Jump to content
  • 2600Hz-logo-RGB copy.png

    Welcome our Monster UI Apps Resource Pages!
    Below is a list of the applications developed by 2600Hz for KAZOO using the Monster UI Interface and documentation related to it. 
    If you have a question that is not covered here, check out our community forums.  

          Featured Apps

      New Updates!    Check it out!     







    Smart PBX

    Call Center Pro

    Porting Manager   Comm.land   Dynamic Caller ID CallThru.us


    >>  2600Hzroundorangelogo.png  Return to Monster Apps Home Page  


  • Notes on HIPAA Compliance Responsibilities

    With the added focus on Telemedicine and Telehealth activities these days, we thought it might help to provide an overview of HIPAA and 2600Hz. 

     NOTE:  We are not legal experts.  Please contact your lawyer to implement your HIPAA compliance strategy.


    What is HIPAA? 
    HIPAA (Health Insurance Portability and Accountability Act) Is a privacy law enacted in 1996 that is designed to protect consumers by ensuring any data related to their personal or “protected health information (PHI)” is not shared and/or used without their express permission. 

    The general requirements of HIPAA Security Standards state that covered entities must:

    1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. 
    2. Protect against any reasonably-anticipated threats or hazards to the security or integrity of such information. 
    3. Protect against any reasonably-anticipated uses or disclosures of such information that are not permitted or required under the privacy regulations.
    4. Ensure compliance by its workforce.

    In short this means a business must

    • Protect and not disclose health information unless expressly given permission
    • Use appropriate measures to keep the information secure
    • Report any breaches of unsecured health information
    • Make available any accounting of disclosures
    • Make internal practices available to the Secretary for audits, to determine compliance.

    Some guidelines HIPAA outlines

    HIPAA provides guidelines that outline how to manage the transfer and storage of data on digital channels.  The guidelines include details about the use of data, encryption, servers, authentication, and audit trails.  

    A copy can be found here:

    If your business provides a service that handles personal health information, data handling details will need to be identified, and a legal agreement outlining how to share the responsibility for keeping data private may be advised.  As a provider, you will want to reach out for legal advice and make sure any contract you enter is appropriate for your situation.

    2600Hz and HIPAA

    Is 2600Hz software HIPAA compliant?
    Currently 2600Hz software is not certified by HIPAA.  Our installations are built to be customized for different client environments by both resellers and users.  We are not in a position to control the HIPAA related settings and ensure the installation is and remains compliant.  For this reason any BAA agreements should be reached and signed between the reseller and the user.

    Why should I be concerned about HIPAA compliance using KAZOO?
    If you are working with a client who is involved in personal health -- for example a doctor’s office, a mental health provider, a pharmacy, or medical equipment company -- you will want to meet with them to identify any requirements or guidelines they have been advised to follow.  At times they may want to engage a HIPAA auditor to clarify their responsibilities.

    It is important you research your responsibility to protect any data you process and understand any liability you may face.

    What are the areas within your software that HIPAA would not approve?
    As with any phone system (and web-based email, texting, etc), some “features” are useful and also fodder for nefarious activity.  Where and how they are stored and how easily these features are activated are some of what concern HIPAA auditors. These include (and there are others):

    • https:// web viewing channel
    • Attached faxes and image files
    • Voicemails transcribed to email
    • Recorded audio/VOIP calls
    • Video calls and recordings, if stored
    • Text and chat messages

    What is a BAA, or Business Associate Agreement?
    Often the responsibility for adhering to the guidelines is shared between the vendor (for conferencing, texts, etc) and the health provider through a legal agreement. 

    The HIPAA BAA stands for a Business Associate Agreement.  This references a legal agreement between two businesses that handle HIPAA related data that outlines what and how they are responsible for it and where they can and cannot use the information.  There is a sample copy of this kind of agreement provided by the US Health and Human Services website, here. 

    We recommend you invest in legal review to make sure your BAA covers your client profile.

    Who do I sign a BAA with?
    You are responsible to sign a BAA with your client.  As 2600hz does not control or have access to your account configuration it is your responsibility to ensure the account is compliant and to sign the agreement with them.

    What role does 2600Hz play in my HIPAA compliance?
    At this time, 2600Hz native software is not HIPAA certified.   Depending on the applications used, accounts may be configured in a way that does support  HIPAA compliance. This kind of adjustment made by resellers and/or clients may include disabling some features that are less secure, such as electronic faxing, or redirecting the storage for these features to a more secure storage service.  Note however, if settings for these features are easily changed by a user it is not an optimal solution.

    How can I make sure I’m HIPAA Compliant using KAZOO?
    We recommend you meet with your client and assess the following:

    1. Identify what applications and use scenarios are subject to HIPAA guidelines
    2. Review application settings to see if they can be adjusted to satisfy HIPAA
      (for example, disabling some features that may not be required)
    3. Enter into a BAA agreement if advised by an auditor or legal counsel.

    One of the first steps offices take is to move all data storage to a HIPAA recognized secure system such as Amazon or Google.   This is neither technically challenging nor a big financial investment; please contact our support team for more information.

    Can I redirect PHI data to a different server that is secure?
    Yes.  We are compatible with secure, encrypted 3rd party storage solutions, such as Amazon's S3 or Google.   We can help you redirect your faxes to these services.

    Do you support S/MIME encryption for emails (in and out) as a way to be compliant?
    At this time we do not support S/MIME encryption.  There is some activity from the community requesting this as a feature; if you want to join their efforts, add it as a request here:


    Reference Links

    Where can I find more information on HIPAA requirements?
    The HHS website below provides an extensive overview, FAQs, and a sample agreement you can review: 


    In addition, the HIPAA Journal has up to date information,

    Edited by Emily R (show revisions)

    User Feedback

    Recommended Comments

    • Customers

    Hi 2600hz,

    We read your Notes on HIPAA Compliance Responsibilities. Thank you.

    We have our customer asks us about HIPAA to store voicemails. Is there an information on how the reseller can setup the external storage for the voicemail if it is within the AWS or Google Drive? Also, how do we set it up on our own server? 


    Edited by Dhruv (see edit history)
    Link to comment
    Share on other sites

    Great post . here i have few more points about HIPAA Compliance responsibilities

    Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions. 

    Today, providers are using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks.

    A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI. 

    Link to comment
    Share on other sites

  • Create New...