HIPAA Introduction

Industry Content Supporter:
Steven Cramer
Sr. Vice President Operations

The Health Insurance Portability and Accountability Act of 1996, signed into law on August 21, 1996, is universally known as HIPAA. For contact centers, the part of HIPAA that matters is its requirement to protect the privacy and security of patients' health information.

For the purposes of this page, HIPAA consists of three sets of rules: the Privacy Rule, the Security Rule and the Transactions and Code Sets standards (Electronic Data Interchange, EDI). The EDI standards define the formats that providers and payers use to exchange billing, coding and eligibility verifications. The Security Rule defines how electronic protected health information (ePHI) must be accessed, stored and kept confidential. The Privacy Rule determines how patient information may be used and disclosed. The Privacy and Security Rules are the ones contact center agents encounter most, because they access and use ePHI daily. (The 2009 HITECH Act and the 2013 Omnibus Rule added the Breach Notification Rule, which requires notifying affected patients and HHS when unsecured PHI is exposed.)
What types of information does HIPAA protect? Individually identifiable health information is any information, including demographic information, that relates to:
– The individual’s past, present, or future physical or mental health or condition.
– The provision of health care to the individual.
– The past, present, or future payment for the provision of health care to the individual.

In addition, individually identifiable health information either identifies the individual or provides a reasonable basis to believe it can be used to identify the individual. For example, a medical record, laboratory report or hospital bill is Protected Health Information (PHI) if it includes a patient's name or other identifying information.
Contact centers in the healthcare and insurance industries handle patient calls and work with callers' protected health information. They are responsible for handling that data within the confines of the law or facing consequences that are quite expensive: civil penalties, corrective action plans and lawsuits. Companies employ a range of physical, operational, systems and network safeguards to protect the information.

How does HIPAA Impact the Contact Center?

What is a privacy policy?

A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses and manages a customer's or client's data. It fulfills a legal requirement to protect that person's privacy. Owners and managers often take shortcuts and assume they are the only ones who need HIPAA training; this is where violations occur. Every agent, and anyone else who has contact with the patient or the patient's data, is responsible for abiding by the HIPAA rules. Taking the time to ensure every employee is familiar with HIPAA and understands how it applies to their own job will help eliminate costly fines.
For example, agents like to "peek" at client information. This happens most often with well-known people, out of curiosity, and it is a violation: the agent had no business reason to open the record, and the usual result is the agent's termination. A tele-nurse was let go for sharing a famous NFL player's surgery information at the dinner table. That story later found its way onto social media and the rest is history. If an agent has no business reason to review client information, every such lookup is an opportunity for a citation, especially if private information lands on a social media page, and if your organization is the information source, it is liable for large fines and lawsuits. Access controls should therefore enforce the Privacy Rule's "minimum necessary" standard, and every record access should be logged so that peeking can be detected after the fact. PHI may not be released to family members, or to anyone else, unless the patient has authorized it, the person is the patient's personal representative (for example, a parent of a minor dependent or someone holding a health care power of attorney), or another Privacy Rule exception applies. In practice, contact center staff should discuss patient information only with the patient or someone the patient has authorized.

Contact Center Technology and Compliance

Industry Content Supporter:
Stephen Paskel
VP, Senior Technology & Global Operations Manager

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule establishes a national set of minimum security standards for protecting all electronic Protected Health Information (ePHI) that a covered entity, or a business associate such as a contact center working on its behalf, creates, receives, maintains or transmits. The Security Rule contains the administrative, physical and technical safeguards that must be put in place to secure ePHI.

The most common sources of HIPAA violations are lost or stolen devices that are not locked or encrypted, external attackers, and employee dishonesty. Missing passwords and screen locks are most often found on laptops and handheld devices, which makes them a particular issue with work-at-home agents. Keep in mind that a login password alone does not protect the data on a lost device, because the drive can simply be removed and read. Your compliance policy should therefore require that every device that can hold ePHI has a screen lock, full-disk encryption (BitLocker, FileVault or the mobile platform's built-in encryption) and a remote-wipe capability, and that passwords are changed on a regular basis or, following current NIST guidance, at least whenever compromise is suspected.
Employee dishonesty is a tough one to monitor, as we saw with the tele-nurse. Contact centers use call recording to support compliance, together with a Quality Assurance group that monitors calls. Not every call is listened to, but every call is recorded and retained according to legal and contractual requirements. See this link for details: http://www.hhs.gov/hipaa/. Because any recording can be retrieved easily from storage, retrieval must itself be access-controlled and logged: who pulled which recording, when and why. The most secure way to store these private conversations is to encrypt the audio files. Encryption is an "addressable" implementation specification under the Security Rule rather than a strict requirement, which means you must implement it where reasonable and appropriate or document why an equivalent alternative was used instead; Health and Human Services (HHS) has levied stiff fines against businesses that did not properly protect information. Under the Breach Notification Rule, ePHI encrypted in line with HHS guidance is not "unsecured PHI", so losing a properly encrypted recording is not a reportable breach, while losing an unencrypted one is.
Given that, why wouldn't you ensure the highest level of protection? Can you be "over" compliant with your client's personal information? With a comprehensive contact center platform these capabilities are built in, which makes it easy and inexpensive to add an extra layer of security. Encryption makes information unusable, unreadable and undecipherable to anyone who obtains it through loss or unauthorized access, provided the keys are stored separately from the data and access to them is controlled; an encrypted recording kept next to its key is no better protected than a plain one.


1. Be proactive and act to protect customers and your company. Don’t wait for an incident.

2. Think ahead. Ask yourself, “What is one more step that we can take towards a higher level of security?”


HIPAA has been around for more than 20 years and organizations still get hit with compliance violations. Everyone who interacts with clients and uses client data must know and understand the Security Rule and Privacy Rule at a minimum. Knowing which data is protected and how to handle it safely is the key to avoiding costly fines and protecting client information. Contact centers increasingly do more than provide health care billing, claims support and benefits information: they now employ nurses and doctors who diagnose and prescribe treatments, and they grow more sophisticated every day. The loss of trust and of clients that follows a violation is expensive. Remember, implementing HIPAA isn't only about avoiding violations and fines; it's about protecting your patients and your business.

HIPAA Training and Compliance

Understanding and recognizing HIPAA data, and knowing how to handle it, is the foundation of compliance. Any time you come in contact with patient information, or any PHI that is written, spoken or electronically stored, you become involved with some facet of the privacy and security regulations.

Information in the health record, such as:
– Encounter/visit documentation
– Lab results
– Appointment dates/times
– Invoices
– Radiology films and reports
– History and physicals (H/Ps)
– Patient Identifiers

What Are Some Examples of Patient Identifiers?
– Names
– Medical Record Numbers
– Social Security Numbers
– Account Numbers
– License/Certification numbers
– Vehicle identifiers and serial numbers, including license plate numbers
– Internet protocol addresses
– Health plan numbers
– Full face photographic images and any comparable images
– Web universal resource locators (URLs)
– All elements of dates directly related to an individual (date of birth, admission, discharge, death), other than the year
– Telephone numbers
– Fax numbers
– Email addresses
– Biometric identifiers including finger and voice prints
– Any other unique identifying number, characteristic or code
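The identifier list above is easy to recite and hard to apply when an agent types a note in free text. As an added example that is not from the original page, the Go program below scans a constructed agent note for the identifiers that have a recognisable shape (Social Security numbers, phone numbers, email addresses, medical record numbers, dates and IP addresses), redacts them with placeholders and counts what it found. The sample note and the regular expressions are this example's own assumptions; names and street addresses do not have a regular shape and would need a dictionary or a named-entity model rather than a regex.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Constructed agent note; the person, numbers and dates are made up.
const sampleNote = "Caller John Q. Public, DOB 04/12/1978, MRN: 00482913, SSN 123-45-6789, " +
	"callback (555) 123-4567, email jqpublic@example.com; asked about the claim for the 03/01/2024 visit."

// identifierPatterns covers the identifiers an agent is likely to type into free text.
// The patterns are this example's assumptions, not an exhaustive Safe Harbor implementation.
var identifierPatterns = map[string]*regexp.Regexp{
	"SSN":   regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`),
	"PHONE": regexp.MustCompile(`(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b`),
	"EMAIL": regexp.MustCompile(`\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b`),
	"MRN":   regexp.MustCompile(`(?i)\bMRN\s*[:#]?\s*\d{6,}\b`),
	"DATE":  regexp.MustCompile(`\b\d{1,2}/\d{1,2}/(?:\d{4}|\d{2})\b`),
	"IPV4":  regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`),
}

// Finding records one identifier hit so it can be counted or reported without keeping the note.
type Finding struct {
	Kind, Value string
}

// ScanAndRedact replaces each identifier with a [KIND] placeholder and returns what it found.
// Kinds are applied in sorted order so the result is deterministic regardless of map iteration.
func ScanAndRedact(text string) (string, []Finding) {
	kinds := make([]string, 0, len(identifierPatterns))
	for k := range identifierPatterns {
		kinds = append(kinds, k)
	}
	sort.Strings(kinds)
	var findings []Finding
	for _, k := range kinds {
		re := identifierPatterns[k]
		for _, m := range re.FindAllString(text, -1) {
			findings = append(findings, Finding{Kind: k, Value: m})
		}
		text = re.ReplaceAllLiteralString(text, "["+k+"]")
	}
	return text, findings
}

// CountByKind summarises findings for a compliance report.
func CountByKind(findings []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[f.Kind]++
	}
	return counts
}

func main() {
	redacted, findings := ScanAndRedact(sampleNote)
	fmt.Println(redacted)
	for kind, n := range CountByKind(findings) {
		fmt.Printf("%s: %d\n", kind, n)
	}
}
```

Run this before a note leaves the agent desktop for a ticketing system, chat transcript or log pipeline that is not cleared to hold ePHI; the findings slice, not the note itself, is what goes to the compliance report.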




NACSMA brings together like-minded professionals focused on advancing the customer contact industry and creating career growth.

