How Well Do You Understand HIPAA?

By Janet Livingston

Most people in the call center industry have a general idea of what HIPAA is, but they lack an understanding of how to apply it to their healthcare call center operation. Ignorance, however, is not a sound defense for HIPAA violations.

HIPAA, the Health Insurance Portability and Accountability Act, has critical ramifications for medical call centers. Passed by the US Congress in 1996, the law is now over a decade old. As far as call centers are concerned, HIPAA, among other things, requires call centers to keep personal health information private, both when stored and when moved. There are fines, as well as public embarrassment, for database breaches and for employee disclosures of private healthcare information.

Though this is not comprehensive legal advice, the following recommendations do address some basic, commonsense steps to move toward HIPAA compliance by covering key risk areas that are often overlooked. Follow these quick tips now to reduce penalties and pain later.

Fortify the Building: Safeguard your call center facility with building locks, surveillance cameras, door alarms, and a secured lobby. If employees use a separate entrance, don’t overlook it. Require them to be buzzed in or provide a keypad entry lock, with individual codes for each employee. Change lock codes periodically and retire individual codes as soon as an employee no longer works at your call center.

Implement Internal Security: Not only does the call center facility need security and secured access, but internal security is also a critical issue under HIPAA. Specifically, certain areas must be off limits to unauthorized personnel and to all nonemployees.

For example, the operations room should be off limits to visitors and even to some ancillary staff. Only scheduled agents and relevant management should be allowed into the operations room. In the event that a client or prospect wants a facility tour, allow them only to view the operation from a distance, perhaps through a window in a soundproof room overlooking the operations room. Similarly, the technology hubs, such as the computer room and telecommunications center, should be under lockdown at all times and accessible only to authorized technical personnel.

Establish Technology Safeguards: As mentioned, the primary space that should have limited access is the equipment area, which houses your call center’s computers, servers, and network technology, as well as the telecommunications switches and interfaces. But this restriction doesn’t just apply to people in your facility. There should be no externally accessible physical access points to your telephone or internet service. Furthermore, remote access to equipment and data should be thoroughly password protected and limited to authorized personnel and vendor use only.

Escort Visitors: Any clients, prospective clients, vendors, and nonemployees need an escort through the facility. Accompany visitors at all times. If they’re interested in viewing operations, they should do so by observing from inside a soundproof, glassed viewing area. They must be supervised throughout their tour. Make sure they do not photograph or record anything during their visit. A best-practice policy is for them to check all electronic equipment at the front desk or leave it in their car.

Invest in Paper Shredders: While many dream of a truly paperless office, the reality is that despite well-meaning intentions, paper containing sensitive information will be produced. This might be through negligence, oversight, or expediency. Regardless, these paper documents must be destroyed as soon as they are no longer needed. The obvious solution is to shred such documents in a micro-cut shredder.

Deploy Shred Bins: All sensitive or potentially sensitive documents require shredding. However, shredders are loud devices that don’t align well with the call center’s need to minimize noise. Though immediate shredding is ideal, this is sometimes impractical, in which case locked shred bins should be conveniently placed around the call center. Authorized personnel routinely shred the contents of the locked shred bins according to documented security protocols.

Enforce a Password Policy: Passwords are unpopular but necessary, yet password misuse and abuse are the weakest link in most call centers. Good passwords help keep personal health information private. A thorough password policy must be developed, taught, followed, and enforced. Putting a great plan into a document means nothing if staff aren’t instructed in what it says, and staff instruction means nothing if enforcement is lax or altogether lacking. When given an option, most people will take whatever password shortcuts they can, not recognizing the pitfalls and risks they subject their companies to.

At a minimum, the password policy should mandate regular software-enforced password changes, no reuse of previous passwords, and never sharing passwords with anyone, regardless of the circumstances. Password policy violations remain a vulnerable area at many call centers. Education and enforcement are essential, with the consistent actions and attitudes of management establishing the perspective of all other employees.

A lack of compliance with HIPAA regulations can result in monetary damages in the form of fines for security breaches and reputation damages in the form of negative publicity over security violations. While HIPAA only covers the healthcare industry, these security tips are emerging as call center best practices across all industries. Therefore every call center should move toward implementation.

Janet Livingston is the president of Call Center Sales Pro, a premier sales and marketing service provider and consultancy that provides custom training solutions for all levels of call center staff, both in the healthcare industry and across all verticals. Contact Janet at contactus@callcenter-salespro.com or 800-901-7706 to learn more about arranging specific training for your organization.

Gear Up for HIPAA Phase II in Your Contact Center

By Geoff Mina

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is releasing several key updates to the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

As of right now no official announcements have been made public regarding when the second round of audits, referred to as HIPAA Phase II, will take effect. However, according to a recent article from the National Law Review, the OCR has already issued between 550 and 800 pre-audit screening surveys to covered entities in the America’s Health Insurance Plans and National Provider Identifier databases, as well as to healthcare clearinghouses and health plans. Once the surveys are returned, the list will be narrowed down considerably, to about 350 covered entities, which will then receive data requests.

What do “data requests” entail? This is where things get interesting.

One of the most important changes will affect the types of organizations targeted by HIPAA audits. HIPAA Phase I only affected healthcare providers. Under Phase II, however, business associates of healthcare providers will also be subject to random audits. This includes any third-party provider that handles patients’ personal health information through processes like billing and data management.

Of these 350 selected organizations, about 150 will be subjected to direct audits.

At first, the OCR will be on the lookout for areas of “heightened risk,” that is, areas found to be non-compliant after HIPAA Phase I was completed. These areas include processes such as notifying patients and customers about privacy practices, performing timely breach notifications and incident response, and setting up strong data access controls for employees. Other areas include risk analysis and management, workforce member training, transmission security, and device and media controls.

Eventually standards like encryption and decryption, breach reports, complaints, and facility access control will be taken into account as well. So it’s important that businesses start preparing ahead of time for these changes.

If your business is selected for an audit you will have two weeks to respond to the request and submit the required information. Audits will take place over a three-year period.

So what should organizations do to make sure they’re ready? Below are five best practices to help meet current HIPAA requirements and gear up for HIPAA Phase II.

Focus on Protected Health Information: Protected Health Information (PHI) is any individually identifiable health data that is held or maintained by a covered entity or its business associates and that is transmitted or maintained in any form. This includes demographics, mental conditions (both past and present), genetic information, and payments for healthcare to an individual that are received by a healthcare provider, plan, or employer.

Contact centers must know how to identify PHI and train agents to know what to do with this information as soon as they come across it. Guidelines should be set in place for situations agents will face, as well as for cases that may be out of the norm. For example, agents likely know to ask customers for their name only. However, what do they do when the customer offers up more information than the agent wants, such as how they feel, medications they’re on, and so forth? This happens more often than one might think, so it’s important that companies equip their agents with guidelines so they’re prepared for what to do if this situation arises.

Encrypt All Protected Health Information: While not currently required by HIPAA, encrypting all patient health information is a best practice that all companies should already be following – and if not, they should start immediately. It’s important to note that encryption should be applied to all data – both data in transit and data at rest (static data). After all, encrypting one of the two forms of data doesn’t mean both forms will be secure.

Use VPN for Offsite Agent Access: Many companies have agents who work on-site as well as remotely. For any employee using remote access, companies should set in place a secure VPN that must be used for access. Doing so keeps information on the company’s server without worry that it’ll be accessed on another network. It’s also important for companies to ensure that remote access is always via the secure VPN, which helps ensure PHI doesn’t land in the wrong hands.

Avoid Recording Sensitive Information: To avoid storing information in a database, companies should set policies in place that require agents to turn off the call recording feature when collecting customer information over the phone. For many recording systems, calls are immediately saved to a server where they can be accessed by others in the company. Depending on what was said in the call, this potentially infringes on a customer’s privacy and violates HIPAA. Ensuring calls aren’t recorded from the start helps agents avoid collecting PHI the caller offers up freely, rather than scrambling to turn off the recording when PHI is brought up or remembering to delete the recording from the system afterward.

Enforce a Strong Password Policy: Finally, policies should be set for contact center employees to change their password every three to six months. This makes it harder for stolen passwords to be used to break into systems. For added security the policy should also include a secure recovery process for agents. For example, some contact centers require agents to check in with their supervisor whenever they need to recover their password.

Conclusion: In preparation for a possible audit, it’s important to assess your contact center’s compliance as it relates to HIPAA Phase II, and implement these best practices. If you are a healthcare provider, create a list of all of your business associates’ contact information so that you are ready to provide the information to auditors.

And never operate under the assumption that your business is not liable to be audited by the OCR. Corporations and their contact centers should be prepared to handle all requests administered by the OCR in a timely fashion. By preparing ahead of time and assessing your current risk levels and areas that need improvement, you will reduce the likelihood of running into trouble.

Geoff Mina is the chief technology officer and founder of Connect First.

The Benefits of Joining the Nurse Licensure Compact

By Roy Pologe

Seven years ago at Night Nurse, one of our staff RNs encountered an after-hours triage call from a Vermont patient of a Massachusetts medical practice. Our nurse triaged the call, but noted concern for having done so. The nurse was credentialed in Massachusetts, and the call was from Vermont. Were her nurse credentials (RN) in jeopardy for having provided medical care advice across state lines? Although Medicaid, HMO, and medical insurer guidelines do not inhibit or prohibit patient care by physicians across state lines, we didn’t dismiss our nurse’s concern.

Our Massachusetts triage nurse’s encounter with the patient residing in Vermont prompted a conversation with the Vermont Board of Nursing (BoN). “Your nurse was in violation of both Vermont and Massachusetts nursing regulations,” said a representative of the Vermont BoN.

“Why is that?” asked Tami Regan, Night Nurse’s director of nursing services. “We’re allowed to triage Massachusetts residents who travel out of state. What makes this situation so different? How should we have assisted the patient?” The Vermont BoN advised us to redirect Vermont patients to their own physicians for assistance.

Certainly this patient encounter provoked questions for further discussion. Practically considered, by following Vermont BoN guidelines, the Vermont patient would have had care advice significantly delayed; alternatively the patient might have dialed 911 or gone to the emergency room. Possibly all those scenarios would have resulted in reasonably positive outcomes (aside from additional costs accrued to the practice, HMO, or government, as well as needless risk for the patient). But what if the circumstances surrounding the call were potentially life-threatening, such as symptoms akin to meningitis? Then the scenario endorsed by the Vermont BoN and deemed acceptable by the Massachusetts BoN could have resulted in serious complications or even death for the patient.

Our triaging that Vermont patient was an oddity, but it was also an eye-opener. The absurdities of Massachusetts and Vermont nursing regulations may be more self-serving than lifesaving. Regulatory authority that deters achieving good patient outcomes must be thoughtfully examined and revised. Current Massachusetts nursing regulations are antithetical to good medical practice, as stated in the Massachusetts BoN Regulations, Section 244 CMR 9.00 subsection 4/9.03, which reads in effect that triage of an out-of-state resident by a Massachusetts RN is a violation of the statute. Though this regulation has never been tested and is open to interpretation, the safe course of action is to abide by it.

Soon after our Vermont patient encounter, we discovered unheralded legislation languishing in the Massachusetts legislature, proposing that the Commonwealth of Massachusetts join an existing “Compact” – that is, the Nurse Licensure Compact (NLC), which is similar to other reciprocal licensure agreements and allows nurses properly licensed in one state of residency to have their credentials honored in all NLC states, now numbering twenty-four.

Maine, New Hampshire, and Rhode Island have already aligned with the NLC. However, Connecticut, Massachusetts, and Vermont are not NLC states. Night Nurse services all six of these New England states, as well as seventeen other states.

Reciprocal accreditation of our staff nurses across state lines would expedite delivery of cost-efficient medical services, with benefits for all concerned. The cumulative effect of more states enlisting in the NLC would facilitate the consistent delivery of timely triage across state borders.

Disease and catastrophe do not respect state lines. In an endemic situation, nursing forces are stretched thin. During pandemic events, nurses themselves are subject to illness. Also, nurses are among first responders during emergent events. Restrictive state nursing regulations limit the flexibility for appropriate assignment of available nurses in response to weather-related disasters, as occurred in 2012 when Hurricane Sandy struck the eastern seaboard. During such emergencies, it would be highly beneficial and much more efficient to assign emergent calls to the next available nurse rather than the next available nurse with licensure matching the patient’s state of residence.

Tami Regan recently testified before the Massachusetts legislature in Boston, citing specific occurrences during a past H1N1 influenza pandemic. Our Massachusetts licensed nurses were barraged with patient and caregiver calls, while our non-Massachusetts licensed nurses were not. Although these other nurses were free to assist with call management, they were restricted from supporting our Massachusetts nurses licensed by the Massachusetts BoN. Night Nurse persevered and managed to maintain patient services throughout that H1N1 pandemic, but Massachusetts patients were subject to unnecessary risk, while competent NLC nurses were prepared and available to provide much-needed assistance.

Conversely, when NLC nurses were struggling to keep up with extraordinarily heavy call volume (H1N1 peaked in other states before arriving in Massachusetts), the Massachusetts BoN refused our request for a limited two-week waiver to allow Massachusetts staff nurses to support beleaguered nurses serving other states.

Tami Regan’s parting comment upon conclusion of her testimony in Boston in support of Massachusetts’ passage of NLC legislation was, “Boston Strong becomes Boston Stronger by Massachusetts joining the Compact.” It’s time for legislatures in Massachusetts and other non-NLC affiliate states to provide their residents with the many benefits and lessened vulnerability to disease or disaster that results from joining the NLC.

Roy Pologe is the CEO of Night Nurse Inc. Night Nurse’s staff nurses average eighteen years of clinical experience, and their primary concern is delivering competent, understandable care advice to patients of over 1,500 physicians, clinics, hospitals, and educational institutions. Since 1999 Night Nurse has triaged more than two million patient encounters without incident.


[From the April/May 2014 issue of AnswerStat magazine]

What You Need to Know About Call Recording to Meet Regulatory Compliance

By Bill Johnson

Compliance with the Health Insurance Portability and Accountability Act (HIPAA) is the reality of doing business in healthcare today. “Covered entities,” which can include healthcare providers, health plans, and healthcare clearinghouses, must meet HIPAA compliance requirements and protect the privacy and security of individually identifiable health information, but that’s not all. Healthcare organizations must also meet regulations set forth by a variety of governing agencies, including the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). Healthcare organizations need to consider compliance for regulations well beyond HIPAA and OCR.

Healthcare organizations with contact centers must also comply with general contact center regulations. Those that accept payment cards via their contact centers must comply with related regulations. Contact centers operating within the healthcare domain can expect to see an ever-increasing level of tenacity from government agencies tasked with investigating and enforcing regulatory compliance, with hefty fines and penalties accompanying violations.

For example, Health Data Management reported that Cignet Health was fined $4.3 million in February 2011 for not complying with HIPAA’s privacy regulations. Even though Cignet had fewer than 60 records breached, the fact that it did not cooperate with the Office for Civil Rights resulted in this significant fine.

Furthermore, according to SC Magazine, Blue Cross was fined $1.5 million by the OCR for a 2009 security breach that affected more than a million members. In the fall of 2009, 576 unencrypted computer hard drives were stolen from a data storage closet in Chattanooga, Tennessee, during a move to a new facility. The data included audio recordings of customer support calls and screenshots of what the call center staff saw when handling the calls.

Security violations are also a common area of non-compliance that has plagued many healthcare organizations, often resulting in substantial financial penalties. For example, Healthcare IT News reported that Health Net agreed to pay a fine of $250,000 and implement corrective actions for failing to secure private patient medical records and financial information on nearly a half million Connecticut enrollees in 2010. The fine also covered the failure to promptly notify consumers endangered by the breach.

It becomes even more complex when healthcare contact centers, such as online pharmacies and health plans, accept credit cards. Contact centers that accept payment cards, whether they are in healthcare or any other industry, must comply with regulations set forth by the Payment Card Industry Data Security Standard (PCI-DSS), which was developed and is regulated by American Express, Visa, MasterCard, Discover, and JCB International. These financial institutions have enacted their own fines for violators. For example, MasterCard and Visa fine merchants up to $25,000 for the first violation. More information on this is available from the PCI Security Standards Council and PCI Standard.

While call recording has become a great tool for supporting quality assurance and dispute resolution, it has its own inherent share of regulatory compliance issues of which to be mindful. Conversations and screen captures associated with recordings must also adhere to HIPAA standards and other regulations. To comply, contact centers must ensure that all their data is securely stored, and they must strictly control access to and usage of the recorded conversations and supplementary data.

To keep both written and recorded data compliant, there are seven key areas to consider in choosing a call recording solution for your compliant contact center:

1) Flexibility to develop customized policies and procedures for your unique needs: Look for solutions that offer variable data lifecycle management functionality, allowing organizations to tailor how call recordings are stored, staged, and purged based on a variety of criteria, such as account code, extension, and caller ID. In addition, for the most secure system, make sure access to private information can be restricted by using a combination of assigned permissions, call data, account code, and other criteria.

2) Secure storage for call and screen recordings: Have call recordings stored, organized, and preserved in a secure central repository, whether it is on-site, remote, in the cloud, or a hybrid model. Then, take advantage of variable data lifecycle management, which allows customizable storing, staging, and purging of recordings based on a variety of unique business requirements.

Next, employ an archival database for targeted recording data relocation while still providing instant search and access functionality to authorized users. Also, use encryption options on the computers, smartphones, and all other devices that contain private patient information to help prevent information from being accessed by hackers or due to an accidental breach of the computer’s basic security system.

3) Ease of access for authorized users: Provide the ability for authorized users to easily access, search, and save call recordings using a familiar file management system, similar to email organization in Microsoft Outlook.

Implement automatic storage and purging based on unique individual criteria to ensure uniform practices, rather than requiring tedious and inefficient manual review. Also, use media management functionality, such as call slicing, merging, redacting, and call segment exporting, that allows users to further restrict and control information contained within individual call recordings on an as-needed basis to ensure instance-by-instance regulatory compliance. Finally, create custom archiving rules based on call data.

4) Authorized access and secure sharing of call recordings: Access to administrative functions and to individual voice documents should be permissions-based, with recordings inaccessible to outsiders, unless granted permission by an authorized user. These permissions should be limited to prevent further sharing and set to expire after a specified time. For the highest level of security, recordings should be shared as secure media files via link distribution using encrypted streaming, rather than simply emailed as attachments.

Consider call recording solutions that utilize digital watermarking, which provides the ability to verify and prove that files have not been altered. This is essential in legal situations.

5) Ongoing regulatory compliance training for contact center staff: Contact center management and staff should receive ongoing regulatory compliance training. Staying up-to-date on current practices and regulations requires continuous dedication to training and personnel development. Be sure to choose a call recording solution that enables easy review of agent interactions to verify compliance with communications processes and various adherence mechanisms. This is especially vital in environments dealing with sensitive data that requires strict identification verification, such as medical call centers.

6) A solid disaster recovery plan: Should a catastrophic event affect the contact center, a properly conceived disaster recovery plan can help ensure that all data pertaining to your organization and patients will remain secure and can be restored and retrieved. Consider a call recording solution that can be deployed with advanced fault tolerance and data protection capabilities, as well as an archival database designed to easily and efficiently archive call records for reliable, secure, and instant access. Then, regularly conduct security and compliance assessments to ensure that your contact center is not at risk for regulatory compliance infractions.

7) Management for an audit-ready, demonstrably compliant state at all times: Have procedures in place so that your contact center managers can quickly access and accurately produce required data in the event of an investigation. Demonstrating effective compliance management policies and procedures in an investigation can result in the issue being resolved faster. If investigators can see that you are compliant, it may help to avoid additional fines during the investigation process.

Additional search and mobility features make compliance easier to prove. For example, speech search provides the ability to quickly search for specified key words and phrases within the call recordings. Mobile access via a secure Web-based application also makes it fast, easy, and secure for authorized users to access documents when they are away from their desks.

Conclusion: In addition to meeting important regulatory compliance requirements, call recordings can help organizations monitor the quality of agent calls, support agent training, enable agent self-evaluations, and help resolve disputes by providing a verifiable account of an interaction.

While stiff fines and bad publicity are strong motivators to stay compliant, the best motivation for maintaining regulatory compliance is the peace of mind that comes from knowing that you are protecting your organization, patients, partners, and vendors.

Bill Johnson is the director of client services & channel programs at Oaisys Inc. Contact him at bill_johnson@oaisys.com.

[From the August/September 2013 issue of AnswerStat magazine]

A Multimillion-Dollar Trap: Recording Customer Service Calls

By Perrie Weiner, Edward Totino, Joshua Briones, and Ana Tagvoryan

A company’s success hinges on the quality and efficiency of its customer service. For organizations, such as hospitals and healthcare call centers, that provide service to customers by telephone, ensuring quality customer service often depends upon the ability to evaluate calls, either live through call monitoring or after the fact by listening to recordings. However, while call monitoring and recording aids in agent training, quality assurance, and quality control, these methods can expose an organization to legal liability, costing hundreds of millions of dollars if call monitoring is not implemented in accordance with local law.

In the United States, federal and state regulations govern the monitoring and recording of telephone conversations. Many of these laws are found in the penal statutes that forbid eavesdropping, wiretapping, and monitoring communications. While these laws may originally have been aimed at nefarious activities, like secretly tapping another person’s telephone line, amendments have expanded these laws to cover innocent activity, such as a company monitoring its telephone calls for quality assurance.

Although the federal law makes one party’s consent to the recording of a telephone conversation a defense to a claim of unlawful recording or monitoring, many state laws require all parties to the conversation to have consented to the recording or monitoring, or at least be notified that the call may be monitored or recorded.

To avoid liability for monitoring or recording, a business handling customer calls to and from different states in the United States should implement procedures to ensure compliance with every state’s monitoring and recording regulations. Only such universal procedures will provide a bulletproof defense to any claim of unlawful monitoring or recording.

Potential Risks for Monitoring or Recording Without Consent: Many state laws provide for criminal sanctions against companies that monitor or record telephone calls without notice, as well as give a private right of action in civil courts against such companies to the person whose “privacy” rights are violated. Moreover, many of the states that allow for civil actions expressly provide for the recovery of fixed statutory damages on a per call basis, even in the absence of any actual damages. Minimum statutory damages vary depending on the state, but several states require $1,000 for each recording. In California, the minimum is $5,000 for each recording. Many of these statutes also allow for the recovery of punitive damages and attorneys’ fees.

The creation of a private right of action, as well as the fixed damages provisions of these statutes, create an incentive for actions to be brought for violation of the statutes on behalf of a class of plaintiffs (i.e., class actions).

Such class actions are often brought on behalf of a class of consumers who engaged in telephone conversations with companies that are alleged to have deficient procedures for providing notification of monitoring or recording or that experienced a technical breakdown in their automated systems for recording or monitoring.

In such cases, actual damages are minimal or simply do not exist, but each consumer, nevertheless, may be entitled to the minimum statutory damages for each illegal recording. For companies that have hundreds or thousands of calls per month, the potential liability can easily reach enormous proportions in the multibillion-dollar range. Indeed, under California law, recording or monitoring only 200,000 calls without the required notice or consent can result in aggregate statutory damages of $1 billion. This is true even if no one suffered any actual damages.

Interstate Recording and Monitoring: Twelve states have statutes that in some form or another require all parties to a telephone call to be notified or give consent to recording or monitoring. When one of the parties to a telephone conversation is in a state that requires all parties to consent to recording, complex choice-of-law issues arise.

A comprehensive analysis of both states’ laws will determine whether the party doing the recording can take cover under available safe harbor provisions. For example, some states have an exception that allows recording that takes place in another state, or a choice-of-law provision or interpretation that only applies the law to recordings done in the state. Other states have an exception that allows recording without notice for business or customer service purposes.

Businesses that take customer-facing calls from many different states must be wary of the recording laws in the states in which they do the recording and the states from which they receive or to which they make calls.

In 2006, the California Supreme Court decided to apply California Penal Code section 632 – which requires that both parties be notified of, or consent to, monitoring or recording – to calls in which any of the parties are located in California, even if the recording or monitoring took place in a state that allowed recording or monitoring without notice or consent (see Kearney v. Salomon Smith Barney, Inc., 39 Cal. 4th 95, 2006). The safest approach is to always provide notification of monitoring or recording on every call. Even then, there may be issues of whether the type of notification given was sufficient to obtain consent to recording.

Notification and Consent: What’s the Right Way? There are many different ways that a company may attempt to provide notice of, or obtain a consumer’s consent to, monitoring or recording. For example, a company can give written notification of telephone monitoring or recording in their customer account agreements, email communications, or invoices. A company may also provide automated notification of recording before a call is routed to an agent or by using automatic beep tones during a call. A company may even instruct its customer service agents to inform customers of the possibility of monitoring or recording at the beginning of each call.

Whether any of these methods is sufficient to constitute “consent” under the statutes requiring all parties’ consent to recording depends on the state’s law. No statute is specific with regard to the manner in which a person may comply with its provisions. In addition, no statute is specific in regard to the manner in which consent may be implied or confidentiality defeated, although some states do have regulations on the subject. The issue is mainly explored and analyzed through court interpretations, support for which is derived from regulations promulgated by public utility commissions and tariffs of telephone communication carriers.

For example, the California Supreme Court has discussed the effect of verbal warnings, stating directly that “[a] business that adequately advises all parties to a telephone call, at the outset of the conversation, of its intent to record the call would not violate the [Statute]” (Kearney v. Salomon Smith Barney, Inc., 39 Cal. 4th 95, 118, 2006). The rationale is that “if, after being so advised, another party does not wish to participate in the conversation, he or she simply may decline to continue the communication” (Ibid., emphasis omitted). Thus, if the party then continues with the call, he or she no longer can have a reasonable expectation that the call was not being recorded, thereby implying consent to the recording.

In California, courts that have interpreted the statute have not had the occasion to analyze or decide whether tone warnings may defeat confidentiality under the statute. However, one court has mentioned such a circumstance in passing.

Courts have also opined that several existing legal protections for communications could support the conclusion that a person did or did not possess a reasonable expectation of privacy in a conversation.

One such existing protection is found in the regulations of the Public Utilities Commission of the State of California. General Order 107-B, for example, provides that notice of recording shall be given “by an automatic tone warning device” or “by verbal announcement by the operator of monitoring equipment to the parties to the communication that their communication is being monitored.” However, whether compliance with the CPUC regulation establishes immunity from a suit under the California Penal Code has not been decided.

Even if notifications of monitoring or recording were provided, it would be wise to have a system that creates and maintains proof that such notification was given. Accurate records should also be kept of the dates the recordings started, backup procedures, storage of recordings, and software that can accurately quantify and capture call volumes, caller identifying information (including phone numbers), and other data.

Conclusion: There are additional factors that may come into play regarding the liability analysis for recording calls. For example, some states, like California, make it illegal to record a telephone conversation only when the conversation is “confidential” – meaning that one of the parties has a reasonable expectation that the call would not be overheard or recorded. Because of the complexity of the analysis for any given case, companies would be wise to engage experienced attorneys to analyze and offer recommendations on their monitoring and recording practices. Otherwise, they may find themselves defending a “bet the company” class-action lawsuit.

Perrie Weiner, Edward Totino, Joshua Briones, and Ana Tagvoryan are with the law firm DLA Piper.

[From the February/March 2013 issue of AnswerStat magazine]

Protecting Patient Information Within The Cloud

By Rich Sadowski

Companies across the healthcare industry have started collaborating with virtual contact centers in an attempt to operate more efficiently while still offering the highest quality customer care. Known as “homeshoring,” using home-based customer care professionals has already helped many healthcare organizations remain competitive in the current economic climate. These virtual companies have shown they can deliver better service than traditional brick and mortar centers with results such as higher customer satisfaction, faster issue resolution, and greater patient empathy. Yet, information privacy concerns and strict security regulations are still preventing some executives from exploring the use of home-based employees.

Preventing Unauthorized Access: Misuse of patient information is one of the most dreaded threats for any healthcare organization. For this reason, any virtual contact center that works with healthcare clients must be extra diligent when implementing security systems and processes to help prevent unauthorized access to sensitive data. The following are a few recommendations for network security within a virtual environment:

  • Firewalls: A firewall configuration, known as the firewall sandwich, is used by many virtual contact centers to protect both the Web application servers and the back-end systems. This configuration is particularly important when back-to-back firewalls exist at the boundaries of the service provider and enterprise network infrastructures.
  • Authentication: Multi-factor authentication processes are used to ensure that users are who they say they are. It is advisable for any log-on process to require the user to input something he or she knows, like a password, along with inserting something unique that the user has, such as a onetime token code from a security device. Additionally, contextual information can also be used to help confirm a user’s identity, such as if the employee is scheduled to work during the period of the log-on attempt.
  • Authorization: Once users are authenticated, they should then be authorized to access only certain resources. Handling the authorization controls is the job of a triple-A (authentication, authorization, and accounting) server using policy-based management rules.
  • Virtual Private Networks: To reduce the risk of hackers attempting to “tap” into sessions or pretending to be a legitimate user, cloud-based contact centers should utilize a virtual private network (VPN). VPNs establish encrypted “tunnels” through the public network by encapsulating traffic in special packets. The use of strong encryption, such as that afforded by the 256-bit Advanced Encryption Standard (AES), makes it virtually impossible for hackers to snoop or hijack virtual private network traffic.

Preventing Information Misuse: The other security factor that must be considered when outsourcing to a virtual call center is the procedures that are in place to help prevent the misuse of information. After employees are approved, securing their home-office environment requires applying layers of security comparable to those found in a physical call center, but in different ways. Below are some best practices for making the work-at-home arrangement as secure as possible:

  • Virtual Agents: Efforts to prevent the misuse of confidential information should begin with hiring the right people. Before an employee attempts to access an organization’s network, he or she should be thoroughly vetted prior to hire. At a minimum, this process should include background and criminal checks.
  • Computer Controls: It is strongly recommended that an at-home agent’s home computer be “locked” when in use for work. This can be accomplished using a special security application and typically prevents any information from being copied, logged, transmitted, or otherwise retained.
  • Software Updates: A best practice is to have a patch cycle that regularly installs system and security software patches and updates. This helps ensure the security software used is up-to-date with the latest version.
  • Host Integrity Checks: When working in a cloud-based environment, it is important to make sure all operating systems, applications, and security software are installed correctly and operating properly. This is done through an endpoint HIC (host integrity check) performed every time an employee logs on. The HIC also validates the registry settings, confirms that no unauthorized application is currently installed, and verifies that the agent is attempting access at a scheduled time and via an authorized network.
  • Telephone Keypad Entry: Another best practice is to protect personally identifiable data by having customers enter sensitive information directly via the telephone keypad. “At the tone, please enter your credit card number.” The identifying information is then associated with the caller’s entire session, but it is masked on every screen so as not to be visible to the agent.
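The two lists above describe the log-on controls (something known, something possessed, plus context such as the agent's schedule and network), the policy-based authorization a AAA server applies afterwards, and the masking of keypad-entered data on the agent's screen. The following is an added illustration written for this page of how those checks fit together; it is not Alpine Access code and not any product's API. The agent profile (SAMPLE_AGENT), the role policy (POLICY), the function names, and the sample log-on attempts are all constructed for the example, and the choice to leave the last four keyed-in digits visible is an assumption (the article masks the value outright).

```python
"""Contextual log-on decision, role authorization and screen masking for a
home-based agent desktop.

Added illustration for this page, not Alpine Access code or any vendor API.
Assumptions: a shift window is (weekday, start_hour, end_hour) in the agent's
local time with Monday = 0; an authorized network is a CIDR string; the policy
maps a role to the set of resources it may open.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AgentProfile:
    username: str
    role: str
    schedule: tuple           # ((weekday, start_hour, end_hour), ...)
    allowed_networks: tuple   # CIDR strings of authorized home / VPN networks


# Policy-based rules of the kind a AAA server applies after authentication:
# role -> resources that role may open. Constructed sample policy.
POLICY = {
    "agent": frozenset({"patient_lookup", "appointment_scheduling"}),
    "supervisor": frozenset({"patient_lookup", "appointment_scheduling", "call_recordings"}),
}

# Constructed sample agent: weekday shifts 08:00-16:00 and two authorized
# networks (203.0.113.0/24 is a documentation range standing in for a home ISP block).
SAMPLE_AGENT = AgentProfile(
    username="jdoe",
    role="agent",
    schedule=((0, 8, 16), (1, 8, 16), (2, 8, 16), (3, 8, 16), (4, 8, 16)),
    allowed_networks=("203.0.113.0/24", "10.8.0.0/16"),
)


def is_scheduled(profile, when):
    """Contextual factor: is the agent rostered to work at this moment?"""
    return any(day == when.weekday() and start <= when.hour < end
               for day, start, end in profile.schedule)


def is_authorized_network(profile, source_ip):
    """Contextual factor: did the attempt originate from an authorized network?"""
    try:
        addr = ip_address(source_ip)
    except ValueError:        # a malformed address is treated as unauthorized
        return False
    return any(addr in ip_network(cidr, strict=False) for cidr in profile.allowed_networks)


def evaluate_logon(profile, when, source_ip, password_ok, token_ok):
    """Combine something known, something possessed and context.

    `when` is a datetime or an ISO 8601 string. Returns (allowed, failed_checks);
    every check must pass, and all failures are reported so the accounting
    record shows the full picture rather than only the first problem.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    failed = []
    if not password_ok:
        failed.append("password")
    if not token_ok:
        failed.append("otp_token")
    if not is_scheduled(profile, when):
        failed.append("outside_schedule")
    if not is_authorized_network(profile, source_ip):
        failed.append("unauthorized_network")
    return (not failed, failed)


def can_access(profile, resource):
    """Authorization step: only resources granted to the agent's role."""
    return resource in POLICY.get(profile.role, frozenset())


def mask_keypad_entry(digits, visible_suffix=4):
    """Mask a value the caller keyed in on the telephone keypad before it is
    rendered on the agent's screen. Leaving the last four digits visible is an
    assumption made for this example; entries no longer than that are hidden entirely.
    """
    cleaned = "".join(ch for ch in digits if ch.isdigit())
    if len(cleaned) <= visible_suffix:
        return "*" * len(cleaned)
    return "*" * (len(cleaned) - visible_suffix) + cleaned[-visible_suffix:]


if __name__ == "__main__":
    # Constructed attempts: a Monday-morning log-on from a listed network, and
    # one from an unlisted network with a failed token.
    print(evaluate_logon(SAMPLE_AGENT, "2012-06-04T09:30:00", "203.0.113.25", True, True))
    print(evaluate_logon(SAMPLE_AGENT, "2012-06-04T09:30:00", "198.51.100.7", True, False))
    print(mask_keypad_entry("4111 1111 1111 1111"))
```

The decision function deliberately evaluates every factor rather than stopping at the first failure, so the accounting side of the AAA triad records which checks failed; an attempt with a correct password but outside the roster or from an unknown network is still refused. Masking is applied to the cleaned digit string at the presentation layer, so the full value is never rendered for the agent even though it stays associated with the session.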

By following these security provisions, a cloud-based contact center can be made just as secure as a physical brick-and-mortar facility. To help select the right at-home contact center partners, it is strongly recommended to work with an organization that has achieved third-party validated compliance with HIPAA and the HITECH Act, as well as Payment Card Industry Data Security Standard (PCI DSS) Level 1 certification.

Rich Sadowski is vice president of Solutions Engineering for Alpine Access, Inc., a provider of employee-based virtual contact center solutions and services. Alpine Access was recently named the best contact center and CRM outsourcer for client satisfaction by Datamonitor’s Black Book of Outsourcing.

[From the June/July 2012 issue of AnswerStat magazine]

New Regulations on Pre-recorded Messages

Michele Shuster, of MacMurray, Petersen & Shuster LLP, reminds call centers that on September 1, 2009 the FTC’s prohibition against sending prerecorded solicitation messages without the express written consent of the call recipient became effective.

This new requirement, contained in the FTC’s amended Telemarketing Sales Rule (TSR), does not apply to healthcare messages, as well as purely informational messages or calls made by entities exempt from the TSR.

[Posted by Peter DeHaan for AnswerStat magazine, a medical healthcare publication from Peter DeHaan Publishing Inc.]

FCC Limits Robo Calls

Effective September 1, pre-recorded calls (robo calls) to consumers require written authorization if they are to be made legally. Even having an existing business relationship does not negate the need to obtain prior approval in writing. According to the FTC, calls of an “informational” nature are not affected, nor are political calls, calls from non-profits, and “certain healthcare messages.”

The earlier December 2008 regulation, which required an opt-out option on all pre-recorded calls and was aimed at curbing abuse and public outrage, was deemed cumbersome and ineffective in curtailing their use.

Fines for non-compliance with the requirement of written authorization are up to $16,000 per call.

[Posted by Peter DeHaan for AnswerStat magazine, a medical healthcare publication from Peter DeHaan Publishing Inc.]

Email Protocol for the Call Center

By Dr. Julie Miller

TeamHealth Medical Call Center

Information is the blessing and the curse of the digital revolution. Between email, instant messaging, text messaging, cell phones, Blackberries, and the Internet, we are drowning in data overload. Moreover, the constant interruptions cost the U.S. economy an estimated $558 billion annually. This staggering number does not add in the cost of poorly written emails that land companies and employees in hot legal trouble, destroy long-term client relationships, and ruin reputations – just review Mike Brown’s emails (former FEMA chief) as Hurricane Katrina raged and you will understand. Add to this mix a lack of civility and common sense and you have an explosive brew.

How can the problem be addressed? For starters, stop treating email writing as casual conversation. Whether words are written in the sky, sent by carrier pigeon, or via email, words must connect with the reader. Good writing allows this to happen; poor writing does not. Currently, writing online is still, as author Patricia O’Conner writes, “…in its Wild West stage…with everybody shooting from the hip and no sheriff in sight.”

Therefore, establish some law and order by developing an email protocol, whether you are a multi-national operation or a single station call center. Simply stated, it’s “the way we do business around here” in terms of communicating via email with co-workers and customers. It is a code of behavior, a set of standards as to how you will frame your words, manage your inbox, and even extend your brand.

Below is a short list of questions to address at your next staff meeting. Your answers could be the beginning of a company-wide document.

  • How do you greet and close messages? Companies are putting together a series of key phrases used solely for openings and closings. Remember, you would never call on the telephone without greeting someone. Why would you not greet people in your emails?
  • What does your email signature say about your company? It should be an extension of your company’s brand. It should be professional, with no cutesy sayings, but it should also contain all contact information. Establish a standard for font style and size. Also, because you have limited real estate, consider laying out your signature block horizontally rather than vertically.
  • What is the company policy about blind copies? Some companies only use them for email blasts; others say they are strictly verboten. Discuss why, when, and how you use them.
  • Do you have a message for the “out of office” auto-responder, and when do you turn it on? After four hours? For one day or longer? One company requires that if an employee is immersed in an important project, it must be turned on if he or she is gone from the office for more than one hour.
  • How often do you check emails? Some companies set their programs so emails are only called up hourly, thus reducing down time and increasing productivity.
  • How soon do you return emails? Within four hours? Inside of 24 hours? Some companies’ policies state that all emails need to be answered within the same business day.
  • Do you use emoticons? Buzzing bees, dancing bears, smiley faces, and the like may be cute, but they have no place in business communications. Heartily rule against them.
  • How many emails do you send before you pick up the phone? The rule of thumb seems to be three. If the issues are not resolved, pick up the phone or walk down the hall.
  • What are your company’s policies about writing business letters, accessing confidential information, and handling racial or sexual harassment? Your email policy should be compatible with these policies.
  • How will you ensure employees understand your protocol? For example, who is the contact person when questions arise? How will updates be handled? Will you schedule training meetings?

Email has become the biggest productivity drain in businesses today. Getting a handle on this daily data dump by establishing procedures – email etiquette, if you will – will make you and your call center stand above the crowd. This will possibly bring law and order to the untamed world of Internet communication.

Dr. Julie Miller, founder of Business Writing That Counts, is a national consultant and trainer who helps professionals reduce their writing time while still producing powerful documents. She and her team work with executives who want to hone their writing skills and professionals who want to advance their careers. For more information, call 425-485-3221.

[From the October/November 2007 issue of AnswerStat magazine]

Is That Hold Music Legal?

By Mike Wilson, J.D.

Music so permeates our culture that we take for granted the right to play it. However, performing rights organizations like ASCAP, SESAC, and BMI do not take it for granted. They know, and so should you, that a licensing agreement is required to legally play copyrighted works.

It does not matter if you own the CD that is playing for your callers on hold. It does not matter that it is really the radio station that is broadcasting the songs you have piped in as your “on hold” music. It does not even matter if you are a non-profit organization. Licensing is required. If you think music copyrights are a non-issue, all you need to do is look at the fervor over Napster.

Exemptions are limited: Music during church services or in face-to-face teaching in a classroom does not require a license. There are some other narrowly defined exemptions in Section 110(5) of the Copyright Act. Playing a TV or radio in public may be okay in certain circumstances. For example, if there is no charge, the radio or TV is of the “kind commonly used in homes,” and there is no retransmission to the general public, it is permissible. In addition, there are other restrictions on the size and type of establishment, the number of speakers or TVs in each room, and so on. Unless you fall within an exemption, licensing will be required or you will be guilty of copyright infringement. Other countries, of course, have copyright laws as well and penalties for violating them.

What If You Fail To Get A License? If you fail to license the music you are playing, perhaps nothing will happen. Due to the difficulty of monitoring the millions of performances of copyrighted music that take place every day, perhaps you will not be caught. However, increasingly representatives from ASCAP, BMI, and SESAC are contacting businesses that use music to determine whether the music has been licensed. Even more worrisome is that a disgruntled employee or aggressive competitor might “report” you to these organizations.

Instead of asking whether you will be caught, ask what the consequences could be. Actual damages as well as statutory damages of up to $20,000 can be awarded for each copyrighted song performed without a license. The damages can be up to $100,000 if the infringement is willful. Those who willfully infringe on a copyright for commercial advantage or private gain can be fined up to $25,000, be sentenced to jail time of up to a year, or both.

Obtaining a License: There are many different types of licensing agreements intended to serve different needs. You may contact the performance rights organizations yourself to see what is offered. ASCAP, SESAC, and BMI license performance rights for most of the music copyright holders in the United States. Also, a music clearance and licensing company can help you determine your licensing needs and assist in the process of obtaining the kind of license you need. In addition, some professional and business associations may negotiate a group rate with one or more of the performance rights organizations. It is common for businesses to license the right to use all of the works represented by a particular performance rights organization like BMI for one flat annual fee instead of attempting to license individual songs.

The cost of licensing is not prohibitive and is certainly worth the money in light of the potential downside of steep fines and damages. An easy solution is to contact a company that provides music-on-hold or on-hold programs. Generally, they will handle the licensing for you. This will be included in the cost of their services.

Whichever method you select, be sure to obtain documentation so that you can prove your on-hold music is licensed in the event ASCAP, SESAC, or BMI ever come knocking on the door of your call center.

Mike Wilson is an attorney and author. He teaches at Sullivan University in Lexington, KY.

[ASCAP is the American Society of Composers, Authors and Publishers; SESAC is the Society of European Authors and Composers; BMI is Broadcast Music, Inc.]

[From the December 2006/January 2007 issue of AnswerStat magazine]