Healthcare Contact Center Compliance and Data Security

Healthcare contact centers collect and store a wealth of sensitive patient information, making them prime targets for fraud—both inside and outside the organization. So when it comes to data security, healthcare contact centers have their work cut out for them.

In the US alone, healthcare data breaches are reported at a rate of more than one per day; the healthcare industry has the highest costs associated with data breaches, at $408 per lost or stolen record. That’s nearly three times higher than the average in other industries. These breaches expose patients’ personally identifiable information—from medical records to payment card data and beyond. This not only puts patients at risk, but it also tarnishes the reputations of providers and costs them significant amounts of money.

In addition, healthcare contact centers—whether they reside in hospitals, doctors’ offices, insurance/collection agencies, or pharmacies, or are completely outsourced—must comply with a laundry list of regulations. This list includes not only the Health Insurance Portability and Accountability Act (HIPAA) and the new EU GDPR but also the ever-evolving Payment Card Industry Data Security Standard (PCI DSS). Most importantly, they must provide the best possible customer service, because they serve as the primary touchpoint for all patient matters.

Healthcare Contact Center Data Security and Compliance Obstacles

Sutter Physician Services (SPS), one of California’s most comprehensive healthcare systems, was challenged with ensuring data security and meeting compliance requirements. SPS contact centers used an IVR system to take patient payments over the phone. However, the IVR created frustrations among customers because of misheard or mis-keyed numbers. And that led to premature hang-ups and abandoned calls.

The alternative solution—a point-of-sale (POS) system at every patient service representative’s (PSR) workstation—also created problems. As patients read their credit/debit card numbers aloud, PSRs manually typed them into the POS device. Yet, SPS still had numerous elements in scope for compliance with PCI DSS, including the verbalized cardholder data and the PSRs themselves. They found a cure for this problem with Genesys AppFoundry partner Semafone.

The Semafone Prescription

Because SPS already used the Genesys Customer Experience Platform, they selected Cardprotect from Semafone. Cardprotect lets callers enter their payment card details directly through their phone keypad. Using dual-tone multi-frequency (DTMF) masking technology, Cardprotect shields card numbers from agents, call recording systems and even nearby eavesdroppers by replacing each keypad tone with a flat tone, so the audio that reaches them carries no information about which key was pressed.

Card details are sent directly to the company’s payment processor—they never touch the contact center’s IT infrastructure, which takes that infrastructure out of scope for PCI DSS. In addition, PSRs can remain on the line with the caller, answering questions and handling wrap-up tasks to ensure a smooth customer journey and improved customer service.
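As an added illustration (it is neither Semafone’s code nor part of the original post), the following Python simulates the DTMF-masking data flow in miniature: it synthesises the two-tone keypad signal a handset sends, decodes it with the Goertzel algorithm the way a call recorder or an eavesdropping decoder would, and then shows that once each detected key press is replaced by a flat tone on the agent/recording path, nothing recoverable is left there while the digits still arrive on a separate payment channel. The 400 Hz mask frequency, the 205-sample frame, the detection threshold and the test card number 4111111111111111 are all assumptions constructed for this example.

```python
import math

# Added illustration of the DTMF-masking idea described above; not Semafone's
# implementation. Tone generation, detection and "channel" routing here are
# simplified stand-ins constructed for this example.

SAMPLE_RATE = 8000          # narrowband telephony rate (Hz)
FRAME = 205                 # samples per analysis frame (~25 ms), a common Goertzel block size
LOW_FREQS = [697, 770, 852, 941]
HIGH_FREQS = [1209, 1336, 1477, 1633]
KEYPAD = ["123A", "456B", "789C", "*0#D"]
MASK_FREQ = 400             # assumed flat replacement tone, far from every DTMF component
DETECT_THRESHOLD = 1000.0   # a 0.5-amplitude tone on its bin yields ~2600 here; leakage is <10

def sine_frame(freq, n=FRAME, amplitude=0.5):
    return [amplitude * math.sin(2 * math.pi * freq * i / SAMPLE_RATE) for i in range(n)]

def dtmf_frame(digit):
    """One frame of the two-tone signal a handset sends for `digit`."""
    row = next(r for r, keys in enumerate(KEYPAD) if digit in keys)
    col = KEYPAD[row].index(digit)
    return [a + b for a, b in zip(sine_frame(LOW_FREQS[row]), sine_frame(HIGH_FREQS[col]))]

def goertzel_power(frame, freq):
    """Signal power at `freq` via the Goertzel algorithm (a single DFT bin)."""
    n = len(frame)
    k = int(0.5 + n * freq / SAMPLE_RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect_digit(frame):
    """Return the DTMF digit present in `frame`, or None. This is what a
    recorder or an eavesdropping decoder would recover from the audio."""
    low = [goertzel_power(frame, f) for f in LOW_FREQS]
    high = [goertzel_power(frame, f) for f in HIGH_FREQS]
    r = max(range(4), key=low.__getitem__)
    c = max(range(4), key=high.__getitem__)
    if low[r] < DETECT_THRESHOLD or high[c] < DETECT_THRESHOLD:
        return None
    return KEYPAD[r][c]

def decode_stream(frames):
    """Digits recoverable from a stream, de-duplicated across the consecutive
    frames of one key press (key presses are separated by silence)."""
    digits, last = [], None
    for frame in frames:
        d = detect_digit(frame)
        if d is not None and d != last:
            digits.append(d)
        last = d
    return "".join(digits)

def caller_audio(pan, press_frames=2, gap_frames=1):
    """Constructed caller-side audio: each key held for `press_frames` frames,
    followed by `gap_frames` frames of silence."""
    frames = []
    for digit in pan:
        frames.extend(dtmf_frame(digit) for _ in range(press_frames))
        frames.extend([0.0] * FRAME for _ in range(gap_frames))
    return frames

def mask_dtmf(frames):
    """Split the caller audio: digits go to the payment channel, while the
    agent/recording channel gets a flat tone in place of each key press."""
    agent_frames, digits, last = [], [], None
    for frame in frames:
        d = detect_digit(frame)
        if d is None:
            agent_frames.append(frame)                 # speech/silence passes through untouched
        else:
            agent_frames.append(sine_frame(MASK_FREQ)) # flat tone hides which key was pressed
            if d != last:
                digits.append(d)
        last = d
    return agent_frames, "".join(digits)

def luhn_ok(pan):
    """Basic PAN sanity check before handing the digits to a processor."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0

def run_masked_capture(pan):
    """End to end: caller keys the PAN, masking splits it; report what each side sees."""
    unmasked = caller_audio(pan)
    agent_frames, captured = mask_dtmf(unmasked)
    return {
        "leaked_unmasked": decode_stream(unmasked),    # a recorder's take without masking
        "leaked_masked": decode_stream(agent_frames),  # a recorder's take after masking
        "payment_channel": captured,
        "luhn_ok": luhn_ok(captured),
    }

if __name__ == "__main__":
    print(run_masked_capture("4111111111111111"))  # constructed test PAN, not a real card
```

The point to take from the simulation is the property that makes descoping defensible: the audio that reaches the agent desk and the recorder still contains a tone for every key press, but a decoder run over it yields no digits, so neither the recording nor the agent ever holds cardholder data. That property only holds if the masking sits upstream of every path that could capture the caller’s audio, which is why the placement of the masking component matters as much as the masking itself.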

With Semafone, SPS:

  • Descoped much of their contact center environment from PCI DSS, reducing risk and avoiding noncompliance penalties
  • Improved the customer experience and patient care
  • Strengthened overall data security and simplified PCI DSS compliance

Lessons Learned

Although the SPS project involved payment card data, the company’s approach to secure data and provide a better patient experience carries some universal truths that are applicable across all industries. The most effective way to protect data and comply with complex regulations is to ensure sensitive information never enters your business’ infrastructure.

Companies must look to descoping solutions, like Cardprotect from Semafone, to make their organizations a less attractive target for hackers and fraudsters. And, when integrated with the Genesys Customer Experience Platform, companies can ensure they also provide the best possible customer (or patient) experience.

To learn more, register today for our webinar, “The contact center cure: How Sutter Physician Services improved customer service, simplified compliance and strengthened data security.” This webinar will be available on-demand after the live session.

This post was co-authored by Alan Watson, Global Pre-sales Engineering Manager at Semafone. Alan has been a manager of the Semafone pre-sales team since December 2012. Alan’s team provides pre-sales consultancy and technical advice to customers throughout the sales process, advising contact centers on how to take their card payment environment out of scope for PCI DSS regulations. 

Prior to joining Semafone, Alan spent seven years at Avaya as a systems engineer, where he worked on large, complex multinational design projects across multiple industry verticals. Alan has specialist expertise in various technical areas, including contact centers, web services, and PCI DSS solutions.