CallRail Healthcare Marketing. HIPAA and HITECH Compliance for Covered Entities using Call Analytics Software

Similar documents
The CIO s Guide to HIPAA Compliant Text Messaging

Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance

HIPAA Security Alert

Healthcare Compliance Solutions

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

HIPAA Privacy & Security White Paper

Medical Privacy Version Standard. Business Associate Agreement. 1. Definitions

HIPAA/HITECH Compliance Using VMware vcloud Air

How Managed File Transfer Addresses HIPAA Requirements for ephi

White Paper. BD Assurity Linc Software Security. Overview

Develop HIPAA-Compliant Mobile Apps with Verivo Akula

HIPAA Compliance Guide

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization

My Docs Online HIPAA Compliance

efolder White Paper: HIPAA Compliance

WISHIN Pulse Statement on Privacy, Security and HIPAA Compliance

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Account Restrictions Agreement [ARA] - Required by LuxSci HIPAA Accounts

HIPAA: In Plain English

Privacy Policy and Notice of Information Practices

VMware vcloud Air HIPAA Matrix

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s

This form may not be modified without prior approval from the Department of Justice.

HIPAA Compliance and the Protection of Patient Health Information

HIPAA BUSINESS ASSOCIATE AGREEMENT

Datto Compliance 101 1

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

HIPAA: Bigger and More Annoying

HIPAA BUSINESS ASSOCIATE AGREEMENT

Collection and Use of Information

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

Retention & Destruction

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

If you have any questions about our privacy practices, please refer to the end of this privacy policy for information on how to contact us.

MYACCLAIM PRIVACY POLICY

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

SOOKASA WHITEPAPER HIPAA COMPLIANCE.

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

The Basics of HIPAA Privacy and Security and HITECH

White Paper. Support for the HIPAA Security Rule PowerScribe 360

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

PRIVACY, SECURITY AND THE VOLLY SERVICE

CHIS, Inc. Privacy General Guidelines

GFI White Paper: GFI FaxMaker and HIPAA compliance

LogMeIn HIPAA Considerations

Table of Contents INTRODUCTION AND PURPOSE 1

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Security and Managed Services

8.03 Health Insurance Portability and Accountability Act (HIPAA)

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

Southern Law Center Law Center Policy #IT0014. Title: Privacy Expectations for SULC Computing Resources

Oracle Eloqua HIPAA Advanced Data Security Add-on Cloud Service

HIPAA Compliance Guide

The Health Insurance Portability and Accountability Act - HIPAA - Using BeAnywhere on a HIPAA context

Georgia Institute of Technology Data Protection Safeguards Version: 2.0

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

Secure Configuration Guide

HIPAA COMPLIANCE AND

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

The Impact of HIPAA and HITECH

FACT SHEET: Ransomware and HIPAA

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Dissecting New HIPAA Rules and What Compliance Means For You

ONLINE PRIVACY POLICY

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

HIPAA, PHI and . How to Ensure your and Other ephi are HIPAA Compliant.

We may collect the following types of information during your visit on our Site:

Hang Seng HSBCnet Security. May 2016

OCR UPDATE Breach Notification Rule & Business Associates (BA)

Building Trust and Confidence in Healthcare Information. How TrustNet Helps

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Security and Privacy: An Introduction to HIPAA

ACCESS TO ELECTRONIC HEALTH RECORDS AGREEMENT

DATA SECURITY AGREEMENT. Addendum # to Contract #

Transcription:

CallRail Healthcare Marketing HIPAA and HITECH Compliance for Covered Entities using Call Analytics Software Healthcare 2015

HIPAA and HITECH Compliance for Covered Entities using Call Analytics Software

CONTACT CallRail 100 Peachtree Street NE (888) 907-4718 sales@callrail.com LEGAL DISCLAIMER: The materials in this white paper are provided for informational purposes only and do not constitute legal advice. Transmission of the information is not intended to create, and the receipt does not constitute, an attorney-client relationship between sender and receiver. The information is offered only for general informational and educational purposes and does not constitute legal advice or legal opinions. You should not act or rely on any information contained in this white paper without first seeking the advice of an attorney. All risk of loss or damage is solely that of the user and the company disclaims any liability thereof.

