Abstract:
Today’s medical practice staff communicates remotely with patients, pharmacies, and other medical providers in new ways that go far beyond telephone calls. Patient care and communication are now being provided via telecommunications technologies, including chat/IM, screen, Skype, and other video applications. This new paradigm in patient care, known as “telehealth” or “telemedicine,” could put medical practices at risk for noncompliance with strict HIPAA and other regulations. Interaction recording encompasses these new means of communication and can help medical practice staff achieve compliance and reduce financial and liability risks while improving operations and patient care.
A paradigm shift is taking place in how physicians and their staff provide care with the advent of “telehealth” or “telemedicine,” the delivery of health-related services and information via telecommunications technologies, including chat/IM, screen, Skype, and other video solutions.
Telehealth is changing the face of medicine. No longer do physicians and staff have to meet face-to-face with patients to provide care. Telehealth enables the patient to be monitored between physician office visits, helping to significantly reduce hospitalizations and visits to the emergency department while improving the patient’s quality of life.
Telehealth goes well beyond physician–patient contact. It also includes health professionals’ communications about a patient, office staff communication with pharmacies, and the sharing of patient test results and files between medical offices and others, such as labs and physical therapists. It can be as sophisticated as performing robotic surgery via Skype for Business between facilities at different ends of the globe.
As physicians begin to utilize the concept of telehealth to consult and communicate remotely with their patients and other healthcare professionals, it’s important to ensure regulatory compliance. Since telehealth encompasses a wide variety of media modalities, including voice, video (Skype for Business and others), screen, chat, and “instant messaging” communication, it is essential to utilize interaction recording technology to comply with pertinent regulations (Figure 1).
Figure 1. Easily locate and playback calls with restricted access according to administrator restricted roles.
Using Interaction Recording for HIPAA Compliance
HIPAA requires extensive compliance as outlined in its Privacy, Security, Breach Notification, and Patient Safety rules. In addition, medical practitioners must also adhere to HIPAA’s Omnibus Final Rule. This rule expanded and more stringently defined the responsibility of “business associates” to include business consultants, accountants, trainers, hardware technicians, and software companies such as the interaction recording company. It includes any third parties who have access to the patient database. Interaction recording can help medical practices meet compliance for physicians and staff as well as their business associates by recording all interactions.
Noncompliance with HIPAA regulations is not something to be taken lightly. Noncompliance can result in fines from $50,000 to millions of dollars, and in some cases, noncompliance can result in civil and criminal charges.(1) In fact, 2014 saw the U.S. Department of Health and Human Services reach a HIPAA settlement worth $4.8 million(2)—its largest settlement ever—with New York and Presbyterian Hospital and Columbia University, stemming from a 2010 breach.(3)
Since HIPAA was enacted, more than 41 million people have had their protected health information compromised in HIPAA privacy and security breaches. According to the Department of Health and Human Services, HIPAA breaches have involved more than 500 individuals and have been reported by 1149 covered entities and business associates(4) (Figure 2).
Figure 2. A detailed user activity log provides access and event tracking.
Using Interaction Recording for PCI-DSS Compliance
HIPAA is just one of the regulations with which medical practices must comply. If a medical practice takes payments by credit card, it must also adhere to the Payment Card Industry Data Security Standard (PCI-DSS).(5) This standard includes specific requirements for masking credit card numbers and other sensitive information(6) as well as specific rules for call recording storage, security/encryption, and record purging capabilities.(7) PCI-DSS was developed and is regulated by American Express, Visa, MasterCard, Discover, and JCB International. These financial institutions have enacted their own fines for violators. For example, MasterCard and Visa fine merchants up to $25,000 for the first violation.
Deployment of an interaction recording solution can help medical practices manage risk, improve patient service, and capture valuable business intelligence while complying with HIPAA, PCI-DSS, and other privacy and security regulations via the secure recording and storage of interactions. This includes calls, screen captures, combinations of calls and screen captures, video and Skype for Business communication, and chat and IM communication.
Regulatory compliance is further ensured by controlling access to interaction recordings while enabling the secure sharing of select portions of call recordings and screen captures as allowed by the regulations. Having a comprehensive interaction recording and management system helps ensure compliance to these important rules, protecting against fines and settlements as well as damage to public image and reputation.
Using Interaction Recording to Help Reduce Liability Risks
In addition to helping ensure compliance with important regulatory requirements, interaction recordings can help medical practices reduce liability risk and improve legal protection in the case of a claim. Interaction recording can be the first line of defense against illegitimate legal claims. Legal benefits of interaction recording include:
Liability protection, by providing interaction recordings and screen captures as documentation in case of lawsuits and licensing board inquiries;
Ease of differentiating between honest oversights and false or malicious claims and accusations from dissatisfied or profit-seeking patients;
Assistance in reducing fraud and abuse;
Confident dispute resolution with insurance companies, pharmacies, specialists, and patients via the ability to share recordings; and
Reduced cost of lawsuits by providing interaction recordings and screen captures as part of the discovery process.
