A call comes into my line at 5:50 pm, just 10 minutes before the call center closes. I do my greeting, and the caller requests to change his grandmother’s health plan selection.
Assuming that he is an authorized representative on file, I request the caller verify the necessary HIPAA (Health Insurance Portability and Accountability Act) elements. These include the member’s name, date of birth, complete address, and Social Security number—an action that is very familiar within a healthcare call center.
The caller can verify all these elements. I then go into the account but cannot find his name listed as an authorized representative.
So, I make him aware of what I see. He is surprised. He goes off on a rant that he sent in the documentation over a month ago and we should have it on file.
I understand. So, I ask, “Could I please speak to your grandmother to verify a few pieces of information and get verbal permission to talk to you for this call?” The caller responds that his grandmother speaks Spanish. I assure him that I can get an interpreter on the line to assist with the call.
The caller then says that his grandmother is out of the country. At this point, he is pleading with me to help him out, stating that he is the authorized representative and that he takes care of all his grandmother’s medical concerns, and he needs to change the health plan and doctor on his grandmother’s file.
I mention that I understand that he needs to make this change, and I let him know that he can fax in the personal representative documentation or his grandmother can call in when she is available. I then provide him with both the call center’s fax number and hours of operation.
I ask if there is anything else I can assist him with, but there is no response. And he hangs up on me.
Acting on my gut feeling about this call and caller, I went and found out that he had called in a few times later. But my call notes helped my colleagues stick to our protocols and not break the rules due to his coercion tactics.
We later found out that his grandmother’s account was placed on a restriction program. Usually, something like this happens when a doctor or provider complains about health insurance fraud.
As a trainer, I tell the above story to every trainee who walks through my class. I also tell the class other stories, such as when a spouse calls in and attempts to change their voice to make changes to their significant other’s health records.
We train our classes well on adhering to the call center’s information security protocols. We help them understand that the HIPAA-stipulated information is like a key that opens the lock to a member’s health records. We encourage our agents to over-verify if needed and take their time to meet this requirement.
And we also explain the consequences of not verifying or not properly verifying HIPAA. These include a call failure, remedial training, coaching, performance improvement plans, and even termination.
Our goal is not to scare our trainees but to train them right the first time, so that we do not have to meet again for coaching or remedial training due to failure to authenticate calls.
My fellow trainer David Sluss and I use instructor-led training (ILT), scenario-based training, knowledge checks, games, review sessions, role-playing, carefully selected recorded calls, and final exams to ensure our agents are aware of the security protocols in place.
Further, once the agents leave the training classes, we send them micro-learnings and make our knowledge management system available. These help with the retention of information.
Finally, and perhaps most critically, I stress the importance of security and compliance with regard to protecting our customers from harm and other crimes.
But a lot of the training on these topics that companies offer doesn’t seem to connect with its audience. So, I try to use stories in the classes to get student buy-in and to encourage them to put in the extra effort to learn about these measures to keep themselves, their loved ones, and their callers safe.
You may ask me, “Why so much effort, Mark?”
I recall a coaching conversation with a previous team member. We met since he had two HIPAA fails in a month.
The agent would start talking to the caller, obtain their client ID, and then talk about their case right away. He would then remember to verify the HIPAA information, which was usually towards the end of the call.
When we met, he mentioned that he forgot to check the HIPAA elements at the start of the call.
So, I asked him, “What could be done to prevent this from happening again?”
The agent replied that he could attach a sticky note next to his primary monitor, where he would look so he could remind himself to confirm the information. He also decided to make those verifications for every call to get it out of the way.
The agent then asked me to create a job aid that outlined the HIPAA elements for those calls, as the one he was provided with initially was confusing. He later went on to say that he liked his job and didn’t want this to happen again. I prefer it when agents come up with their own solutions, as it brings about a sense of ownership, resulting in a higher probability of implementing them.
I created the job aid for him, and he was happy. When I went to his desk, I noticed that he had his sticky note on top of his primary monitor, saying, “Do HIPAA.” I followed up with him two weeks later. He said he was doing well, and his last QA score was 100%.
I took two lessons out of that coaching session. First, it led me to create an easy-to-review, at-a-glance checklist of the call center’s HIPAA elements, which is now part of our onboarding training sessions. Second, it led the call center’s training team to make call authentication a number one priority.
Another piece of security and compliance that I know many of us tend to forget is locking our workstations when away.
When we were in the office, we had small cards that the leadership team would leave on an agent’s keyboard stating that we noticed their workstation was unlocked while they were away from their desk. The leader would lock their workstation and leave this small note, which acted as a reminder not only to this agent but also to the other agents when they passed by.
However, since we are remote, the laptops have compliance standards that automatically lock screens in less than six minutes.
Further, our CRM locks up due to privacy concerns after about seven minutes or so of inactivity.
