servion logo Crafting CX Solutions

Get the Servion Blog updates in your inbox.

Your ultimate CX destination

Do you know that over 25% of all data breaches that occur in a year target hospitals and healthcare facilities? The second most at-risk type of data after social security numbers, health information continues to be a treasure trove for cybercriminals. In 2019, nearly 32 million medical records were exposed in June alone.

Why do hackers target healthcare data? There are many reasons hackers are so interested in accessing healthcare facility and patient information. First, unlike banks and financial networks, most hospitals and medical facilities are lagging in introducing security measures, making them easy and vulnerable to attack. Medical devices connected healthcare delivery systems, and mobile healthcare devices (e.g., wearables, monitoring devices) are also an easy entry point for attackers.

Second, health records and other patient-related information have massive demand in the darknet. The high value of medical records on the dark web has surpassed that of social security and credit card numbers. These records can sell for up to $1,000 online, depending on the completeness of the information contained within.

Third, health records not only consist of health information, but pictures, medical records, addresses, demographic data (namely names, birth dates, and other personal identifiers) and even sensitive financial data that could compromise patients’ privacy and financial security. Fraudsters can easily use this information for fraudulent activities, stalking, and harassment. They can even create fake IDs to buy drugs and weapons, and file fake claims with insurance companies.

To protect the processing, storing, and handling of patient health information (PHI), Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. In 2013, the HIPAA Omnibus Rule came into effect with significant updates and clarifications on previous definitions, expanding its reach and cover over more individuals and organizations, like subcontractors, consultants, and storage companies.

HIPAA requires all covered entities to adhere to and verify their compliance with the HIPAA Security Rule. It protects the patients’ privacy and health information by giving more control and setting boundaries for the use and release of confidential health information. It also holds the violators accountable with civil and criminal penalties.

For contact centers, HIPAA changes the way they answer customer calls and store information. To understand the relationship between HIPAA compliance and the contact center, we have summarized some of the vital HIPAA requirements when handling PHI during all outbound and inbound communications related to billing, collections, medical insurance, ambulatory services, and appointment scheduling.

  • Contact centers should secure all health information via encryption, making it unreadable if intercepted by a public Wi-Fi, or a device, used for calls, is misplaced or lost. It means that PHI must be secure in all communications, be it a phone call, forwarded email chain, or an appointment reminder.
  • All call recordings should be 100% secure and optional.
  • Contact centers require patient consent for call recording. They should not record calls by default and should switch off call recordings if needed.
  • Contact centers should ensure voluntary consent and caller (patient) verification.
  • Patient authorization should verify at least two identifiers, such as date of birth, address, or contact number. For billing questions, the patients should confirm the most recent date of service or invoice number.
  • Contact centers need written consent from the patients to make outbound calls from an auto-dialer.
  • Even though the patient has given consent for calls, the agents can make outbound calls only for:
    • post-discharge follow-up calls
    • intimations on prescriptions
    • home healthcare instructions
    • hospital pre-registration instructions
    • provision of treatment
    • health checkup
    • appointments and reminders
    • test reports and pre-operative instructions
  • During a call, the agents should reveal their names and contact details to the patients.
  • The users should automatically logout from the system following inactivity for a stipulated period.
  • Protected information cannot be copied and pasted from an external network to any external device.
  • Patient health information should be accessible only to authorized users.
  • Texting solutions should have access only to authorized personnel with a secure login.
  • Test messages should not exceed 160 characters, and messages can be sent just once in a day.
  • Text messages for appointments or medication refills should contain no personal identifiers.
  • Calls should be short and precise. Contact centers cannot call patients two to three times a week.

Besides, the contact center must offer comprehensive training to its agents and Privacy Security Compliance Officer (PSCO), a required position under HIPAA that oversees compliance.