CTM Blog


CallTrackingMetrics HIPAA Compliance Program

by Laure Fisher

CallTrackingMetrics software gives businesses the ability to map calls back to particular advertising campaigns, to manage the performance of sales and support staff, and to efficiently route calls to their teams — so that they can maximize conversions and revenue.  Healthcare providers need a way to track calls just like other businesses, but they also need to protect the sensitive information being collected. CallTrackingMetrics offers a set of features that allow healthcare customers to maintain compliance with the regulations of HIPAA/HITECH while still being able to leverage the critical data for their marketing and sales departments. 

HIPAA and CallTrackingMetrics

CallTrackingMetrics provides customers the ability to record, transcribe, route, document, annotate, and generally report on everything going on in and around phone calls. In the case of a healthcare business, these calls may involve the discussion of personal medical issues (“PHI”) and documentation about the call by agents may refer to PHI that was discussed.

Audio recordings and transcriptions are the most obvious source of PHI for a medical business using CallTrackingMetrics. In addition, the notes that agents take about a call, the advertising information associated with the call, and the demographic information collected about the caller can also be a source of PHI, so those need to be considered as well.

Key Features of CallTrackingMetrics HIPAA Compliance Program

The Business Associate Agreement: A Business Associate Agreement needs to be in place between CallTrackingMetrics (the Business Associate) and the Customer (the Subcontractor or Covered Entity) to document the requirements of that relationship as it relates to HIPAA. Our BAA will reference the particular account IDs that need to be HIPAA compliant and detail the responsibilities of each party.

HIPAA compliant features are available on the Advanced or Elite plans: Unlike other providers, we do not require that customers move to a special HIPAA plan, but rather we provide the security options needed to ensure compliance within these existing plans. 

Dedicated Servers: In order to maintain HIPAA compliance, CallTrackingMetrics uses dedicated servers for all portions of the platform that may handle PHI.

Encrypted Data in Transit: All access to the CallTrackingMetrics platform is encrypted using Transport Layer Security (TLS) which is the successor to Secure Sockets Layer (SSL).

Encrypted Storage of Call Recordings: This is an optional feature that needs to be enabled within “Call Settings” (small additional fee per minute).

Logging: All access and modifications to PHI (including listening to call recordings) are logged by user, timestamp and IP address. Within Agency Settings, Administrators should enable the optional feature to require a user to be logged into CallTrackingMetrics to listen to any call recordings. This protects links to call recordings that may be in emails and also creates a log of the playback by that user.

Secure Notifications: Email and text notifications are very popular features as they allow Customers to stay up to date on call volume, campaign performance, and to monitor agent performance from anywhere. Customers can still use notifications; however, several fields need to be removed in order to keep PHI out of the emails. We detail those fields in the BAA.

Secure Access: Each user will have their own login to access the CallTrackingMetrics platform. All plans allow for an unlimited number of users as well as a variety of access levels so that you can choose the level of access appropriate for each person. Administrators need to enable several optional security features in order to further protect data, such as terminating user sessions after no more than 15 minutes of idle connection and enabling two-factor authentication.

Please contact our team to discuss setting up your HIPAA compliant account or to migrate your existing CTM account.