June 2024 update: A June 20th federal court ruling held parts of the December 2022 Bulletin issued by the U.S. Department of Health & Human Services (“HHS”) about online tracking technologies invalid. HHS is now considering its next steps following the order. With the uncertainty surrounding this 18-month saga, healthcare providers can rely on CallRail to understand patient privacy risks and support HIPAA compliance. CallRail's Healthcare plans offer providers confidence in attracting new patients while ensuring that their patients' data is secure.
Can patient privacy and marketing data coexist? It may seem counterintuitive, but March 2024 guidance from the U.S. Department of Health and Human Services (HHS) outlined how healthcare providers can use the insights gained from call tracking and still maintain HIPAA compliance.
This guidance lays out how technology vendors can partner safely with healthcare providers, using security controls and business associate agreements (BAAs). Let's take a look at the steps you need to take so that call tracking can fit within your HIPAA-compliant practice while still delivering valuable marketing insights.
Make it easy to stay in compliance with HIPAA. Download this information as a checklist.
1. Educate your staff
Your staff carry out HIPAA compliance day to day, so education should be your first priority. HIPAA training should be a key component of onboarding, and all staff should be required to complete mandatory continuing education. Regulations keep evolving to meet new privacy challenges, so equip your staff with the information they need to maintain HIPAA compliance.
This includes knowing who is covered by HIPAA, when the obligation to protect privacy begins (hint: it is before a caller actually becomes a patient), and the potential consequences if any rules are violated. Your staff should know the ins and outs of HIPAA, and they should also understand how each of your technology partners fits into the patient privacy picture.
2. Only work with vendors that will sign business associate agreements
HIPAA compliance is your responsibility, but the tech partners you choose play a big role in helping you maintain it. HHS's March 2024 guidance makes clear that a technology vendor that receives protected health information (PHI) on your behalf must be a business associate, which means it must sign a business associate agreement (BAA). The BAA permits the vendor to collect and store PHI for you and obligates it to implement specific safeguards that support your HIPAA compliance.
CallRail will sign a BAA for any healthcare provider using a Healthcare Plan. With a BAA in place, we are contractually obligated to apply HIPAA controls within our service, which reduces the risk that your call tracking exposes you to fines or litigation.
3. Update your CallRail plan to a Healthcare Plan
CallRail treats security as a top priority on every plan, but our Healthcare Plan adds another layer. Designed for the specific needs of our healthcare clients, the Healthcare Plan starts with a BAA and includes a suite of features tailored to healthcare providers: redaction of PHI in transcripts and call summaries, enforced automatic log-outs so PHI is not left on an unattended screen, and full audit trail logging.
4. Never share user and log-in credentials
A healthcare practice has a lot of moving parts, and under HIPAA's minimum necessary standard, not every employee needs access to PHI. CallRail's Healthcare Plan provides a unique login and credentials for every user, so only the people who need to see PHI have access to it. Individual logins also make your audit trail meaningful: every access is attributable to one person rather than to a shared account. Shared credentials, by contrast, leave no way to tell who viewed a record, and they greatly increase the chance that PHI is exposed to employees who do not need it.
For example, your nurses may need to see a patient's name and date of birth to update a chart, so their login would allow them to view the full transcript of a call. Your marketing director only needs to know how the call was handled. In that case, the marketing director's credentials would show a redacted version of the call rather than the full transcript containing PHI.
5. Keep detailed records in case of an audit
A HIPAA audit can be extremely laborious, unless your call tracking vendor keeps the records for you. CallRail's record-keeping and audit trail logging create a clear roadmap of who accessed PHI, when, and what they did. You'll have a detailed record by user, timestamp, and URL, plus any playback, tags, or changes to calls, which turns an audit into an annoyance rather than a catastrophe.
Let's look at an audit example. If an inspector asks who accessed call records during a two-month period, it's easy to pull up the logging trail: set the search parameters to that time period and filter by user name and/or URL. With the report in hand, you can satisfy the audit request quickly and completely and get back to your true focus, patient care.
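The audit lookup described above, as an added example that is not part of CallRail's product or documentation: a small Python search over constructed audit-log records. The record fields (user, ts, url, action) and the sample entries are assumptions for illustration, not CallRail's export format. The search filters on a half-open time window, an optional user, and an optional URL substring, and a summary counts accesses per user so the "who" question has an immediate answer.

```python
from collections import Counter
from datetime import datetime

# Constructed audit-log records for illustration only. The field names are
# assumed here; they are not CallRail's actual export schema.
AUDIT_LOG = [
    {"user": "dana.r", "ts": "2024-04-02T14:05:11Z",
     "url": "/calls/CAL-1001", "action": "playback"},
    {"user": "marketing.lead", "ts": "2024-04-15T09:30:00Z",
     "url": "/calls/CAL-1001", "action": "view_redacted"},
    {"user": "dana.r", "ts": "2024-05-20T16:45:03Z",
     "url": "/calls/CAL-1042", "action": "tag_added"},
    {"user": "billing.ops", "ts": "2024-06-03T08:12:40Z",
     "url": "/calls/CAL-1042", "action": "view_redacted"},
    {"user": "dana.r", "ts": "2024-07-01T10:00:00Z",
     "url": "/calls/CAL-1100", "action": "playback"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp into a timezone-aware datetime.

    The trailing 'Z' is rewritten to '+00:00' so older Python versions
    parse it; comparing aware datetimes avoids off-by-hours mistakes when
    the auditor's window and the log use different zones.
    """
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_search(records, start, end, user=None, url_contains=None):
    """Return records with start <= ts < end, optionally narrowed by user
    and by a substring of the accessed URL, sorted chronologically."""
    start_dt, end_dt = parse_ts(start), parse_ts(end)
    hits = []
    for rec in records:
        ts = parse_ts(rec["ts"])
        if not (start_dt <= ts < end_dt):
            continue
        if user is not None and rec["user"] != user:
            continue
        if url_contains is not None and url_contains not in rec["url"]:
            continue
        hits.append(rec)
    return sorted(hits, key=lambda rec: parse_ts(rec["ts"]))


def access_summary(records):
    """Count accesses per user, e.g. to answer 'who touched PHI this quarter?'."""
    return Counter(rec["user"] for rec in records)


if __name__ == "__main__":
    # Two-month window, as in the audit scenario in the text.
    window = audit_search(AUDIT_LOG, "2024-04-01T00:00:00Z", "2024-06-01T00:00:00Z")
    for rec in window:
        print(rec["ts"], rec["user"], rec["action"], rec["url"])
    print(dict(access_summary(window)))
```

The end of the window is exclusive so that adjacent reporting periods never double-count a record on the boundary; keep the exported timestamps in UTC and the auditor's requested range in the same zone before filtering.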
6. Export data with caution
CallRail handles any information collected under our Healthcare Plan according to HIPAA controls, but we can't promise the same for other vendors. To keep your patients' PHI secure, use the redaction option to strip PHI before you export data. If the data must leave unredacted, export it only to partners that have also signed a BAA with you.
7. Disclose only ‘need-to-know’ PHI for non-treatment purposes
If you're working with another HIPAA-compliant provider to coordinate treatment, sharing PHI is likely a necessity. For everyone outside the sphere of treatment, PHI should be shared on a need-to-know basis. Use auto-redaction to pass along the details a recipient needs without exposing the rest of the record.
Billing and scheduling are two places where auto-redaction is particularly valuable. It lets those teams work with the information they need, such as billing codes and identifiers, without exposing provider notes on the specifics of patient care.
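Role-based redaction, as in the nurse versus marketing director example in step 4 and the billing and scheduling case above, shown as an added Python example. This is illustrative code, not CallRail's redaction engine, and the roles, the pattern list, and the sample transcript are all assumptions for the example. Clinical roles get the full transcript; non-treatment roles get a copy with dates of birth, phone numbers, and insurance IDs masked while a billing code stays visible; a role that is not in the table is denied rather than defaulted to the full view.

```python
import re

# Constructed sample transcript for the example (not a real call).
SAMPLE_TRANSCRIPT = (
    "Agent: Thanks for calling Oakview Clinic, this is Dana.\n"
    "Caller: Hi, I need to schedule a follow-up. My date of birth is 03/14/1982.\n"
    "Agent: Got it. And the best callback number?\n"
    "Caller: 555-014-2299. My insurance ID is AB12345678.\n"
    "Agent: Perfect, I'll bill that under CPT 99213 as before.\n"
)

# Pattern-based redaction for a few identifier formats. This is a safety net,
# not a complete PHI detector: a name spoken mid-call ("this is Dana") is not
# caught by any regex here, which is why access control, not redaction alone,
# decides who can open a transcript at all.
PHI_PATTERNS = {
    "DOB": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "INSURANCE_ID": re.compile(r"\b[A-Z]{2}\d{8}\b"),
}

# Role table (assumed for the example). Anything not listed is denied.
ROLE_VIEW = {
    "nurse": "full",
    "billing": "redacted",
    "scheduling": "redacted",
    "marketing": "redacted",
}


def redact_phi(text):
    """Replace each matched identifier with a labelled placeholder."""
    for label, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[{label} REDACTED]", text)
    return text


def transcript_for_role(transcript, role):
    """Return the view of a transcript a role is allowed to see.

    Unknown roles raise instead of falling through to the full transcript,
    so a misconfigured account fails closed.
    """
    view = ROLE_VIEW.get(role)
    if view is None:
        raise PermissionError(f"role {role!r} has no transcript access")
    if view == "full":
        return transcript
    return redact_phi(transcript)


if __name__ == "__main__":
    print("--- nurse view ---")
    print(transcript_for_role(SAMPLE_TRANSCRIPT, "nurse"))
    print("--- billing view ---")
    print(transcript_for_role(SAMPLE_TRANSCRIPT, "billing"))
```

The billing view keeps "CPT 99213" because no pattern matches it, which is the point of the page's billing example: the recipient gets the code they need and not the identifiers they don't. The placeholders are labelled so a reviewer can still tell what kind of value was removed without recovering it.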
8. Check your integrations
As a modern healthcare practice, your tech stack is the engine that runs your business. But it only takes one non-compliant partner to break the chain of patient privacy and put you at risk of litigation. Check every integration that receives call data to confirm it handles PHI under HIPAA rules, and remember that any integration receiving PHI must itself be covered by a BAA; where a vendor won't sign one, send it only redacted data or nothing at all.
9. Plan for human error
It's a common problem: a staff member steps away for a cup of coffee or starts a conversation with a coworker while patient information is on the screen. Despite your best efforts, human error can expose PHI. That's why CallRail's Healthcare Plan enforces a 30-minute idle timeout on all sessions, so an unattended screen logs itself out.
This is especially valuable in the front office, where several job functions work side by side and staff wear multiple hats. With billing, scheduling, and patient care in close quarters, it's easy to forget to log out, and the automatic timeout covers that gap.
10. Reap the benefits
The new guidance outlines a clear pathway for healthcare providers to use call tracking to better understand their patients while keeping patient information safe. With CallRail's Healthcare Plan, you can confidently use call summaries, transcripts, and recordings to learn what your patients want, how your staff can perform better, and whether your marketing is hitting the mark.
CallRail’s Healthcare Plans aren’t just secure; they’re extremely valuable – giving you unique insights into your marketing campaigns and what’s working and what’s not. To leverage these insights and keep your practice safe and patient information secure, upgrade to a CallRail Healthcare Plan today.
Make it easy to stay in compliance with HIPAA–download this information as a handy checklist.