If you work in a pharmacy, insurance company, hospital, or any kind of healthcare practice, you know about HIPAA. The Health Insurance Portability and Accountability Act of 1996 obligates all healthcare providers or payers to safeguard the privacy and integrity of the personal health information, or PHI, of patients. You also know that it's about much more than securing digital data files: It's what obligates the pharmacy technician to ask customers in line to step back from the pickup counter; it's what requires hard copy patient records to be kept out of reach of unauthorized personnel.
Also under HIPAA's umbrella? Telephone usage.
As with oral or written information, compliance in digital voice and video is achieved through a combination of technology tools and proper practices. When you store it, (think voicemails, recorded calls) digital voice puts the "e" in ePHI (electronic personal health information) where HIPAA's more stringent security (as opposed to privacy) rules apply. Here, it's important not just to keep patient information from unauthorized persons; it's important to ensure such data is locked down or encrypted in such a way that it can't be accessed or changed.
It's no small chore to establish HIPAA compliance; that's why few hosted VoIP providers have performed the required policy and procedure improvements, documentation, employee training, ongoing monitoring, and physical security audits. Some, however—including OnSIP—have taken this step. By being certified to sign the Business Associate Agreements that HIPAA requires, providers assure customers that they take on responsibility for compliance as regards their voice and video platform. In the process, they extend to healthcare the considerable benefits of cloud communications that non-regulated industries have enjoyed for years.
Here are eight examples of how a healthcare practice can benefit from an HIPAA-compliant cloud phone system:
1. Share phone numbers, recordings, menus, and more across multiple locations.
Cloud communications can bring multiple sites under one shared administrative account. This not only saves money previously spent on individual phone lines, but also lets users dial any phone as a in-network extension, with call handling functions such as hold and transfer. OnSIP's network-wide encryption ensures that such calls cannot be tapped at any point on the IP network. (For a good example of how this works, see how Open Arms Treatment Center unified multiple office locations.)
2. Pool personnel across multiple locations to reduce calls on hold and provide foreign language assistance.
With system-wide call queuing, multi-site practices or insurance companies can pool office staff in every location to answer all incoming calls to a main number, reducing patient wait times. If they want to respond even faster, they can even recruit home-based workers. These remote staff can use personal computers or phones as extensions on the network. Organizations can also leverage, for example, the Spanish-speaking staffer in one location to handle Spanish-speaking callers to all other sites.
3. Provide staff with EHRs and patient information from PMS apps upon incoming calls.
Just as cloud phone systems are easily integrated with business CRM software to pop customer information on customer service agent screens, an integration with a PMS can pop patient info, saving office staff time in making appointments or handling insurance claims. Such integrations also makes it easier to dial out to patients, by enabling click-to-dial functionality on a computer. It further helps ensure that patients are reached through the numbers they requested to receive calls—as required by HIPAA—since it is easy to embed those clickable numbers prominently on their records.
4. Make and receive calls with professional caller ID from any phone or location.
Many cloud phone system providers offer softphone applications that run on a computer or smartphone. These apps allow users to access the phone system remotely, so doctors can answer work calls and view inbound caller ID information, no matter where they are. They can also easily transfer calls colleagues. When they need to make a work call, their outbound caller ID will display the office phone number, a favorite feature for on-call staff who may be away from the practice and carry only their personal phone.
5. See who's available across the organization to receive transferred calls.
With a clear view of coworkers' availability—available on some services—users can avoid transferring patients' calls to unattended extensions or voicemail, averting frustration. When staff are there to answer, patients can be transferred from lab results to follow-up scheduling or refill requests, accomplishing more with each call.
6. Video calling can extend physician reach to underserved areas and workplaces.
While patients are by now well acquainted with video calling, the Skype and Facetime apps they use are not HIPAA compliant. If a HIPAA-certified cloud phone service includes video calling, practitioners can leverage this richer medium for better informed (and more billable) consultations. These calls can support technician-assisted telehealth visits and remote medical device readings, extending clinicians’ reach into underserved areas. Technician-assisted medical kiosks, equipped with video calling and devices such as digital stethoscopes and blood-pressure monitors, have been installed in workplaces to encourage employees to take better care of their health.
7. Video calling aids and encourages use of online patient portals.
Since voice and video sessions can be provided through a web browser, video chat can be embedded in an online patient portal. Being able to see the medical assistant, say, answering questions, may encourage more patients to sign up for these increasingly popular portals. By logging into a secure website, patients can access personal information as well as view lab results, send secure messages to doctors, track immunization records, and schedule appointments.
8. Easily retrieve voicemails and other call recordings attached to EHRs and PMRs.
Many hosted VoIP services offer call recording, which is gaining use in healthcare settings for a variety of reasons, from documenting remote visits, to training employees, to protection from spurious malpractice suits. As a digital file containing individually identifiable health info, these recordings require encryption in transit and at rest. With a HIPAA-certified cloud service and proper policy enforcement, these recordings can be securely shared among other members of the practice group, or attached to a patient record in a similarly secured practice management or EHR system.
At the end of the day, healthcare organizations must recognize that HIPAA compliance is only one part technology. Policy establishment and documentation, training, and enforcement make up the other parts. Oral, paper, and digital media, storage strategy and messaging must be thoroughly considered.
If you’re considering a cloud phone system for your office or practice, a good place to start is by reviewing HIPAA’s privacy and security rules. Since at least 11 states add more stringent patient protections to the ones imposed federally, their rules must be reviewed as well. For this, we recommend Health Information & the Law, a project of the George Washington University's Hirsh Health Law and Policy Program and the Robert Wood Johnson Foundation. If you provide medical care, you should consult a lawyer familiar with your state’s health privacy laws. Finally, you should also commission a third-party auditor to determine what parts you may be missing before implementing a cloud-based communications solution.