Published: August 03, 2017
You cannot work in a customer service department or contact center in the healthcare industry without being aware of the laundry list of legal restrictions. With all the restrictions that agents must abide by, it can be confusing to know why exactly each rule exists.
There are two sets of rules that are important for medical-related contact centers: HIPAA and PCI DSS. These are similar in that both exist to protect patients, but they also serve unique purposes within a contact center.
What is HIPAA?
Congress passed HIPAA (Health Insurance Portability and Accountability Act) in 1996. According to the California Department of Health Care Services, HIPAA does the following: “Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs, reduces health care fraud and abuse, mandates industry-wide standards for health care information on electronic billing and other processes and requires the protection and confidential handling of protected health information.” HIPAA is the set of policies that require health care providers and data handlers to follow procedures that ensure that patient information is collected and stored securely on paper, when spoken, and through electronic means.
HIPAA violations are a direct breach of US federal law and can be very costly, with penalties ranging from $100 to $50,000 per infraction, and they apply across the entire healthcare industry.
HIPAA plays a significant role in contact centers as patients are often required to provide sensitive information over the phone. For this reason, it is essential that agents understand HIPAA laws and how to remain in compliance.
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard), on the other hand, is a set of security standards that exist to ensure that all companies taking payments via credit card do so within a secure environment.
PCI DSS standards apply to any organization that accepts, transmits or stores cardholder data. However, unlike HIPAA violations, PCI DSS violations are not criminal offenses. This does not mean that PCI DSS violations are not costly, though: a breach could cost an organization millions of dollars in fines from credit card companies, legal fees, and loss of reputation.
For the healthcare industry, PCI DSS affects anyone in billing or insurance who handles patient payment information. As with HIPAA, agents fulfilling these roles need to be aware of the consequences of failed compliance for both the organization and, potentially, the patient.
How the Two Intersect
While both standards exist to protect the patient, HIPAA and PCI DSS are not interchangeable. An organization or contact center can be HIPAA compliant, but not PCI DSS compliant (or vice versa). The two standards protect different parts of patient information, both of which are valuable and sensitive.
Organizations that are conscientious “rule followers” are likely protecting all patient information with care, whether it falls under HIPAA or PCI DSS. However, an added level of vigilance never hurts. Agents need to understand the ramifications of not complying with both HIPAA and PCI DSS. Not only can non-compliance cost the organization a significant amount of money, but it can also cost patients and their care providers their peace of mind.
After considering both HIPAA and PCI DSS regulations, think through how your organization strives to be compliant with both. If you are falling short, KomBea offers unique solutions to these challenges, including SecureCall and ExactCall. Feel free to comment here or reach out with any questions!