Contents Introduction......................................... 5 Why HIPAA Compliant Call Tracking is Necessary................. 6 What The Law Requires.................................. 7 Who Can Provide HIPAA Compliant Call Tracking................. 9 CallRail s HIPAA Implementation........................... 10 Conclusion........................................ 13 Frequently Asked Questions............................. 16 4 CallRail Healthcare Marketing

Introduction Like most businesses, many medical practitioners market themselves to potential new customers and patients. It s no secret that call tracking provides key insights into which marketing campaigns and online ads are providing the highest-quality leads. Yet maintaining the privacy and security of protected health information introduces significant challenges to out-of-the-box call tracking solutions. CallRail s Healthcare Marketing, HIPAA compliant plans help Covered Entities and the marketing agencies serving them to maintain compliance with the regulations set forth by HIPAA and HITECH. 5

Why HIPAA Compliant Call Tracking is Necessary Phone calls are intimate, one-on-one conversations between health providers and the patients and customers they serve. They frequently involve the discussion of personal issues and medical history. While recording incoming calls can provide significant benefits in determining lead quality and training staff members, the contents of these conversations can clearly contain personal health information. Even without an audio recording of the call, the fact that the call happened at all creates health information that links an individual to a medical practice and the types of services they provide. If the call is to a tracking number that indicates a specific marketing campaign, or one that links an online visitor and their search keywords, an even greater picture of the caller s medical needs and history begins to emerge. 6 CallRail Healthcare Marketing

What the Law Requires The Health Insurance Portability and Accountability Act (HIPAA) requires that this health information be protected from disclosure and misuse. In 2009, this was expanded by the Health Information Technology for Economic and Clinical Health Act (HITECH) to cover all business associates with access to health information, which includes call tracking providers. There are two key components to HIPAA compliance: the Privacy Rule, and the Security Rule. The Privacy Rule dictates what is considered Protected Health Information (PHI), and who may use and access this information. The Security Rule describes how this information is protected, including operational safeguards and technical measures. According to the Privacy Rule, use of call tracking falls under the administrative operations usage of PHI. It is acceptable for this PHI to be shared with CallRail, but only when a Business Associate Agreement (BAA) is in place. If a marketing agency is assisting the healthcare provider then two cascading BAAs are required one between the provider and the marketing agency, and 7

one between the marketing agency and CallRail. The Security Rule requires CallRail to have operational safeguards in place to prevent unauthorized disclosure of PHI. CallRail has these measures in place, but the BAA is legally required to guarantee this to the healthcare provider for proper compliance with HIPAA regulations. In addition, the security rule requires additional technical safeguards, which are enabled for CallRail s HIPAA customers. 8 CallRail Healthcare Marketing

Who Can Provide HIPAA Compliant Call Tracking Covered Entities must select a provider that takes their HIPAA compliance responsibility as seriously as they do. It is crucial to work only with service providers who have designed an end-toend solution to meet the requirements of HIPAA and HITECH. Those providers will be willing to sign a Business Associate Agreement certifying their implementation and responsibilities. Entering into a Business Associate Agreement allows delegation of specific operational responsibilities to thirdparty service providers such as CallRail. This BAA grants the third-party service provider the right to collect and store Protected Health Information on behalf of the healthcare provider. CallRail s software, platform, infrastructure, and processes have all been carefully designed to ensure that clients data is protected and their responsibilities fulfilled. 9

CallRail s HIPAA Implementation CallRail takes data security very seriously for all customers. The following protections are in place for customers on HIPAA compliant CallRail plans: All data encrypted in transit As required by the Security Rule, all access to CallRail is encrypted via SSL to protect data from interception on network points between the user and CallRail. Links between CallRail and other providers are also fully encrypted. Transmission via cipher suites or SSL versions with known weaknesses is prevented. All data encrypted at rest As required by the Security Rule, all call records, web visitor sessions, and call routing details are fully encrypted when stored on disk. This data is seamlessly decrypted as-needed for reporting purposes when accessed by the customer. Recorded audio is also securely encrypted, and only decrypted when needed for playback and registered to an authorized user. These precautions 10 CallRail Healthcare Marketing

protect the data even if hard drives fail, or are decommissioned or stolen. Protection for external systems Call alert emails, integrations, and other CallRail features could potentially expose PHI to external systems that aren t considered HIPAA compliant. In these cases, CallRail prevents transmission of call details to those systems and instead provides a link that requires the user to login to review the information. This protection also applies for web visitor sessions, text messages, form captures, and any other data CallRail may collect and record. Secure access Individual users are granted their own login credentials, which can be controlled by an administrator. Login sessions automatically expire after a brief period of inactivity to prevent unauthorized access. Full audit history HIPAA requires logging for all access and modification to PHI. For HIPAA plans, all access is to the application is logged by user, timestamp, and IP address. Playback of any call recording, as well 11

as all changes to calls, tags, or configuration are similarly logged. Dedicated, single-tenant equipment HIPAA requires that the data owner have hands on access to all equipment used for data processing. CallRail uses only dedicated hardware, and does not make use of virtual machines on shared-tenancy hardware for customers covered by a BAA. Firewalls and private network gap for all machines containing PHI The databases, application servers, and other machines responsible for routing calls and running the CallRail application and services are isolated and inaccessible via the public internet (except the web application itself, of course). This private network is protected by a pair of redundant hardware firewalls to ensure only expected traffic is allowed. 12 CallRail Healthcare Marketing

