Are Your Call Recordings HIPAA-Compliant?
The call recordings of just a single medical practice contain incredible amounts of sensitive patient data. HIPAA or the Health Insurance Portability and Accountability Act is not new. You’ve probably noticed that every time you visit your physician, you’re handed a HIPAA disclosure to sign. It’s a law that has evolved over the past 20 years and every medical practice is subject to it.
Clearly, healthcare businesses need to protect their data and written records, but what about their conversations? Calls to healthcare organizations are directly impacted by HIPAA compliance because medical practices share patient data over the phone. Failing HIPAA regulations is expensive and can even result in jail time.
Compliance Failure Causes
Security breaches account for 60% of data theft of protected health information. But brewing in the background is a greater threat: medical professionals using personal mobile devices and unprotected Wi-Fi networks. Cloud security innovator Peter Martini, defined Shadow IT as:
…the use of any software or program that has not been developed by or reviewed by a company’s security team. This threat poses obvious risks as it opens the door to attacks that an IT department might not be prepared for.
Does your medical practice or organization record calls? Is your business failing key HIPAA compliance standards because your staff is unaware of compliance procedures? Are you at risk of allowing a data breach? Above all, how will you manage all the threats that could potentially cost your company millions? Let’s get into it.
Call Recording and HIPAA, What You Need to Know
All compliance regulations, put simply, enforce security, safeguard privacy, and raise service quality. Notably, the healthcare industry handles more personal data than almost any other industry. The key to compliance with HIPAA boils down to two main components: Encryption and policy enforcement.
Step 1: Encryption
Each customer account your organization keeps produces a considerable data trail. Account logs, medical files, phone conversations, transcripts, and even fax records continue to grow your storage center. Every time a doctor, administrator, or phone agent pulls up a customer account, customer data is at risk.
Thankfully, most of these risks you’ll mitigate with good policy and administrative follow-through (covered a bit later). But what about storing that data, or sending it? Stored data must be heavily encrypted and kept in a hardened environment.
How You Encrypt Matters
Cloud storage is increasingly popular, but not a guarantee for safety. Without exception, your Cloud platform should be redundantly backed up, regularly penetration-tested, and should store all data with 256-bit encryption. With those safeties engaged, sending also becomes safer as you can keep your patient data in one place and send it securely from there as well.
To be clear, gone are the days of using email with loose data cloning itself into every location it bounced off of. Un-secured mail servers and gateways are exactly the kinds of vulnerable places thieves crack into hoping to find consumer data to exploit.
Leverage Your Other Compliance Needs
No matter what compliance law you’re trying to meet, complying with PCI-DSS regulations protects your customers and your company. Stolen data that has all the critical data (phone, credit card, and social security numbers) already removed is useless to thieves.
Step 2: Policy Enforcement
There is only so much your technology can do for you before you hit the human error wall. You’ve encrypted your data, secured your storage, and set procedures for your call staff, bravo. But then, one of your employees decides to do some work offsite in a cafe with an unsecured WiFi network. Or maybe one of your staffers that works from home can’t figure out the VPN you sent them. And then it happens, some malicious party targets your risk-taking employee and steals a metric ton of patient data off their laptop or mobile device.
In a recent interview with CloudCo, we at CallCabinet learned that many businesses still don’t consider data security, especially for recorded calls, a major issue:
Security is extremely important, as you mention, but most of the customers aren’t even considering it, to be honest. We bring it up. They say “oh, wow! I didn’t realize that, especially when it comes to compliance”. Most of the customers don’t realize that it’s a security compliance issue to record or store those phone calls on a non-compliant system. —Mike Evanisko, CloudCo Partner
If having a clearly defined remote tech policy isn’t part of your operations, time to make it one. Your CIO needs to document and enforce a security-forward method for your remote folks. Many companies have mobile agents use a remote desktop over VPN platform which is effective at preventing data theft.
What the Fax?
Sorry for the pun, I’ll explain.
If you work in healthcare, you probably know that there are pieces of information providers can neither give you over the phone nor email you. They can, however, Fax them to you. And since Faxing is still faster than other means of data transmittal, faxing is not only still in use, it may even increase.
Online faxing has become a defining component of many UCaaS platforms, which means there’s an image file generated and stored every time an online Fax is sent. Naturally, that means millions of image files with vulnerable patient data are sitting in storage, and they’re just as important to secure as your transcripts and call recordings.
Two puns in a single post is probably the legal limit—but there is a reason to rejoice. HIPAA, like any regulation, makes extra work for a company, but it also proves effective at protecting patients. Legally speaking, protecting customer data protects your medical enterprise, and so the extra work is worth it. HIPAA’s best results help caregivers provide to patients and keep the courts clear.
The simple fact is the cost of becoming HIPAA-compliant pales in comparison to the compounded costs of data breaches and lawsuits. Of course, any COO is going to try to cut costs when looking for a way to secure transcripts, call recordings and Fax records. Our Atmos platform does all that, and our Cloud storage network is penetration tested regularly, so definitely check it out right now.
Brian is a freelance technology writer and media editor based out of Central New Jersey. He’s logged 20 years of experience in the Telecom industry and side-hustles in the record industry. Brian started his career in technology at a company that made analog modems. He migrated to a marketing career in the call recording industry where he learned exactly how and why calls are monitored for quality assurance. These days Brian fuses his skills together to deliver his researched observations about telephony and compliance laws in polished articles and videos. He’s also composed the music for a long list of big Hollywood trailers. He does not miss the sound of analog modems but he is endlessly fascinated with phones.