3 Million Dollar Cyber Liability Insurance Policy
Most people don’t know that in the event of a fine being levied for a HIPAA violation, if we (the answering service) cannot pay the fine, then the Secretary’s office will come after you (the customer) to satisfy the fine. A 1 million dollar fine would cripple and bankrupt most answering services. Business Centers has a 3 million dollar Cyber Liability Insurance Policy to protect not only us, but you as well.
Most answering services do not qualify for this insurance. It is not a matter of affording the premiums, but rather because of a number of factors. Our business practices, our HIPAA-certified employees and our record keeping with off-site message storage allows us to qualify for this special coverage. Our insurance company’s computer hacking team even did intensive testing of our firewall and was happy with our security.
TLS Encryption for Email
If your email server supports TLS encryption, we are able to send messages and/or a message summary report to you via email rather than fax. Our IT department can ping your server in 15 seconds and determine if you have this form of encryption. Recently, we informed a hospital in the Midwest that their email was not encrypted. They balked, insisting that it was encrypted. It turned out that their inbound email supported TLS but not their outbound email, which they were unaware of. We could not accept anything containing PHI from this hospital until it was corrected by our IT department.
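The inbound-versus-outbound gap described above is visible from the receiving side: the Received header that our own server writes records whether the hop from the sender used TLS (ESMTPS/STARTTLS) or plain SMTP. The following is an added example (not code from Business Centers), with constructed hostnames and a constructed message, that reads the Received chain and reports the protection of the final hop into a named server.

```python
import re
from email import message_from_string
from typing import Optional

# Constructed sample: the hospital's internal hop used TLS (ESMTPS), but the
# delivery to our server (topmost header) arrived over plain SMTP.
SAMPLE_MESSAGE = """\
Received: from mail.example-hospital.test (mail.example-hospital.test [192.0.2.10])
    by mx.answering-service.test with ESMTP id abc123
    for <oncall@answering-service.test>; Mon, 1 Jan 2024 10:00:00 -0600
Received: from ehr.internal.example-hospital.test (ehr.internal [10.0.0.5])
    by mail.example-hospital.test with ESMTPS (TLSv1.2) id def456;
    Mon, 1 Jan 2024 09:59:58 -0600
From: records@example-hospital.test
To: oncall@answering-service.test
Subject: Patient callback

Body omitted.
"""

# Markers that common MTAs (Postfix, Sendmail, Exchange) put in a Received
# header when the hop was protected by STARTTLS/TLS.
TLS_MARKERS = re.compile(
    r"\bwith\s+(?:ESMTPS|ESMTPSA|SMTPS|UTF8SMTPS)\b|\bTLS(?:v?1\.\d|1_\d)\b", re.I
)


def received_hops(raw: str) -> list:
    """Return Received hops oldest-first; each has the unfolded text and a TLS flag."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # headers are newest-first
        text = " ".join(value.split())  # unfold continuation lines
        hops.append({"text": text, "tls": bool(TLS_MARKERS.search(text))})
    return hops


def inbound_hop_used_tls(raw: str, our_host: str) -> Optional[bool]:
    """Was the hop into our_host protected by TLS? None if no such hop is recorded.

    Only the header written by our_host itself is trustworthy; earlier Received
    lines are supplied by the sender and can be forged or mistaken.
    """
    pattern = re.compile(r"\bby\s+" + re.escape(our_host) + r"\b", re.I)
    for hop in received_hops(raw):
        if pattern.search(hop["text"]):
            return hop["tls"]
    return None


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print("TLS" if hop["tls"] else "PLAIN", "|", hop["text"][:70])
    print("inbound hop TLS:", inbound_hop_used_tls(SAMPLE_MESSAGE, "mx.answering-service.test"))
```

A result of False for the hop into your own server is exactly the case in the hospital story: the sender accepts TLS inbound but delivers outbound in the clear, and PHI in that message was exposed in transit.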
Secure Message Delivery App
Business Centers strongly recommends the use of a Secure Message app on the cellphones of medical personnel. It provides fast, reliable, 2-way communication while keeping down costs for your organization. It eliminates the need to call in and pick up messages verbally. Once you open and read a Secure Message from our answering service, a read receipt is sent to our equipment, which then stamps the message as delivered and no further action is required on our part. That ‘message delivered’ stamp becomes part of the permanent record set. If the message is unread after X minutes, we call the specified On-Call medical personnel by cell phone to deliver the message.
Currently we support Mediprocity, TigerText, AMS Connect, AMTELCO’s miSecure Message and Spectrum Secure apps. As new providers become available, our IT department can interface with other carriers with access to their API.
For those clients who do not use a secure message system at all and insist on using a cell phone for text messaging, we will still do this as long as we strip out all PHI. It essentially turns the cell phone’s text message capabilities into those of an old-style digital pager.
Business Associate Agreements
We require any answering service customer who deals with PHI to have a Business Associate Agreement (BAA) with us. Smaller companies tend to use the BAA, which we supply, to make them the Covered Entity and us the Business Associate. Larger companies tend to use a BAA created by their own legal department. Our clients are at liberty to use either option. If they use their own BAA, then the agreement is subject to review and changes by our compliance officer. We have surprised attorneys in the past because we actually read the BAA they supplied and do not blindly sign it.
HIPAA 30 day emergency operation plan (NIST 800-66)
You must be able to operate your business for up to 30 days in an “Out of Office” disaster event.
Within HIPAA documents, there are many references to the National Institute of Standards and Technology (NIST) standards. Buried in the back of NIST 800-66 is Appendix F: Contingency Planning Defined. Under Continuity of Operations Plan (COOP), Table 8 states that you must have “A predetermined set of instructions or procedures that describe how an organization’s essential functions will be sustained for up to 30 days as a result of a disaster event before returning to normal operations.”
We can help your organization meet this disaster plan requirement. We can make arrangements to man your phone lines 24 x 7 until you are back in your own facility (see Our Facility page). Remember that a portable generator does not constitute a disaster plan.
Telephone or Dial Tone Redundancy
We are currently switching to a dial tone provider that has a totally redundant switching system in two different cities. Plus, we have redundant internet service connections to them and can provide emergency numbers in a different city so that your customers can always reach you.