How Well Do You Understand HIPAA?

By Janet Livingston

Most people in the call center industry have a general idea of what HIPAA is, but they lack an understanding of how to apply it to their healthcare call center operation. Ignorance, however, is not a sound defense for HIPAA violations.

HIPAA, the Health Insurance Portability and Accountability Act, has critical ramifications for medical call centers. Passed by the US Congress in 1996, the law is now over a decade old. As far as call centers are concerned, HIPAA, among other things, requires call centers that handle protected health information (PHI) to keep it private, both when it is stored and when it is transmitted. There are fines, as well as public embarrassment, for database breaches and for employee disclosures of private healthcare information.

Though this is not comprehensive legal advice, the following recommendations do address some basic, commonsense steps to move toward HIPAA compliance by covering key risk areas that are often overlooked. Follow these quick tips now to reduce penalties and pain later.

Fortify the Building: Safeguard your call center facility with building locks, surveillance cameras, door alarms, and a secured lobby. If employees use a separate entrance, don’t overlook it. Require them to be buzzed in or provide a keypad entry lock, with individual codes for each employee. Change lock codes periodically and retire individual codes as soon as an employee no longer works at your call center.

Implement Internal Security: Not only does the call center facility need security and secured access, but internal security is also a critical issue under HIPAA. Specifically, certain areas must be off limits to unauthorized personnel and to all non-employees.

For example, the operations room should be off limits to visitors and even to some ancillary staff. Only scheduled agents and relevant management should be allowed into the operations room. In the event that a client or prospect wants a facility tour, allow them only to view the operation from a distance, perhaps through a window in a soundproof room overlooking the operations room. Similarly, the technology hubs, such as the computer room and telecommunications center, should be under lockdown at all times and accessible only to authorized technical personnel.

Establish Technology Safeguards: As mentioned, the primary space that should have limited access is the equipment area, which houses your call center’s computers, servers, and network technology, as well as the telecommunications switches and interfaces. But this restriction doesn’t just apply to people inside your facility. There should be no externally accessible physical connection points (demarcation boxes, exposed jacks, or patch panels) to your telephone or internet service. Furthermore, remote access to equipment and data should be limited to named accounts for authorized personnel and vendors, protected by strong authentication, and enabled for vendors only when their work requires it.

Escort Visitors: Any clients, prospective clients, vendors, and other nonemployees need an escort through the facility, and they must be supervised throughout their visit. If they are interested in viewing operations, they should do so from inside a soundproof, glassed viewing area. Make sure they do not photograph or record anything during their visit. A best-practice policy is for them to check all electronic equipment at the front desk or leave it in their car.

Invest in Paper Shredders: While many dream of a truly paperless office, the reality is that despite well-meaning intentions, paper containing sensitive information will be produced. This might be through negligence, oversight, or expediency. Regardless, these paper documents must be destroyed as soon as they are no longer needed. The obvious solution is to shred such documents in a micro-cut shredder.

Deploy Shred Bins: All sensitive or potentially sensitive documents require shredding. However, shredders are loud devices that don’t align well with the call center’s need to minimize noise. Though immediate shredding is ideal, this is sometimes impractical, in which case locked shred bins should be conveniently placed around the call center. Authorized personnel then routinely shred the contents of the locked shred bins according to documented security protocols.

Enforce a Password Policy: Passwords are unpopular but necessary, yet password misuse and abuse are the weakest link in most call centers. Good passwords help keep personal health information private. A thorough password policy must be developed, taught, followed, and enforced. Putting a great plan into a document means nothing if staff aren’t instructed in what it says, and staff instruction means nothing if enforcement is lax or altogether lacking. When given the option, most people will take whatever password shortcuts they can, not recognizing the risks they subject their companies to.

At minimum the password policy should mandate software-controlled password changes, prohibit reusing previous passwords, and forbid sharing passwords with anyone regardless of the circumstances. One caveat a practitioner should weigh: current NIST guidance (SP 800-63B) no longer recommends forcing periodic rotation when there is no sign of compromise, favoring instead longer passphrases and screening new passwords against lists of known-breached passwords; whichever interval you choose, the system, not the employee, should enforce it. Password policy violations remain a vulnerable area at many call centers. Education and enforcement are essential, with the consistent actions and attitudes of management establishing the perspectives of all other employees.
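The rules above (no reuse of previous passwords, a system-enforced change interval, screening against known-bad passwords) are only meaningful if software enforces them. The following Python sketch is an added example, not code from the article or from Call Center Sales Pro; the `PasswordPolicy` and `Account` names, the PBKDF2 parameters, the 90-day interval, and the tiny breached-password list are assumptions for illustration. The important design point it demonstrates is that password history must be kept as salted hashes, never as plaintext, and that reuse is detected by re-hashing the candidate against each stored salt.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: PBKDF2-HMAC-SHA256 with this cost is adequate for the demo.
PBKDF2_ITERATIONS = 100_000

# Constructed sample denylist (assumption). A real deployment would screen
# against a large breached-password corpus, not a handful of strings.
BREACHED_PASSWORDS = {"password1", "Summer2019!", "Welcome123", "letmein"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    # (salt, digest, set_at) for every password ever set, newest last.
    # The current password is the last entry; earlier ones are the reuse history.
    history: List[Tuple[bytes, bytes, float]] = field(default_factory=list)


@dataclass
class PasswordPolicy:
    min_length: int = 12
    history_depth: int = 10   # previous passwords that may not be reused
    max_age_days: int = 90    # forced change interval (see caveat in the text)

    def validate_new_password(self, account: Account, new_password: str) -> List[str]:
        """Return the list of policy violations; an empty list means acceptable."""
        problems = []
        if len(new_password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if account.username.lower() in new_password.lower():
            problems.append("contains the username")
        if new_password in BREACHED_PASSWORDS:
            problems.append("appears in the breached-password denylist")
        recent = account.history[-self.history_depth:]
        if any(matches(new_password, salt, digest) for salt, digest, _ in recent):
            problems.append(f"reuses one of the last {self.history_depth} passwords")
        return problems

    def set_password(self, account: Account, new_password: str, now: Optional[float] = None) -> None:
        """Store a new password hash, refusing anything that violates the policy."""
        problems = self.validate_new_password(account, new_password)
        if problems:
            raise ValueError("; ".join(problems))
        salt, digest = hash_password(new_password)
        account.history.append((salt, digest, time.time() if now is None else now))

    def is_expired(self, account: Account, now: Optional[float] = None) -> bool:
        """True when the current password is older than max_age_days (or unset)."""
        if not account.history:
            return True
        _, _, set_at = account.history[-1]
        age_days = ((time.time() if now is None else now) - set_at) / 86400
        return age_days > self.max_age_days

    def verify_login(self, account: Account, password: str) -> bool:
        """Check a login attempt against the current (newest) password hash only."""
        if not account.history:
            return False
        salt, digest, _ = account.history[-1]
        return matches(password, salt, digest)


if __name__ == "__main__":
    policy = PasswordPolicy()
    agent = Account(username="agent42")
    policy.set_password(agent, "correct-horse-battery", now=0.0)
    print("reuse check:", policy.validate_new_password(agent, "correct-horse-battery"))
    print("expired after 91 days:", policy.is_expired(agent, now=91 * 86400))
```

Because each history entry carries its own salt, the reuse check costs one PBKDF2 computation per remembered password; keep `history_depth` modest and the iteration count tuned to your hardware so that password changes stay responsive without weakening the hash.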

A lack of compliance with HIPAA regulations can result in monetary damages in the form of fines for security breaches and reputation damage in the form of negative publicity over security violations. While HIPAA applies only to healthcare organizations and the business associates that handle their data, these security tips are emerging as call center best practices across all industries. Therefore every call center should move toward implementing them.

Janet Livingston is the president of Call Center Sales Pro, a premier sales and marketing service provider and consultancy that provides custom training solutions for all levels of call center staff, both in the healthcare industry and across all verticals. Contact Janet at or call 800-901-7706 to learn more about arranging specific training for your organization.