Maintaining HIPAA Compliant Messaging in Call Centers through COVID-19

Key learnings:

  • Why you need HIPAA-compliant messaging in addition to live voice in your call centers.
    • “But what about HIPAA-compliant messaging in call centers”
  • HIPAA-compliant rules and regulations and changes to rules during COVID-19.
    • Link to heading “HIPAA violations can result in civil and criminal penalties—and more.”
  • How to maintain HIPAA-compliant messaging in your call center.
    • Link to heading “How to maintain HIPAA-compliant messaging in your call center.”

Many healthcare organizations are reviewing clinical communication tools and moving to more sophisticated clinical collaboration platforms (CCPs) in response to increased demand for streamlined communications and workflows. Maintaining HIPAA-compliant messaging, supporting higher-level collaboration between clinicians, providing easy access to all healthcare elements, and reducing alert fatigue are all factors in the decision-making process.

But what about HIPAA-compliant messaging in call centers?

Healthcare call centers are often overlooked in the initial evaluation of an organization’s communication and collaboration needs. Yet, these same call centers can be the heart of communications with clinical staff.

Call centers provide a patient’s first impression of a physician practice, hospital, ambulatory care center, or nursing home. They field incoming and prospective patient contacts, maintain after-hours availability, and manage levels of emergency contact between patients and clinicians. They even direct calls and text messages to the appropriate offices or individuals.

Especially now during the COVID-19 pandemic when fast transmission of sensitive patient health information is vital, HIPAA-compliant messaging is essential for call centers.

“The COVID-19 pandemic has compelled most healthcare organizations to adjust their operating procedures and workflows to ensure critical business continuity,” according to Andrew Steger, editor of Health Tech Magazine. “Among those efforts is a massive shift to remote work and care. The move, however, has made HIPAA compliance much more difficult,” he notes.

Workarounds—such as texting on a non-secure messaging platform— can violate HIPAA.

Like most health-related operations, call centers are keenly aware of the importance of HIPAA compliance and typically have policies in place to protect private health information. Their policies state that personal health information (PHI) cannot be sent via unsecured platforms, such as text or SMS messaging. But call center employees are under the gun to be efficient and to expedite patient care. So, they may work around these policies by texting – which is outside of HIPAA compliance unless they are using a secure messaging platform.

During the pandemic, many health centers are operating remotely. “Based on The Taylor Reach Group’s research of the COVID-19 impact on contact centers released in June,” writes Colin Taylor, reporting for TechTarget. “87% of centers have remote agents, up from 15% before the pandemic.” Remote agents, call center employees working from home may violate HIPAA compliance by using workarounds such as SMS messaging or texting on non-secure messaging platforms.

HIPAA compliance for call centers is an essential consideration for every company providing an answering service or call-forwarding service for the healthcare industry,” according to the HIPAA Journal, described as the number one online resource for all matters relating to HIPAA. “Since the Final Omnibus Rule updated the Health Insurance Portability and Accountability Act (HIPAA) in 2013, all service providers processing, storing, or transmitting ePHI directly or on behalf of a healthcare organization are subject to the same Privacy and Security Rules as the healthcare organization itself.”

HIPAA violations can result in civil and criminal penalties—and more.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. HIPAA violations can include civil and criminal penalties and can cause legal fees, financial penalties, loss of business, loss of trust, and reputational damage.

Most healthcare organizations are aware of HIPAA violations’ risks and penalties and work with established processes to maintain HIPAA compliance. But under duress, healthcare call centers can resort to using unsecured text and SMS messaging platforms to get critical patient health information to physicians quickly.

Specific HIPAA rules are relaxed during the COVID-19 national emergency.

In April 2020, the Office for Civil Rights (OCR) at the HHS issued notification of enforcement discretion for Telehealth remote communications during COVID-19. “Under the notice, covered health care providers may use popular applications that allow for video chats,” according to the OCR. The applications listed in the notice include Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, and Skype.

Usage of these applications to provide telehealth services will be permitted during the national health emergency without the risk that OCR might seek to impose a penalty for non-compliance with the HIPAA regulations. “Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications,” states the notice from the OCR.

Why the OCR notice should not be seen as a “free pass” for HIPAA compliance.

“The notice is helpful for providers administering care to at-risk patients, but it’s still a temporary solution — and it shouldn’t be viewed as a free pass,” states Andrew Steger. According to Steger, healthcare providers are an increasingly attractive target for hackers during the current public health emergency. According to the Department of Homeland Security, advanced persistent threat (APT) hacking groups are exploiting the COVID-19 pandemic to target healthcare providers and other essential services.” And HIPAA rules will still apply to healthcare workers once the federal provisions have lifted, no matter where or how their work is performed,” warns Steger.

An article published on Relias Media, a trusted resource for healthcare information and continuing information, reminds us that even with waivers and relaxed requirements, OCR still expects HIPAA compliance. “OCR is taking this pandemic very seriously and trying to be helpful in providing guidance and clarification on enforcement. But make no mistake — HIPAA is still here,” says Lucie F. Huger, JD, an officer with Greensfelder in St. Louis. “Compliance is still very important. Even though we have a pandemic, HIPAA still should be a significant concern.”

How to maintain HIPAA-compliant messaging in your call center.

Currently, there is no end date in sight for the COVID-19 national health emergency. Healthcare organizations are under enormous pressure to respond to current demand while planning and staffing for the possibility of surges in the virus. The use of telehealth is expected to continue, and even to grow, after the emergency has been lifted. Under these circumstances, maintaining a HIPAA-compliant call center is not only practical, but it is also essential.

So how to maintain HIPAA-compliant messaging in your call center during and after the national health emergency? Deploying a clinical collaboration platform (CCP) that provides HIPAA-compliant secure messaging functionality is the answer. With the implementation of a system-wide CCP that includes affiliated call centers, your health system can consolidate clinical communication vendors, provide secure messaging capabilities to call center employees, and ensure all of their communication is HIPAA-compliant.


Maintaining HIPAA-compliant messaging in your organization’s call centers through the COVID-19 national health emergency is not only practical but advisable. This is true despite the short-term relaxation of some of the HIPAA regulations governing telehealth practices.

One of the most expedient and cost-effective ways to maintain compliance and avoid violations is to deploy a clinical collaboration platform with HIPAA-compliant messaging.

Hear our CEO Dr. Jose Barreau discuss the importance of a clinical collaboration platform and how Halo Health addresses this need with our CCP.
Making the Case for a Clinical Collaboration Platform
Share on facebook
Share on twitter
Share on linkedin
Share on email

Get Insights in your Inbox:

Download our ROI White Paper Here