Don't Underestimate the Importance of HIPAA Compliance

HIPAA Compliance Is More Than a Best Practice, It’s the Law

Over twenty years ago, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was born. Even now, two decades later, we’re still grappling to understand the ramifications of this wide-ranging act that continues to evolve.

Here’s a quick and basic overview as it relates to the answering service industry. First, HIPAA applies to healthcare providers. The act calls these covered entities (CE). It also addresses organizations that work for CEs. They’re called business associates (BA). A telephone answering service with an account in the healthcare industry is a BA of that account. That means the answering service falls under the requirements of HIPAA regulations. A failure to comply can result in fines and a loss of standing in the medical community.

The key element of HIPAA, as it relates to answering services, is protected health information (PHI). Answering services with medical accounts must properly handle protected health information. This includes data storage and transmission, that is, at rest and in motion. This likely means secure computer centers, encrypted archives, HIPAA-trained staff, and secure messaging apps.

Let’s take a brief look at each one.

Secure Computer Centers

There are varying degrees of security, but an open or unlocked door to an equipment room is not one of them. At the most basic level, security requires locked doors and limited access. If your equipment is on premises, these measures fall to you to provide and maintain. If your system is off-site, such as hosted, SaaS, or cloud-based, you must make sure your vendor provides adequate facility security on your behalf. If they fail to do so, you’re on the hook.

Encrypted Archives

Most answering services store messages on their main platform for a short time. Then they move older messages off the system and into a storage facility. In addition to securing physical and remote access to this facility, the goal is to limit the data’s usability should it fall into the wrong hands. Though not an absolute requirement of HIPAA, it’s a best practice to encrypt all archives.

HIPAA-Trained Staff

HIPAA also requires compliance training for new hires and regular, ongoing training for all staff. Though the regulations don’t specify how frequently training must occur or what it must cover, it’s critical to document that HIPAA training took place and what information it covered. Most organizations opt for annual training, with more frequent sessions as needed. Usually, a HIPAA instructor provides the training. This could occur onsite, remotely with a live presenter, or by recorded video. Don’t skip this step.

Secure Messaging Apps

Perhaps the best-known requirement of HIPAA in the answering service industry is the use of secure messaging apps. Nearly all major TAS vendors provide this capability. If your system doesn’t allow for secure messaging, it’s up to you to figure out how to communicate effectively with your clients and still maintain compliance. This is a difficult goal to achieve without secure messaging apps.


Although most medical answering services take HIPAA compliance seriously, not all do. A few take shortcuts, and some others ignore it, hoping they’ll never get caught. But this is risky, as it puts the future of the entire answering service, its employees, and its clients in jeopardy, not to mention the protected health information of the clients’ patients.

Many organizations, including ATSI, help with HIPAA compliance. Their offerings include employee training, compliance consulting, and a business associate contract, among other things.

Don’t leave HIPAA compliance to chance. Review your current practices, and then correct any shortcomings. Do it today.