To maximize the value of interaction recording, medical practices should record all interactions, including:
Physician–patient phone consultations;
Physician consultations with other health professionals;
Pharmacy phone orders;
Phone orders to services such as labs;
Airlift, paramedic, and emergency department communication;
Appointment scheduling; and
Collections.
Using Interaction Recording to Help Reduce Financial Risks
Interaction recording can help reduce financial risk by providing support for:
Collections and payments, by providing proof of conversations and the ability to share them to ensure payment;
Conflict resolution with patients, insurance companies, hospitals, pharmacies, and specialists via the ability to share interaction recordings and screen shots;
Billing, coding, and audit support with documented recordings of interactions; and
Assistance in avoiding fraud and abuse by having the ability to share interaction recordings and screen captures with appropriate individuals.
Using Interaction Recording to Help Improve Patient Care
Patient care and communication can be improved with interaction recordings in part because it is easier to share electronic medical records (EMRs) rather than paper documents—and is now required by law.
Being able to review and share interaction recordings with patients, other physicians, and healthcare providers can also help support collaboration and treatment accuracy, which can improve patient care.
Internal review of interaction recordings can help train staff to deliver exceptional patient service and care. In addition to supervisor evaluations of staff, staff members can review themselves to correlate how they think they are performing compared with their actual performance. Reviewing recordings helps reveal and resolve gaps in staff performance and also can help resolve misunderstandings and disputes. With most interaction recording solutions, interactions can be monitored live so issues can be handled as they occur (Figure 3).
Figure 3. User dashboards display enhanced quality management metrics and call activity.
For smaller medical practices with outsourced contact center services, as well as larger medical groups and healthcare providers with embedded contact centers, interaction recordings can improve agent training by helping supervisors understand the needs of agents as well as the needs of patients interacting with the contact center.
Using Interaction Recording to Meet Managed Healthcare Requirements
Using interaction recording, medical practices can integrate with call center online counseling for wellness and chronic illness, including government-funded programs, which must provide proof of service. Recordings can serve as a base for coaching and consulting and also can be used to verify that agents have provided appropriate guidance and followed approved scripts.
Using Interaction Recording to Improve Operations
Interaction recording helps medical practices improve operations by taking advantage of technology, including the ability to:
Access valuable data live with a click;
Access collections and payments information;
Record all interactions with patients, third parties, and others;
Record appointment scheduling to avoid conflicts with patients;
Resolve disputes by being able to quickly search for the recordings relevant to the situation;
Verify important patient information captured in the recordings, such as diagnoses, prescriptions, and care instructions;
Help ensure accurate patient prescriptions with pharmacies and provide liability protection by having verifiable prescriptions;
Improve organization for EMRs;
Use quality management tools to create templates and scorecards to help track agent conduct and performance based on feedback and records of previous interactions; Integrate with third-party applications such as customer relationship management (CRM);
Improve search functions by tagging with CRM, which labels each recording with a patient number, allowing staff to quickly and easily search for related recordings by the patient number. This is less expensive than paying for programming to create an application programming interface (API) to integrate; and
Customize where necessary by using an API to integrate recordings into patient records, prescriptions, and compatible unified communications platforms.
Using Interaction Recording to Manage and Protect Your Reputation
Having a plan for regular review of interaction recordings will help manage and protect the reputation of the medical practice. Listening to and viewing interaction recordings enables supervisors to instantly see what’s working and what’s not in terms of patient care. A regular audit of interactions can help medical practices head off issues before they go public (Figure 1).
Costs to Implement Interaction Recording
The cost to implement call recording varies greatly by what is being recorded, the type of media modalities being recorded (e.g., voice, screen, video, chat, instant message), the type of integrations with your telephone system and other applications, and, most of all, the size of the solution. Interaction recording solutions are available for practices with five to thousands of users and can be used with outsourced contact centers.
While expensive fines, financial and liability protection, and avoiding damage to the practice’s reputation are strong motivators to stay compliant, the best motivation for using interaction recording is the peace of mind that comes from knowing that you are protecting your medical practice, patients, staff, and partners.
References
EMR and HIPAA. www.emrandhipaa.com . Accessed October 30, 2015.
HIPAA violations and enforcement. American Medical Association. www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page? Accessed October 30, 2015.
Vogel D. Top 10 HIPAA data breaches of 2014. Datapipe. January 28, 2015; www.datapipe.com/blog/2015/01/28/top-10-hipaa-data-breaches-of-2014/. Accessed October 30, 2015.
HIPAA breaches: The list keeps growing. Healthcare IT News. March 12, 2015; www.healthcareitnews.com/news/list-biggest-hipaa-data-breaches-2009-2015 . Accessed October 30, 2015.
