As Threat Levels Surge, Here’s How Healthcare Contact Centres Can Stay HIPAA Compliant
By Finn Rafter-Phillips, Sector Specialist, Healthcare, IPI
The Health Insurance Portability and Accountability Act (HIPAA) has been around for nearly three decades. But its focus on patient data security and privacy has never been more relevant amid a volatile threat landscape. In 2023, two unenviable new records were set: the highest number of reported data breaches (725) and of exposed patient records (133 million) in a single year.
As a critical link in the healthcare supply chain that handles highly regulated patient data, Contact Centers are an attractive target for cyber-criminals. The good news is that the right technology partners can not only help to mitigate reputational, financial and compliance risk, but also enhance operational efficiency and the patient experience.
Healthcare in the crosshairs
Healthcare organizations (HCOs) and their service providers have always been high on the priority list for malicious actors. Part of that is down to the sheer volume of sensitive and highly monetizable information they store. Patient and employee financial and personal information, as well as protected health information (PHI), can be used in follow-on identity theft and health insurance fraud campaigns, or even to blackmail the victims.
IT budget constraints, highly distributed technology environments, large numbers of users and unmanaged devices, and IoT/OT assets also expand the typical cyber-attack surface. All of which helps explain why, since records were first published by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in 2009, there have been nearly 6,000 large healthcare breaches reported to the government.
Unfortunately, there seem to be no signs of things slowing down. The latest figures for 2024 show more than 435 recorded incidents in just the first half of the year, putting it on track for another record. The sector continues to be the most expensive in terms of the cost of data breaches: estimated by IBM to be $9.8m, versus $4.9m across all verticals.
What HIPAA demands
Against this backdrop, HIPAA requires HCOs and their service providers (business associates, in HIPAA's terms) to put rigorous security and privacy measures in place to protect sensitive patient information. These include encryption of data at rest and in transit (stored call recordings included), staff training, compliant hardware and software, and access controls that protect PHI from unauthorized access, alteration or destruction.
The penalties for breaking the law are severe – ranging from $137 to nearly $70,000 per violation. Criminal penalties can also be levied for severe infractions, and state attorneys general are able to bring civil cases against erring companies, which could further compound the financial and reputational damage. Those found wanting may also be required to adopt a corrective action plan to bring their compliance program up to HIPAA standards.
What IPI offers
Why should Contact Centers care? Because they sit at a critical interface between patient and HCO, taking card payments and managing and storing sensitive personal information and PHI. As such, failure to comply with HIPAA could result in major regulatory fines and critical reputational damage.
That makes a powerful case for Contact Center managers to ensure they have the right people, process and technology in place to mitigate any HIPAA-related risk. IPI offers several features which can help protect sensitive personal and payment information which customers/patients may need to hand over to agents during calls or digital sessions.
Part of this is about reducing the scope of compliance by removing the most sensitive element – the data itself. Pauseable is IPI’s automated pause and resume technology which, as the name suggests, automatically pauses the call recording while a card payment is taken over the phone. This means that payment details are never written to the Contact Center’s recording systems, where they could otherwise be accessed and/or exfiltrated by malicious actors. (Card data itself is principally PCI DSS scope, but the same call carries PHI, so keeping the payment segment out of the recording shrinks both.) Recording resumes automatically once the payment information has been taken.
DTMF (Dual Tone Multi-Frequency) suppression technology adds a further layer of security by masking the keypad tones callers generate when they key in a card number, so neither the agent nor the recording receives the digits. Both solutions can be deployed as part of IPI’s Automated IVR Payment offering, which routes the payment section of a call to IPI’s secure cloud via on-demand media technology. It integrates with third-party IVR technology to offer a streamlined user experience (UX) for the caller.
Another option is pay-by-link functionality: a Contact Center agent sends the customer a link via a chat window. It uses a SAD token system to ensure any personal or financial information entered by the customer is hidden from the agent. Meanwhile, in the background, the token creates a link to third-party platforms such as CRM apps, insurance carriers, and health record providers. Once again, the sensitive data itself never touches the Contact Center’s systems, which reduces breach risk and takes it out of compliance scope.
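To make the three mechanisms above concrete (pause/resume of the recording, DTMF masking, and handing off a token rather than the card number), here is an added example that models a call as a stream of events and shows what reaches the stored recording. It is constructed for this page and is not IPI’s product code: the event names, the `Recorder` class, the demo tokenisation key and the sample call are all assumptions, and the test card number 4111 1111 1111 1111 is the standard Luhn-valid dummy.

```python
"""Data-minimising call recorder: pause/resume, DTMF masking, tokenisation.

Constructed example, not IPI's product code.  A call is modelled as a
stream of (kind, payload) events; the class shows what reaches the stored
recording and what is handed off as a token instead.
"""
import hashlib
import hmac

# Demo key only (assumption): a real deployment keeps this in an HSM or
# secrets vault, and the tokenisation service, not the recorder, holds it.
_TOKEN_KEY = b"demo-only-token-key"


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, so only a plausible PAN is ever tokenised."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def tokenise(pan: str) -> str:
    """Keyed surrogate for the PAN: stable per card, useless without the key."""
    mac = hmac.new(_TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()
    return "tok_" + mac[:16]


class Recorder:
    """Records speech, pauses for payment, never stores DTMF digits."""

    def __init__(self):
        self.recording = []       # what would be written to storage
        self.payment_tokens = []  # (token, last4) passed on to CRM/billing
        self.paused = False
        self.stray_dtmf = 0       # digits keyed while recording was live
        self._digits = []         # in-memory only, cleared on payment_end

    def handle(self, event):
        kind, payload = event
        if kind == "payment_start":
            self.paused = True
            self.recording.append("[recording paused for payment]")
        elif kind == "payment_end":
            pan = "".join(self._digits)
            self._digits.clear()
            if luhn_ok(pan):
                token = tokenise(pan)
                self.payment_tokens.append((token, pan[-4:]))
                self.recording.append(
                    f"[payment captured: {token} ending {pan[-4:]}]")
            else:
                self.recording.append("[payment failed: card number rejected]")
            self.paused = False
            self.recording.append("[recording resumed]")
        elif kind == "dtmf":
            # Fail safe: keypad tones are kept out of the recording in every
            # state, so a card keyed before the agent triggers the pause
            # still never lands on disk.  Only digits keyed inside the
            # payment window are forwarded; the rest are counted so a
            # supervisor can see the pause was triggered late.
            if self.paused:
                self._digits.append(payload)
            else:
                self.stray_dtmf += 1
        elif kind == "speech":
            if not self.paused:
                self.recording.append(payload)
        else:
            raise ValueError(f"unknown event kind {kind!r}")


def run_call(events):
    """Feed an event list through a fresh Recorder and return it."""
    rec = Recorder()
    for ev in events:
        rec.handle(ev)
    return rec


# Constructed sample call using the 4111 1111 1111 1111 test card number.
SAMPLE_CALL = [
    ("speech", "agent: Thanks, I can see your appointment for Tuesday."),
    ("speech", "agent: I'll take the co-pay now; please key your card number."),
    ("payment_start", None),
    ("speech", "agent: Go ahead whenever you're ready."),
] + [("dtmf", d) for d in "4111111111111111"] + [
    ("payment_end", None),
    ("speech", "agent: All done, you'll get a receipt by email."),
]

if __name__ == "__main__":
    rec = run_call(SAMPLE_CALL)
    print("\n".join(rec.recording))
    print("tokens handed off:", rec.payment_tokens)
```

The design choice worth noting is that DTMF is dropped from the recording unconditionally rather than only while paused: agent-triggered pause/resume on its own leaves a window in which a caller who keys digits early puts card data on disk, which is exactly the gap the article’s “extra layer” of DTMF suppression closes. The `stray_dtmf` counter makes that late-pause failure visible to supervisors instead of silently discarding it.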
Beyond compliance
The US healthcare sector can be a competitive industry. Providers are always looking for ways to improve the patient experience and back-office efficiencies without increasing compliance or other business risks. The goal should be compliance treated not as a box-ticking obligation but as something built naturally into every business decision. In this way, the Contact Center solutions organizations purchase shouldn’t merely cross another HIPAA requirement off the list. They should add genuine business value in other ways – driving growth as well as reducing risk.
This is where HIPAA solutions like those above can help healthcare Contact Centers truly differentiate. Yes, they minimize the opportunities for threat actors to access sensitive information, by supporting data minimization best practices. But they do so in a way that enables Contact Centers to meet their customers where they are, providing secure ways to pay via both traditional phone-based and digital channels. The focus is on automation, with any rerouting hidden from the customer, so that their experience is uninterrupted.
Contact Center managers looking to refresh their technology stack over the coming year have a great opportunity – not only to ensure they remain on the right side of HIPAA compliance, but also to improve UX. Look for a technology provider that goes beyond the usual transactional relationship – taking time to build a true partnership based on business requirements and regulatory red lines. It could turn compliance from a cost center into a business differentiator.