The Health Insurance Portability and Accountability Act (HIPAA) is a set of federal standards to protect the privacy of patients' medical records and other health information maintained by covered entities: health plans, which include many governmental health programs, such as the Veterans Health Administration, Medicare and Medicaid; most doctors, hospitals and many other health care providers; and health care clearinghouses. These standards provide patients with access to their medical records and with significant control over how their personal health information is used and disclosed. The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use so they can assure the confidentiality, integrity, and availability of electronic protected health information (PHI).
PHI generally includes individually identifiable health information, including demographic data, that relates to:
- The individual’s past, present or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.
- Individually identifiable health information, including name, address, birth date, Social Security Number, etc.
By law, the HIPAA Privacy Rule applies to covered entities: health plans, healthcare clearinghouses, certain healthcare providers, and their business associates. A business associate is a person or entity that performs certain functions or activities involving the use of PHI on behalf of a covered entity.
How can you make your use of the CallTrackingMetrics call platform compliant with the HIPAA Privacy and Security Rules?
- You must be on the Advanced, Elite or Enterprise plan: You can check your plan and change your plan at the top of the Account Settings page.
- Individual Logins: Each individual user accessing HIPAA accounts must have their own unique login for CTM.
- User Security: Within Agency Settings, navigate to the "Security" area and configure the following:
  - Log users out automatically after no more than 15 minutes of idle connection,
  - Enable two-factor authentication to ask for a verification code every time or every 30 days, and
  - Check the box to require a user login to access call recordings.
- Limit Use of Call Notifications: Post-call notifications trigger emails each time a call comes in that matches certain criteria you have set. The emails often include links to listen to the audio recording for the call. Be sure to remove the following fields from your notifications if you are using them: Recordings (unless the login-required option has been turned on per the item above), Transcriptions, Name, Phone number, E-mail address, Call Notes, and any other field containing PHI for your particular use case (for example, tags).
- Limit Use of Call Log Export: When exporting the call log, you must remove the following fields from the exported file: Recordings (unless the login-required option has been turned on per the item above), Transcriptions, Name, Phone number, E-mail address, Call Notes, and any other field containing PHI for your particular use case (for example, tags).
- Encrypted Call Recordings: If recording phone calls, you must enable the following in account settings:
  - Encrypted call recordings - Encrypted call recordings cost an additional $.005 cents per minute.
  - Encrypted call recording storage - Encrypted call recording storage costs an additional $.0005 cents per minute.
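The call-log export step above relies on someone remembering to delete the PHI columns by hand every time. The following script is an added example, not code from CallTrackingMetrics, that automates that step and adds a check that fails if any PHI column survives. It assumes the export is a plain CSV whose header row uses the field names listed in the checklist (Name, Phone number, E-mail address, Call Notes, Recordings, Transcriptions); real exports may use different column names, and "Tags" is treated as PHI-bearing only as an assumption for this use case. The sample export is constructed, not real data.

```python
"""Strip PHI columns from a call-log CSV export before it leaves the organisation.

Added example, not CallTrackingMetrics code. Assumes the export header uses the
field names from the HIPAA checklist; adjust PHI_FIELDS to match a real export.
"""
import csv
import io

# Columns the checklist says must be removed from an exported call log.
# "Tags" is included on the assumption that tags carry PHI for this use case.
PHI_FIELDS = frozenset({
    "Recordings", "Transcriptions", "Name", "Phone number",
    "E-mail address", "Call Notes", "Tags",
})


def phi_columns(header, extra_fields=(), recordings_login_required=False):
    """Return the header columns that must be dropped (case-insensitive match).

    If login-required access to recordings is enabled in the account, the
    checklist allows the Recordings column to stay, so it is not blocked.
    """
    blocked = {f.lower() for f in PHI_FIELDS} | {f.lower() for f in extra_fields}
    if recordings_login_required:
        blocked.discard("recordings")
    return [col for col in header if col.strip().lower() in blocked]


def strip_phi(csv_text, extra_fields=(), recordings_login_required=False):
    """Return (sanitised_csv_text, dropped_columns) for a CSV export string."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    drop = phi_columns(header, extra_fields, recordings_login_required)
    keep = [c for c in header if c not in drop]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        # Only the allowed columns are copied; PHI values never reach the output.
        writer.writerow({c: row[c] for c in keep})
    return out.getvalue(), drop


def assert_no_phi(csv_text, extra_fields=(), recordings_login_required=False):
    """Defensive check to run on a file before sharing it: raise if PHI columns remain."""
    header = next(csv.reader(io.StringIO(csv_text)), [])
    leftover = phi_columns(header, extra_fields, recordings_login_required)
    if leftover:
        raise ValueError(f"PHI columns still present: {leftover}")
    return True


# Constructed sample export (fictional values, not a real CTM file).
SAMPLE_EXPORT = (
    "Call ID,Date,Tracking Source,Name,Phone number,E-mail address,Duration,"
    "Call Notes,Recordings,Transcriptions\n"
    "1001,2024-01-02,Google Ads,Jane Doe,555-0100,jane@example.com,183,"
    "follow-up on lab results,https://example.invalid/rec/1001,hello this is jane\n"
    "1002,2024-01-02,Website,John Roe,555-0101,john@example.com,42,"
    ",https://example.invalid/rec/1002,\n"
)

if __name__ == "__main__":
    clean, dropped = strip_phi(SAMPLE_EXPORT)
    print("dropped columns:", dropped)
    print(clean)
    assert_no_phi(clean)
```

The denylist is deliberately applied case-insensitively and combined with a final `assert_no_phi` check, so a renamed or differently capitalised column is still caught before the file is sent on; any column not on the page's list that holds PHI for your account should be passed in `extra_fields`.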
The list above is not meant to be comprehensive or replace the official HIPAA standards and guidelines. As always, we recommend that customers seek guidance from their legal counsel if they have any compliance questions concerning their use of CallTrackingMetrics.