PCI SSC data security standards overview. PCI Security Standards Council. www.pcisecuritystandards.org/security_standards/index.php . Accessed October 30, 2015.
PCI FAQs. PCI ComplianceGuide.org . www.pcicomplianceguide.org/pci-faqs-2/ . Accessed October 30, 2015.
PCI Data Storage Do’s and Don’ts. PCI Security Standards Council. www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf . Accessed October 30, 2015.
Five Tips for Using Interaction Recording to Help Ensure Compliance
Choose the right interaction recording solution for your practice.
Implement the interaction recording solution in a controlled manner.
Ensure that appropriate access rights are given to the appropriate people. Make sure that all HIPAA-related protections regarding the network the recorder is installed on are adhered to.
Update who has access to recordings every time there is a change in staff to ensure former staff members cannot access the system.
Maintain an audit-ready state at all times by ensuring that your solution provider includes proactive monitoring, confirming that the system stays live and is recording.
Ten Keys to Choosing an Interaction Recording Solution
Choosing an interaction recording solution doesn’t have to be daunting, but it is an important decision. Here are the top 10 criteria for choosing an interaction recording solution that will meet the needs of most medical practices. The regulation-compliant call recording solution must have:
Compliance with HIPAA, PCI-DSS and other required regulations: Evaluate the solution to ensure it provides the appropriate masking capabilities, storage and access security, and other requirements to meet HIPAA, PCI-DSS, and any other regulations with which your practice must comply.
Secure, private storage of interaction recordings: Recordings should be stored, organized and preserved in a secure central repository, whether it is on-site, remote, in the cloud, or a hybrid model. Employ an archival database for targeted recording data relocation while still providing instant search and access functionality to authorized users. Utilize encryption options on the computers, smartphones, and all other devices that contain private patient information to help prevent information from being accessed by hackers or due to an accidental breach of a computer’s basic security system.
The ability to integrate call recordings into patients’ EMRs and your CRM solution via an application programming interface: Check to make sure the call recording solution has an API to connect to your EMR systems and CRM solution so all information is integrated. If it does not, ask the solution provider if there is a way to ensure related information can easily be accessed in either system.
Intuitive interface for ease of access for authorized users, whether it is local, remote, or mobile: The system should provide the ability for authorized users to easily access, search, and save call recordings. Implement automatic storage or purging based on unique individual criteria to ensure uniform practices rather than requiring tedious and inefficient manual review. Implement media management functionality that allows users to further restrict and control information contained within individual call recordings on an as-needed basis to ensure instance-by-instance regulatory compliance. Create custom archiving rules based on recordings.
Proactive site monitoring solution to ensure maximum uptime: Provide the ability to view the efficiency levels of the solution to ensure that it is operating at optimal levels. It should include an early warning system in the case that system performance should fall below specified parameters, notifying authorized parties. This tool helps users be proactive in detecting and rectifying issues that can affect system performance before major problems arise.
Ability to implement a solid disaster recovery plan: Should a catastrophic event affect the contact center, a properly conceived disaster recovery plan can help ensure that all data pertaining to your organization and patients will remain secure and can be restored and retrieved. Consider an interaction recording solution that can be deployed with advanced fault tolerance and data protection capabilities as well as an archival database designed to easily and efficiently archive call records for reliable, secure and instant access. Regularly conduct security and compliance assessments to ensure that your contact center is not at risk for regulatory compliance infractions.
Ability to help the medical practice maintain an audit-ready and compliant-evident state at all times: Have procedures in place so that practice management can quickly and accurately access and produce required data in the event of an investigation. Demonstrating effective compliance management policies and procedures in an investigation can result in an issue being resolved more quickly. If investigators can see compliance, it may help to avoid additional fines during the investigation process. Help support and improve the ease of proving compliance with additional search and mobility features.
Training and technical support from the call recording solution provider: The call recording solution provider should offer adequate training and technical support to ensure the solution is being used in a way that meets regulatory compliance. Consider whether the cost of the solution includes ongoing technical support or if there will be additional fees. Choose a call recording solution that enables easy review of staff interactions to verify compliance with communications processes and regulations. This is especially vital in environments dealing with sensitive data that requires strict identification verification, such as medical contact centers.
Scalability to grow with you as your practice grows: The interaction recording solution should be able to grow with you as your practice grows so that all interactions are recorded and stored in compliance with applicable regulations.
Compatibility with your UC/PBX system and the ability to migrate to other UC/PBX platforms as your needs change. Choosing a solution that is integrated with your current UC/PBX system as well as other platforms gives you the flexibility to make changes as your practice grows and needs change.
Topics
People Management
Technology Integration
Performance
Related
Moving Beyond ESGEmotional Intelligence and Character Strength for the Healthcare LeaderHealthcare Industry’s Impact on Climate Change