company may also provide automated notification of recording before a call is routed to an agent or by using automatic beep tones during a call. A company may even instruct its customer service agents to inform customers of the possibility of monitoring or recording at the beginning of each call.

Whether any of these methods is sufficient to constitute “consent” under the statutes requiring all parties’ consent to recording depends on the state’s law. No statute is specific with regard to the manner in which a person may comply with its provisions. In addition, no statute is specific in regard to the manner in which consent may be implied or confidentiality defeated, although some states do have regulations on the subject. The issue is mainly explored and analyzed through court interpretations, support for which is derived from regulations promulgated by public utility commissions and tariffs of telephone communication carriers.

For example, the California Supreme Court has discussed the effect of verbal warnings, stating directly that “[a] business that adequately advises all parties to a telephone call, at the outset of the conversation, of its intent to record the call would not violate the [Statute]” (Kearney v. Salomon Smith Barney, Inc., 39 Cal. 4th 95, 118, 2006). The rationale is that “if, after being so advised, another party does not wish to participate in the conversation, he or she simply may decline to continue the communication” (Ibid., emphasis omitted). Thus, if the party then continues with the call, he or she no longer can have a reasonable expectation that the call was not being recorded, thereby implying consent to the recording.

In California, courts that have interpreted the statute have not had the occasion to analyze or decide whether tone warnings may defeat confidentiality under the statute. However, one court has mentioned such a circumstance in passing.

Courts have also opined that several existing legal protections for communications could support the conclusion that a person did or did not possess a reasonable expectation of privacy in a conversation.

One such existing protection is found in the regulations of the Public Utilities Commission of the State of California. General Order 107-B, for example, provides that notice of recording shall be given “by an automatic tone warning device” or “by verbal announcement by the operator of monitoring equipment to the parties to the communication that their communication is being monitored.” However, whether compliance with CPUC regulations establishes immunity from a suit under the California Penal Code has not been decided.

Even if notifications of monitoring or recording were provided, it would be wise to have a system that creates and maintains proof that such notification was given. Accurate records should also be kept of the dates the recordings started, backup procedures, storage of recordings, and software that can accurately quantify and capture call volumes, caller identifying information (including phone numbers), and other data.

Conclusion: There are additional factors that may come into play regarding the liability analysis for recording calls. For example, some states, like California, make it illegal to record a telephone conversation only when the conversation is “confidential” – meaning that one of the parties has a reasonable expectation that the call would not be overheard or recorded. Because of the complexity of the analysis for any given case, companies would be wise to engage experienced attorneys to analyze and offer recommendations on their monitoring and recording practices. Otherwise, they may find themselves defending a “bet the company” class-action lawsuit.

Perrie Weiner, Edward Totino, Joshua Briones, and Ana Tagvoryan are with the law firm DLA Piper.

[From the February/March 2013 issue of AnswerStat magazine]

Protecting Patient Information Within The Cloud

By Rich Sadowski

Companies across the healthcare industry have started collaborating with virtual contact centers in an attempt to operate more efficiently while still offering the highest quality customer care. Known as “homeshoring,” using home-based customer care professionals has already helped many healthcare organizations remain competitive in the current economic climate. These virtual companies have shown they can deliver better service than traditional brick and mortar centers with results such as higher customer satisfaction, faster issue resolution, and greater patient empathy. Yet, information privacy concerns and strict security regulations are still preventing some executives from exploring the use of home-based employees.

Preventing Unauthorized Access: Misuse of patient information is one of the most dreaded threats for any healthcare organization. For this reason, any virtual contact center that works with healthcare clients must be extra diligent when implementing security systems and processes to help prevent unauthorized access to sensitive data. The following are a few recommendations for network security within a virtual environment:

  • Firewalls: A firewall configuration, known as the firewall sandwich, is used by many virtual contact centers to protect both the Web application servers and the back-end systems. This configuration is particularly important when back-to-back firewalls exist at the boundaries of the service provider and enterprise network infrastructures.
  • Authentication: Multi-factor authentication processes are used to ensure that users are who they say they are. It is advisable for any log-on process to require the user to input something he or she knows, like a password, along with presenting something unique that the user has, such as a one-time token code from a security device. Additionally, contextual information can also be used to help confirm a user’s identity, such as whether the employee is scheduled to work during the period of the log-on attempt.
  • Authorization: Once users are authenticated, they should then be authorized to access only certain resources. Handling the authorization controls is the job of a triple-A (authentication, authorization, and accounting) server using policy-based management rules.
  • Virtual Private Networks: To reduce the risk of hackers attempting to “tap” into sessions or pretending to be a legitimate user, cloud-based contact centers should utilize a virtual private network (VPN). VPNs establish encrypted “tunnels” through the public network by encapsulating traffic in special packets. The use of strong encryption, such as that afforded by the 256-bit Advanced Encryption Standard (AES), makes it virtually impossible for hackers to snoop or hijack virtual private network traffic.

Preventing Information Misuse: The other security factor that must be considered when outsourcing to a virtual call center is the procedures that are in place to help prevent the misuse of information. After employees are approved, securing their home-office environment requires applying comparable layers of security as found in a physical call center but in different ways. Below are some best practices for making the work at-home arrangement as secure as possible:

  • Virtual Agents: Efforts to prevent the misuse of confidential information should begin with hiring the right people. Before an employee attempts to access an organization’s network, he or she should be thoroughly vetted prior to hire. At a minimum, this process should include background and criminal checks.
  • Computer Controls: It is strongly recommended that an at-home agent’s home computer be “locked” when in use for work. This can be accomplished using a special security application and typically prevents any information from being copied, logged, transmitted, or otherwise retained.
  • Software Updates: A best practice is to have a patch cycle that regularly installs system and security software patches and updates. This helps ensure the security software used is up-to-date with the latest version.
  • Host Integrity Checks: When working in a cloud-based environment, it is important to make sure all operating systems, applications, and security software are installed correctly and operating properly. This is done through an endpoint HIC (host integrity check) performed every time an employee logs on. The HIC also validates the registry settings, confirms that no unauthorized application is currently installed, and verifies that the agent is attempting access at a scheduled time and via an authorized network.
  • Telephone Keypad Entry: Another best practice is to protect personally identifiable data by having customers enter sensitive information directly via the telephone keypad. “At the tone, please enter your credit card number.” The identifying information is then associated with the caller’s entire session, but it is masked on every screen so as not to be visible to the agent.
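The Authentication and Host Integrity Checks items above describe one logon decision built from several checks: a knowledge factor, a one-time code from a token, the agent’s scheduled shift, the originating network, and the endpoint’s integrity report. The following is an added example, not code from Alpine Access or any vendor, that combines those checks into a single policy function; the one-time code uses RFC 4226 HOTP as a stand-in for whatever a given security device generates, and every secret, address, schedule and report value is constructed sample data.

```python
"""Logon decision for an at-home contact-center agent.

Added illustration, not vendor code: it combines the checks the article lists
(knowledge factor, one-time token code, scheduled-shift context, authorized
network, host integrity check) into one decision. All data is constructed.
"""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, field
from datetime import datetime, time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the kind of one-time code a hardware token displays."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class AgentProfile:
    salt: bytes
    password_hash: bytes
    token_secret: bytes
    token_counter: int         # last accepted counter; a code is never accepted twice
    shift: tuple               # (start, end) times the agent is scheduled to work
    authorized_networks: list  # CIDRs the agent may connect from (e.g. the VPN pool)

@dataclass
class HostIntegrityReport:
    """Result of the endpoint check run at every logon (constructed fields)."""
    patch_level_current: bool
    security_software_running: bool
    unauthorized_apps: list = field(default_factory=list)

def evaluate_logon(profile, password, otp_code, client_ip, when, hic):
    """Return (allowed, reasons); every failing check is listed for the audit log."""
    reasons = []
    # Something the agent knows, compared in constant time.
    if not hmac.compare_digest(hash_password(password, profile.salt), profile.password_hash):
        reasons.append("password mismatch")
    # Something the agent has: small look-ahead window for token drift, never a reused counter.
    matched = next((c for c in range(profile.token_counter + 1, profile.token_counter + 4)
                    if hmac.compare_digest(hotp(profile.token_secret, c), otp_code)), None)
    if matched is None:
        reasons.append("one-time code invalid or already used")
    # Contextual check: the agent must be scheduled to work right now.
    start, end = profile.shift
    if not start <= when.time() <= end:
        reasons.append("logon outside scheduled shift")
    # The connection must originate from an authorized network.
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in ipaddress.ip_network(n) for n in profile.authorized_networks):
        reasons.append(f"unauthorized network for {client_ip}")
    # Host integrity check results.
    if not hic.patch_level_current:
        reasons.append("security patches out of date")
    if not hic.security_software_running:
        reasons.append("security software not running")
    if hic.unauthorized_apps:
        reasons.append("unauthorized applications: " + ", ".join(hic.unauthorized_apps))
    if not reasons:
        profile.token_counter = matched   # consume the code only on a successful logon
    return not reasons, reasons

DEMO_SALT = b"constructed-salt"
DEMO_PASSWORD = "constructed-passphrase"

def make_demo_profile() -> AgentProfile:
    """Constructed agent on an 08:00-17:00 shift, allowed from the 10.20.0.0/16 VPN range."""
    return AgentProfile(DEMO_SALT, hash_password(DEMO_PASSWORD, DEMO_SALT),
                        b"constructed-token-seed", 41, (time(8, 0), time(17, 0)),
                        ["10.20.0.0/16"])

def at(hour: int, minute: int = 0) -> datetime:
    """Constructed clock reading on a fixed date."""
    return datetime(2012, 6, 5, hour, minute)

if __name__ == "__main__":
    profile = make_demo_profile()
    code = hotp(profile.token_secret, profile.token_counter + 1)
    print(evaluate_logon(profile, DEMO_PASSWORD, code, "10.20.30.40", at(9, 30),
                         HostIntegrityReport(True, True)))
```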

By following these security provisions, a cloud-based contact center can be made just as secure as a physical brick-and-mortar facility. To help select the right at-home contact center partners, it is strongly recommended to work with an organization that has been able to achieve third-party validated compliance with HIPAA, the HITECH Act, and Payment Card Industry Data Security Standard (PCI-DSS) Level 1 certification.

Rich Sadowski is vice president of Solutions Engineering for Alpine Access, Inc., a provider of employee-based virtual contact center solutions and services. Alpine Access was recently named the best contact center and CRM outsourcer for client satisfaction by Datamonitor’s Black Book of Outsourcing.

[From the June/July 2012 issue of AnswerStat magazine]

New Regulations on Pre-recorded Messages

Michele Shuster, of MacMurray, Petersen & Shuster LLP, reminds call centers that on September 1, 2009 the FTC’s prohibition against sending prerecorded solicitation messages without the express written consent of the call recipient became effective.

This new requirement, contained in the FTC’s amended Telemarketing Sales Rule (TSR), does not apply to healthcare messages, as well as purely informational messages or calls made by entities exempt from the TSR.

[Posted by Peter DeHaan for AnswerStat magazine, a medical healthcare publication from Peter DeHaan Publishing Inc.]

FCC Limits Robo Calls

Effective September 1, pre-recorded calls (robo calls) to consumers require written authorization if they are to be made legally. Even having an existing business relationship does not negate the need to obtain prior approval in writing. According to the FTC, calls of an “informational” nature are not affected, nor are political calls, non-profits, and “certain healthcare messages.”

The earlier December 2008 regulation, which required an opt-out option on all pre-recorded calls and was aimed at curbing abuse and public outrage, was deemed cumbersome and ineffective in curtailing their use.

Fines for non-compliance with the requirement of written authorization are up to $16,000 per call.

[Posted by Peter DeHaan for AnswerStat magazine, a medical healthcare publication from Peter DeHaan Publishing Inc.]