HIPAA Compliance and Customer Feedback


Share on LinkedIn

Vocalabs has several healthcare-related clients, so we are used to dealing with the privacy and security requirements of HIPAA. Some recent changes to the regulations will mean significant new requirements for what a company like us needs to do to remain HIPAA compliant after September 2013.

Since Vocalabs itself is not a healthcare company, we are not what’s called a “covered entity” under the regulations. Rather, we are a “business associate,” which is basically any company which a covered entity hires to perform some work which may require sharing protected health information.

Many non-healthcare companies hired by a covered entity would also be considered business associates–for example: accountants, IT services, lawyers, business process consultants, etc.

Under the old rules, a business associate had to sign a contract with the covered entity that basically promised to keep protected health information private and secure. Business associates had to maintain the same level of privacy and security as the covered entity, but did not have to go through the formal documentation and review process.

After September, though, business associates have to follow all the security rules as a covered entity (at least insofar as they can reasonably be applied) and produce the same formal documentation and policies. What’s more, to the extent that a business associate subcontracts to a third party which may also receive protected health information, that subcontractor also has to comply with all the policy and documentation requirements.

These new requirements can potentially be a big problem for some survey companies. At Vocalabs, our existing policies and processes are already consistent with HIPAA requirements, so for us it will be mostly a matter of documenting and formalizing what we already do. But at companies which aren’t as security-minded, the HIPAA changes could require large investments in infrastructure, training, and compliance.

So how does all this apply to Customer Feedback?

Keep in mind that the HIPAA rules only apply to “protected health information,” which has a very specific legal definition. It’s basically health- and care-related information created by a healthcare company (doctor, hospital, insurance company, etc.) which can be tied to a specific, identifiable patient. Customer feedback is not, by itself, protected health information.

But sometimes we need to have protected health information in order to gather useful feedback. For example, we need to know the patient’s phone number to call him or her, and that phone number combined with the fact that there had been a hospital visit could arguably qualify as “protected health information.” So to be on the safe side, we will treat it as PHI. For analysis purposes, we may also want to know the doctor’s name, hospital, or other details which can really help understand how to improve the patient’s experience but which clearly need to be protected.

So between now and September we will be updating our security and privacy policies, revising contracts, and doing everything we need to do to remain fully HIPAA compliant under the new rules. And anyone else collecting customer feedback around healthcare will need to do the same.

Republished with author's permission from original post.

Peter Leppik
Peter U. Leppik is president and CEO of Vocalabs. He founded Vocal Laboratories Inc. in 2001 to apply scientific principles of data collection and analysis to the problem of improving customer service. Leppik has led efforts to measure, compare and publish customer service quality through third party, independent research. At Vocalabs, Leppik has assembled a team of professionals with deep expertise in survey methodology, data communications and data visualization to provide clients with best-in-class tools for improving customer service through real-time customer feedback.


Please use comments to add value to the discussion. Maximum one link to an educational blog post or article. We will NOT PUBLISH brief comments like "good post," comments that mainly promote links, or comments with links to companies, products, or services.

Please enter your comment!
Please enter your name here