As a provider of healthcare services, you have few responsibilities more important than protecting patients’ private information in the contact center. When customers submit personal information—names, Social Security numbers and contact information—they do so trusting that healthcare organizations will enforce every possible safeguard to prevent that data from falling into the hands of unauthorized third parties.
Protecting consumers in the $3 trillion U.S. healthcare industry is the Health Insurance Portability and Accountability Act (HIPAA), which is a set of standards for the collection and storage of personal health information (PHI) that providers must meet in order to avoid hefty penalties and fines.
HIPAA Phase II
HIPAA Phase II was originally set to take place in the summer of 2014. However, due to technical difficulties surrounding the HIPAA customer portal, the program was put on hold indefinitely. On March 16, 2015, at the annual HIPAA Summit in Washington, D.C., it was revealed that Phase II will begin in the near future.
One of the most important changes will impact who is targeted by HIPAA audits. As it stands, the audits only cover healthcare providers. Under Phase II, business associates of healthcare providers will be subject to random audits as well. This includes any third-party provider that handles patients’ personal health information through processes like billing and data management.
According to PwC, the Phase II audits will also focus on areas of “heightened risk,” such as notification of privacy practices, breach notification and incident response, among others.
It is expected that between 500 and 800 U.S. organizations will be audited under Phase II. To protect yourself, it’s critical to understand the risks and responsibilities.
5 Best Practices
- Understand that all identifiable patient data is considered PHI: HIPAA’s privacy rule states that all individually identifiable information held or transmitted by a HIPAA-covered entity or business associate needs to be protected. This includes every form of media including paper, electronic and voice. It also includes contact or demographic information.
- Encrypt all PHI: Encrypting PHI essentially devalues it to hackers because it renders the data unusable without a key to unlock it. Encryption is not required by HIPAA, but is considered a best practice that all healthcare organizations should enforce.
- Avoid recording sensitive information: One of the easiest ways to prevent theft of data is to not record PHI over the phone. Set a policy requiring agents to turn off call recording when collecting payment information over the phone to avoid storing it in your database.
- Enforce a strong password policy: Make sure that agent workstations and mobile devices are secured with the latest digital security safeguards like strong passwords, biometric checkpoints and security questions. This will prevent unauthorized users from logging in and stealing sensitive data.
- Partner with a HIPAA-compliant hosting provider: Partnering with a cloud-based contact center provider will prevent you from having to update your legacy network infrastructure to stay in compliance with HIPAA regulations. A cloud provider will ensure that all data runs through network infrastructure that is up to date with the latest software patches to ensure safety and stability.
Need Personalized Advice and Help?
Geoff Mina is the CEO of contact center platform technology provider Connect First which has achieved Level 1 PCI Certification. Connect First and partner Compliance Point work closely with customers deploying cloud-based contact center platforms to evaluate and implement strategies to help meet PCI requirements.
You can also access an archive of a webinar with Geoff and Compliance Point with more hints for PCI management with cloud platforms at: