HIPAA Compliance And The Contact Center: Protecting PHI


June 28, 2018 by Siobhan Climer

Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. In 2013, the Final Omnibus Rule went into effect, and since then any service provider directly or indirectly processing, storing, or handling patient health information (PHI) must adhere to the standards and policies set forth in HIPAA.

For contact or call centers, this means every verified name, address, social security number, diagnosis code, provider’s name, and any other PHI data must be securely handled, whether in a recorded phone call, in a forwarded email chain, or in an appointment reminder text message. Understanding the relationship between HIPAA compliance and the contact center is essential to protecting patients and contributing to the overall patient experience.


hipaa compliance and the contact center


Are you considering a contact center transition?

Download our free eBook Customers Drive, You Navigate: Your Contact Center Roadmap to Customer Care Success.

New call-to-action


Why Do Hackers Want Medical Records?


PHI data is valuable. In fact, your electronic health record (EHR) is worth 10x a U.S. credit card number on the black market. Why is it worth so much? Hackers can use the records to create fake IDs, enabling them to buy medical equipment or drugs. Alternatively, they can use the patient data to file fake claims with insurance companies. Healthcare is expensive, and cyber criminals are taking advantage.

The other piece that makes your EHR so valuable is that it is “immutable”, according to Robert Lord, a former analytics systems designer. He joined up with Nick Culbertson, a former Special Forces operator, to create an AI system to combat PHI thefts. They then co-founded Protenus to bring this technology to the healthcare industry. If your credit card goes missing, you can cancel it. If your social security number is misused, you can change it. But your EHR is a permanent representation of your identity.


What Does HIPAA Compliance Mean?


HIPAA is the set of standards and protocols any service provider must follow when handling PHI. In the contact center, there are many ways PHI data may be shared, which makes it a challenge to oversee.

  • hipaa compliance and the contact centerBilling
  • Collections
  • Patient Communications
  • Medical Insurance
  • Dental Insurance
  • Vision Insurance
  • Medical Answering Service
  • Ambulatory Services
  • Hospitals
  • Appointment Scheduling
  • Blood Drives
  • Familial PHI data


That’s a long list. Contact centers that fall into any of these categories, and likely others, must ensure they are HIPAA compliant.

What does that mean exactly? A healthcare contact center must offer comprehensive training to their Privacy Security Compliance Officer (PSCO), a required position under HIPAA that oversees compliance. All staff must then be adequately trained in HIPAA Privacy and Security. You must also have a manual for policies, forms, and procedures. The PSCO conducts gap analysis, creates privacy and security policies, and completes contingency plans.

Next, you must implement cyber security safeguards to protect your data from hackers or ransomware attacks. Given recent data breaches at healthcare organizations, this is especially important. The cost of these breaches are tremendous, which is why it is essential to have the right disaster recovery plan. Finally, you need to monitor and remediate your networks to ensure continued compliance.


hipaa compliance and the contact center

How Is HIPAA Compliance Enforced?


The Office for Civil Rights, or the OCR, in the Department of Health and Human Services (HHS), is responsible for enforcing HIPAA compliance. The OCR investigates complaints, conducts compliance reviews, and provides education and outreach. If the OCR believes a violation has occurred, they report it to the Department of Justice (DOJ), which may then proceed with criminal filings.

For example, the OCR investigated a case where a hospital staff member called and left a message that included PHI data on a patient’s home answering service, leaving that PHI data available to anyone in the patient’s home. The entire hospital had to undergo retraining, provided specialized training to those likely to leave direct messages, and revised the privacy policy to clarify patient rights.


HIPAA Compliance And The Contact Center


hipaa compliance and the contact centerDo you record customer calls? Do you record outgoing calls? Do you take credit card information? CCV codes? Do supervisors listen in?

If you do any of these, you may not be HIPAA compliant. If you record calls, it is against PCI-DSS standards to store credit card CCV, in any way. If you record outgoing calls, both the patients the agents calling them may not know they are being recorded, which can have legal ramifications. If supervisors use ‘barge’ or ‘whisper’ to listen in on a conversation, it is important for the patient experience to let patients know this is the case.

Text messages, phone conversations, email messages, voicemails – each of these important communication strategies carries risks for HIPAA compliance.

Creating a Contact Center Roadmap is a great way to prepare for the future of your contact center. 


Solutions For Contact Centers


Recording CCV Codes: Some new tools exist that allow contact center agents to pause the recording to collect CCV codes or other protected information, thereby removing it from the recording. This is a great tool for maintaining privacy and compliance in your call center. Some tech companies are even working on developing AI that pause the call (and start it again) when PHI data might be shared.


hipaa compliance and the contact center


Recording Inbound/Outbound Calls and Supervisor Monitoring: Check to make sure the language you use in the announcement over your system alerts the patient the call is being recorded. Make sure both “record” and “monitor” are part of that message, since that covers the fact a supervisor may be listening in.

“For quality assurance and improvement purposes, this call may be recorded and monitored…” is one example of the language you can use.

hipaa compliance and the contact centerAnother helpful feature to add for HIPAA compliance and the contact center is an ‘opt-out’ feature. If patients do not wish to be recorded, some U.S. judges have ruled contact centers must provide a specific opt-out protocol for them.


Disaster Recovery Plan: To be HIPAA-compliant, your contact center must have a disaster recovery plan and ransomware protection. The PSCO works with the IT team and a managed services partner to ensure data is backed up securely and recoverable should the unthinkable occur.


In healthcare, the patient experience is paramount. By ensuring you respect and properly handle PHI data, you demonstrate to patients you have their interests in mind. Find a partner, like Mindsight, who can help you both support HIPAA compliance and the contact center, and retain and grow your business.

Contact us today to discuss how Mindsight can help support HIPAA compliance and the contact center.

Like what you read? 


About Mindsight

Mindsight, a Chicago IT services provider, is an extension of your team. Our culture is built on transparency and trust, and our team is made up of extraordinary people – the kinds of people you would hire. We have one of the largest expert-level engineering teams delivering the full spectrum of IT services and solutions, from cloud to infrastructure, collaboration to contact center. Our highly-certified engineers and process-oriented excellence have certainly been key to our success. But what really sets us apart is our straightforward and honest approach to every conversation, whether it is for an emerging business or global enterprise. Our customers rely on our thought leadership, responsiveness, and dedication to solving their toughest technology challenges.

Contact us at GoMindsight.com.

About The Author

Siobhan Climer, Science and Technology Writer for Mindsight, writes about technology trends in education, healthcare, and business. She previously taught STEM programs in elementary classrooms and museums, and writes extensively about cybersecurity, disaster recovery, cloud services, backups, data storage, network infrastructure, and the contact center. When she’s not writing tech, she’s writing fantasy, gardening, and exploring the world with her twin two-year old daughters. Find her on twitter @techtalksio.

Millennials In The Workplace: How To Capture And Keep Your Call Center’s Millennial Workforce

Related Articles

View All Blog Posts

Contact Us
close slider


Fill out the form below to get the answers you need from one of Mindsight's experts.

hbspt.forms.create({ portalId: "99242", formId: "dfd06c5c-0392-4cbf-b2cb-d7fb4e636b7f" });