Do you work with accounts that require HIPAA compliance?

The short answer is yes.

HIPAA applies to covered entities and business associates. According to the U.S. Department of Health & Human Services (HHS), “the individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information.”

Businesses that must be HIPAA compliant

If your business is any of the following, you must be HIPAA compliant:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
 
A Health Plan

This includes:

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs that pay for health care, such as Medicare, Medicaid, the military and veterans’ health care programs.

HIPAA Checklist

This includes entities that process nonstandard health information received from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
 
HHS states that, “If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.”

Specialty Answering Service is considered a business associate. We are HIPAA Compliant and PCI Compliant. If your place of business requires HIPAA compliance, then SAS will provide you with our business associate agreement to retain for your records.

To that end, when you work with our service, Protected Health Information (PHI) cannot be transmitted via any electronic means. To ensure this, you'll need to abide by the following checklist:

1. Call Recordings: Accounts that require HIPAA compliance cannot record calls. The URL for each call recording is public, making it possible (though highly unlikely) to access outside of your portal.

2. Forward SMS Messages to Email: Accounts that require HIPAA compliance cannot have this feature activated within Number Settings.

3. Message Delivery: Because the caller's phone number, which is PHI, would automatically be included in Non-Message Call notification, accounts requiring HIPAA compliance cannot have Non-Message Calls active in any Profile. The "Customized message" option must be checked within any Profile for other types of messages. The following standard, compliant language is to be included: "You have a new message. Please sign in to your account at https://flexclient.sasdesk.com for details." This prevents any PHI from being sent electronically. Additionally, you cannot call in and ask an agent for your messages. They can only be retrieved via your SAS mobile app or online portal.

4. On-Call: We suggest using the Text-to-Speech Reach message option, which will ensure that no PHI is sent electronically. Though we do not recommend using an SMS Reach for HIPAA compliant accounts, if an SMS Reach is used, the "Customized message" option must be checked to maintain compliance, where standard language is added - "You have a new message. Please sign in to your account at https://flexclient.sasdesk.com for details." The Recording option will not work, as call recordings are not turned on for HIPAA accounts.

5. SAS Email App: Accounts that require HIPAA compliance cannot utilize the "Send to the email provided by the caller" option within the SAS Email App. The user may configure the SAS Email App to alert staff members about new calls as long as both of the following conditions are met: A. A static email address is used; B. The email template contains a standard message with no merge fields - "You have a new message. Please sign in to your account at https://flexclient.sasdesk.com for details." This prevents any PHI from being sent electronically.

6. SAS SMS App: Accounts that require HIPAA compliance cannot utilize the SAS SMS App.

7. Premium Add-Ons: Accounts that require HIPAA compliance cannot activate the Queue Voicemail or Transcription add-ons.

8. Advanced IVR: Accounts that require HIPAA compliance cannot activate the Voicemail option within an Advanced IVR.

9. Texting via the Portal: Users should not text callers from the portal, as our SMS text message architecture does not meet the requirements for HIPAA compliance.

For questions regarding HIPAA and your account, please contact our customer service team at 866-688-8912.