So, we encourage agents to take notes using either sticky notes, notepad applications, or MS Word documents.
This allows the agents to quickly copy and paste their messages from the documents to our CRM and at the same time prevents the use of a physical notepad to capture this information.
In addition to these measures, we also remind classes not to write down any protected health information (PHI) or personally identifiable information (PII) of callers.
Here is a quick summary of key points that I’ve learned about security and compliance. I hope you can use it to help your call center, agents, organization, clientele, and customers.
1. Onboarding training. The training should be ILT to allow agents to get immediate feedback. The training must include scenarios that agents could encounter while taking calls. Instead of making these up, talk to your QA analyst, leadership team, and agents to identify real scenarios and what happened.
2. Guides. Create quick reference guides (QRGs) that summarize security and compliance standards and that agents, coaches, and supervisors can turn to if there are any issues or if they have questions.
3. Performance improvement plan (PIP). Create a plan that includes remedial training, coaching, verbal warning, written warning, and removal consideration. However, we all know that there are some instances where you may need to skip levels since the situation is too grievous to warrant coaching, so add verbiage that allows leadership discretion.
4. Micro-learnings. Develop short courses using software such as Articulate Storyline or even a simple MS Sway that you send to your team to brush up on their security and compliance skills. Make sure to track those who have completed the training and follow up with those who haven’t finished it.
5. Celebrate security and compliance. Pick a week or month where you celebrate security and compliance. Some of the things to include are micro-learnings, emails with short pieces of training, quizzes with prizes, newsletters, and discussions on the consequences of non-compliance, to name a few.
6. How can IT help. Talk to your IT team about protocols that can be implemented to promote security, such as screen lock durations, password complexity, user roles that allow a person enough access to a customer account to do their job, and so on.
7. Check the desks. Ask your leadership team to walk the floor and take notice of agents who have walked away from their desks but who had forgotten to lock their screens. Lock their screen and place a reminder for them but follow up with coaching for repeat offenders. If you notice any PHI or PII lying around open, provide reminders to agents and coach repeat offenders.
8. Tailgating. If you work in a secure facility, remind agents to be mindful about badging in and preventing anyone from tailgating behind them. Also, provide a process for reporting intruders if they notice someone suspicious.
I can’t stress this issue enough. A few years ago, a person walked in behind an agent and was walking around the office. An employee escorted him off our floor since he mentioned that he was looking for someone on another floor. We later found out that this person was responsible for stealing money from an employee’s purse on one of the lower floors in the building.
9. Working from home. Remind new agents that they are the first line of defense to ensure data security against any threat. Before agents can take equipment home, have it mailed to them, or start working, have them sign a pledge to protect callers’ information from getting into the wrong hands.
Also, work with your IT team to get updates about agents who haven’t updated their passwords within the allotted timeframes for each system. Send reminders to the agents about the upcoming deadlines. Doing this ensures that agents don’t get locked out and it improves security.
I believe we all understand that not complying with the various laws or acts can lead to severe consequences. I would suggest having processes and policies to prevent and circumvent a security issue from occurring.
However, if you’ve worked in this industry for a while, you know that sometimes the most unthought-of situations arise. Do your best to develop plans with instructions in case a security risk occurs, and make all these plans available at a centralized location for your team to view.
New U.S. Regulations and Actions
President Joseph Biden is a staunch supporter of labor rights and federal regulations that protect consumers.
It is our belief, based on cabinet level appointments, public statements, and draft legislation, that the Biden administration will be much more forceful than prior administrations regarding consumer privacy rights.
The following is a summary of significant 2021 actions at the federal level.
- The American Rescue Plan Act of 2021 includes $650 million in new funding for the cybersecurity and infrastructure agency. It also appropriated $200 million for the US Digital Service and $1 billion in new funding for the General Services Administration’s Technology Modernization Fund.
- Promoting Digital Privacy Technologies Act
- Online Privacy Act of 2021
- Social Media Privacy Protection And Consumer Rights Act of 2021
- Employee Privacy Act
- The Supreme Court ruled that the Federal Communications Commission (FCC) cannot impose financial penalties without first pursuing administrative remedies.
- The Supreme Court held that a device counts as an automatic telephone dialing system only if it stores or produces telephone numbers using a random or sequential number generator.
- A California federal court signed off on a $1 million settlement agreement against Adobe over calls that allegedly violated the Telephone Consumer Protection Act, which resulted in a $2,000 payment for each class member.
In general, the Biden administration will pursue policies and legislation that seek to unify under a federal umbrella current state rules such as privacy protection, data security, and fraud prevention.
Ongoing events such as the COVID-19 pandemic, economic conditions, politics, Ukraine, and developments not yet anticipated will impact the pace of legislative action.
--Dick Bucci, “The Compliance Guy,” Pelorus Associates