The Health Insurance Portability and Accountability Act (HIPAA) is a set of federal standards to protect the privacy of patients’ medical records and other health information maintained by covered entities: health plans, which include many governmental health programs, such as the Veterans Health Administration, Medicare, and Medicaid; most doctors, hospitals, and many other health care providers; and healthcare clearinghouses. These standards provide patients with access to their medical records and with significant control over how their personal health information is used and disclosed. The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use so they can assure the confidentiality, integrity, and availability of electronic protected health information (PHI).
PHI generally includes individually identifiable health information, including demographic data, that relates to:
The individual’s past, present or future physical or mental health or condition,
The provision of health care to the individual, or
The past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.
Individually identifiable information includes identifiers such as name, address, birth date, and Social Security Number.
By law, the HIPAA Privacy Rule applies to covered entities: health plans, healthcare clearinghouses, and certain healthcare providers and business associates. A business associate is a person or entity that performs certain functions or activities that involve the use of the PHI on behalf of a covered entity.
CallTrackingMetrics offers a number of features and configurations to allow customers to use our system and maintain HIPAA compliance. The checklist below is meant to serve as a guide of required features for most use cases that can help you maintain compliance with HIPAA while using CallTrackingMetrics and is not a substitute for legal advice. You may need to make additional adjustments in your account based on your particular use case. Find more information on the HIPAA website.
Required Tools and Settings
You must be on the Contact Center, Marketing, Advanced, or Enterprise plan. You can check your plan and change your plan at the top of the Account Settings page.
We need to have a Business Associate Agreement in place with you. Please contact us at firstname.lastname@example.org to request a BAA.
Individual Logins: Each individual user accessing HIPAA accounts must have their own unique login for CTM.
User Security: Within Agency Settings, navigate to the “Security” area and configure the following:
Logout users automatically after no more than 15 minutes of idle connection,
Enable two-factor authentication to ask for a verification code every time or every 30 days, and
Check the box to require a user login to access call recordings.
Encrypted Call Recordings: If recording phone calls, you must enable the following in account settings:
Encrypted call recordings – Encrypted call recordings cost an additional $.005 cents per minute.
Encrypted call recording storage – Encrypted call recording storage costs an additional $.0005 cents per minute.
Avoid configuring triggers, notifications, or exports that move PHI out of CallTrackingMetrics into emails or text messages. If choosing to use any of these features, it is your responsibility to ensure security of the information once it leaves CallTrackingMetrics.
For example, post call notifications trigger emails each time a call comes in that matches certain criteria you have set. The emails often include links to listen to the audio recording for the call. Be sure to remove fields that could contain unsecured PHI from your notifications such as: Recordings (unless the login required option has been turned on per item above), Transcriptions, Name, Phone number, E-mail address, Call Notes, and any other field containing PHI for your particular use case (such as tags).
When using SMS services on CTM, you cannot include PHI in the body of your text messages.
Another example would be exporting your call log. When exporting the call log, you would need to remove any fields that contain unsecured access to PHI such as Recordings (unless the login required option has been turned on per item above), Transcriptions, Name, Phone number, E-mail address, Call Notes, and any other field containing PHI for your particular use case (such as tags).
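A pre-send scrub for notification payloads and call-log exports that applies the field rules above (drop the PHI-bearing columns; keep the recording link only when the login-required option is on). This is an added illustration, not CallTrackingMetrics code; the column names and the sample rows are constructed assumptions, so map them to your own export headers.

```python
# Fields the checklist names as carrying unsecured PHI in notifications and exports.
# Names are normalised (lower-case, spaces to underscores) before matching.
PHI_FIELDS = {"name", "phone_number", "email", "e-mail_address", "call_notes",
              "transcription", "transcriptions", "tags"}

# Recording links may leave the system only when "require a user login to
# access call recordings" is enabled in the Security settings.
RECORDING_FIELDS = {"recording", "recordings"}

# Constructed sample export rows (not real data; assumed column names).
SAMPLE_ROWS = [
    {"call_id": "c-1001", "Name": "Jane Doe", "Phone Number": "+15555550101",
     "email": "jane@example.invalid", "duration_sec": 312, "source": "Google Ads",
     "recording": "https://example.invalid/rec/c-1001",
     "transcription": "caller gave account details", "call_notes": "follow up",
     "tags": ["intake"]},
    {"call_id": "c-1002", "duration_sec": 45, "source": "Direct",
     "recording": "https://example.invalid/rec/c-1002"},
]


def _normalise(key):
    return key.strip().lower().replace(" ", "_")


def scrub_row(row, login_required_for_recordings):
    """Return a copy of one export row with PHI-bearing fields removed."""
    clean = {}
    for key, value in row.items():
        norm = _normalise(key)
        if norm in PHI_FIELDS:
            continue                      # never leaves the system
        if norm in RECORDING_FIELDS and not login_required_for_recordings:
            continue                      # link would be an unauthenticated door to PHI
        clean[key] = value
    return clean


def scrub_export(rows, login_required_for_recordings):
    """Scrub every row; use this on the export or notification payload before sending."""
    return [scrub_row(r, login_required_for_recordings) for r in rows]


def remaining_phi_fields(rows, login_required_for_recordings):
    """Audit helper: report any PHI field names still present after scrubbing."""
    leaked = set()
    for row in rows:
        for key in row:
            norm = _normalise(key)
            if norm in PHI_FIELDS or (norm in RECORDING_FIELDS
                                      and not login_required_for_recordings):
                leaked.add(key)
    return sorted(leaked)
```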
If you expect sensitive information such as Social Security numbers or personal phone numbers to be exchanged, you should enable Secure Call Transcriptions, which will automatically detect the presence of that information in your interactions and redact it from your recordings and transcriptions.
Consider turning off Caller ID in Call Settings if you do not need to collect the name or location of your callers.
Enable automatic redaction on your account to manage how much and how long information is being stored.
Redaction removes personal information from records of calls, texts, and forms in your account.
Redaction can be configured to occur daily, every 30 days, every 60 days, or every 90 days.
Redaction can also be done manually for an individual call or text in the Call or Text Log.
At this time, our Live Chat service is not HIPAA compliant so HIPAA compliant customers should not use it. We will keep customers posted as we roll out our encrypted chat service in late 2019, which will be HIPAA compliant.
MMS enables exchange of attachments and picture messages between mobile phones over the carrier network without requiring a separate mobile app. This capability cannot be used in conjunction with SMS for workflows requiring HIPAA compliance at this time.
The list above is not meant to be comprehensive or replace the official HIPAA standards and guidelines. As always, we recommend that customers seek guidance from their legal counsel if they have any compliance questions concerning their use of CallTrackingMetrics.