With the added focus on Telemedicine and Telehealth activities these days, we thought it might help to provide an overview of HIPAA and 2600Hz.
NOTE: We are not legal experts. Please contact your lawyer to implement your HIPAA compliance strategy.
Overview
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) is a privacy law enacted in 1996 that is designed to protect consumers by ensuring any data related to their personal or “protected health information (PHI)” is not shared and/or used without their express permission.
The general requirements of HIPAA Security Standards state that covered entities must:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
- Protect against any reasonably-anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably-anticipated uses or disclosures of such information that are not permitted or required under the privacy regulations.
- Ensure compliance by its workforce.
In short, this means a business must:
- Protect and not disclose health information unless expressly given permission
- Use appropriate measures to keep the information secure
- Report any breaches of unsecured health information
- Make available any accounting of disclosures
- Make internal practices available to the Secretary for audits, to determine compliance.
Some guidelines HIPAA outlines
HIPAA provides guidelines that outline how to manage the transfer and storage of data on digital channels. The guidelines include details about the use of data, encryption, servers, authentication, and audit trails.
A copy can be found here:
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html
If your business provides a service that handles personal health information, data handling details will need to be identified, and a legal agreement outlining how to share the responsibility for keeping data private may be advised. As a provider, you will want to reach out for legal advice and make sure any contract you enter is appropriate for your situation.
2600Hz and HIPAA
Is 2600Hz software HIPAA compliant?
Currently 2600Hz software is not certified by HIPAA. Our installations are built to be customized for different client environments by both resellers and users. We are not in a position to control the HIPAA-related settings and ensure the installation is and remains compliant. For this reason any BAA should be reached and signed between the reseller and the user.
Why should I be concerned about HIPAA compliance using KAZOO?
If you are working with a client who is involved in personal health -- for example a doctor’s office, a mental health provider, a pharmacy, or medical equipment company -- you will want to meet with them to identify any requirements or guidelines they have been advised to follow. At times they may want to engage a HIPAA auditor to clarify their responsibilities.
It is important you research your responsibility to protect any data you process and understand any liability you may face.
What are the areas within your software that HIPAA would not approve?
As with any phone system (and web-based email, texting, etc.), some “features” are useful and also fodder for nefarious activity. Where and how their data is stored, and how easily these features are activated, are among the concerns of HIPAA auditors. These include (and there are others):
- https:// web viewing channel
- Attached faxes and image files
- Voicemails transcribed to email
- Recorded audio/VOIP calls
- Video calls and recordings, if stored
- Text and chat messages
What is a BAA, or Business Associate Agreement?
Often the responsibility for adhering to the guidelines is shared between the vendor (for conferencing, texts, etc) and the health provider through a legal agreement.
In HIPAA terms, BAA stands for Business Associate Agreement. This refers to a legal agreement between two businesses that handle HIPAA-related data, outlining what each is responsible for, how they are responsible for it, and where they can and cannot use the information. A sample copy of this kind of agreement is provided by the US Health and Human Services website, here:
https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
We recommend you invest in legal review to make sure your BAA covers your client profile.
Who do I sign a BAA with?
You are responsible for signing a BAA with your client. As 2600Hz does not control or have access to your account configuration, it is your responsibility to ensure the account is compliant and to sign the agreement with them.
What role does 2600Hz play in my HIPAA compliance?
At this time, 2600Hz native software is not HIPAA certified. Depending on the applications used, accounts may be configured in a way that does support HIPAA compliance. This kind of adjustment, made by resellers and/or clients, may include disabling some features that are less secure, such as electronic faxing, or redirecting the storage for these features to a more secure storage service. Note, however, that if the settings for these features are easily changed by a user, this is not an optimal solution.
How can I make sure I’m HIPAA Compliant using KAZOO?
We recommend you meet with your client and assess the following:
- Identify what applications and use scenarios are subject to HIPAA guidelines
- Review application settings to see if they can be adjusted to satisfy HIPAA (for example, disabling some features that may not be required)
- Enter into a BAA agreement if advised by an auditor or legal counsel.
One of the first steps offices take is to move all data storage to a HIPAA recognized secure system such as Amazon or Google. This is neither technically challenging nor a big financial investment; please contact our support team for more information.
Can I redirect PHI data to a different server that is secure?
Yes. We are compatible with secure, encrypted 3rd party storage solutions, such as Amazon's S3 or Google. We can help you redirect your faxes to these services.
Do you support S/MIME encryption for emails (in and out) as a way to be compliant?
At this time we do not support S/MIME encryption. There is some activity from the community requesting this as a feature; if you want to join their efforts, add it as a request here:
Reference Links
Where can I find more information on HIPAA requirements?
The HHS website below provides an extensive overview, FAQs, and a sample agreement you can review:
https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
In addition, the HIPAA Journal has up-to-date information:
https://www.hipaajournal.com/
Edited by Emily R