Conclusion Call tracking has numerous benefits, but must be done in accordance with the law for entities covered by HIPAA and HITECH. CallRail has the expertise to provide world-class call tracking for those with compliance needs. Contact Us for a Demo: 888-907-4718 Sales@callrail.com 13

Legal Disclaimer The materials in this white paper are provided for informational purposes only and do not constitute legal advice. Transmission of the information is not intended to create, and the receipt does not constitute, an attorneyclient relationship between sender and receiver. The information is offered only for general informational and educational purposes and does not constitute legal advice or legal opinions. You should not act or rely on any information contained in this white paper without first seeking the advice of an attorney. All risk of loss or damage is solely that of the user and the company disclaims any liability thereof. 14 CallRail Healthcare Marketing

Frequently Asked Questions

What security enhancements were made for the HIPAA-compliant version of CallRail? Numerous changes support CallRail s HIPAAcompliant service: Full data encryption, both in transit and at rest Secure, encrypted recording storage Full access and modification audit logs Elimination of third-party tools to prevent disclosure of PHI Dedicated, redundant, single-tenant hardware for all HIPAA plans All machines containing PHI isolated from public internet via firewalled private network Session timeout enforcement for all users of HIPAA accounts Are any features unavailable in the HIPAAcompliant version of CallRail? It is not possible to secure a BAA with all thirdparty providers. Because of this, we are unable to provide voicemail transcription for customers with HIPAA compliance needs. By enabling integrations in HIPAA compliant accounts, you warrant that your organization has the appropriate administrative and technical safeguards in place to share data, potentially including PHI, with Google Analytics. 16 CallRail Healthcare Marketing

Furthermore, you warrant that you personally have the authority to activate the integration. You also warrant that your organization has the appropriate Business Associate Agreement in place with the integration provider, if required. Finally, alert emails are modified to ensure no PHI is included. For call alerts this means the caller s name and phone number will not be included, and the recording link (if applicable) will require a login. Text message and lead capture alerts will primarily consist of a link back to CallRail for reviewing the content. Note that since Notification Only users cannot log in, they will only be able to see alerts about when these events happen. If these users need access to PHI, they will need to be promoted to Client Reporting users. Are any additional features added for the HIPAAcompliant version of CallRail? Two security-related features are added for CallRail s HIPAA plans. First, users of HIPAA accounts will have sessions that automatically expire after a short period of inactivity. This helps protect against prying eyes when computers are left unlocked. Second, full audit trail logging is enabled to document all access and modification history. Will CallRail sign a Business Associate Agreement (BAA) with my business? 17

Yes, CallRail will provide a BAA to cover the agreement with customers. This BAA can be enacted quickly by electronic signature. What protections exist if I don t have a Business Associate Agreement on file with CallRail? CallRail is confident in its security, even without a BAA in place. However, use of CallRail involving PHI without a BAA in place is strictly prohibited by the Terms of Service. In that case no legal protections are afforded, which places significant financial and legal liability on the healthcare provider. In addition, the extra security measures enabled for HIPAAcompliant customers cannot be activated without a BAA and HIPAA-compliant plan. Will CallRail alert me if my use of the service falls under the scope of HIPAA? No, CallRail cannot audit customers to determine if their use of the application is subject to HIPAA regulations. Knowing the regulations that apply to a particular scenario is solely the customer s responsibility. Does CallRail maintain a BAA with any thirdparties? 18 CallRail Healthcare Marketing

Yes, CallRail maintains Business Associate Agreements with third-party providers of hardware equipment and infrastructure services. Does CallRail maintain access logs to all PHI? Yes, CallRail logs all access to the application with the logged-in user, timestamp, and their IP address. Any changes to data and configuration are logged for audit purposes as well. In the case of a suspected breach or misuse, this audit log can provide a confirmed history of access. This data is highly technical, and therefore not currently available within the application. Access to this data can be obtained by contacting support. For complex requests, a research fee may apply. Can I simply prevent my call tracking provider from gaining access to PHI? A call tracking provider must handle both the source caller ID and the destination phone number in order to route a call. This data alone is enough to connect an individual to a marketing campaign or medical practice, which creates PHI. Simply hiding this data in the tool or asking that it be deleted does not absolve the call tracking provider from responsibility. 19

100 Peachree Street NE Atlanta, GA 30303 888.907.4718 sales@callrail.com www.callrail.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information