Posted
One of our customers in medical services is asking for documentation to put in their HIPAA binder to show that the fax and phone VoIP services are HIPAA compliant.

As per 2600hz support, they don't carry any HIPAA compliance documentation.

Do any of you have medical clients? What are you guys doing for this?
Posted
TLDR -- "HIPAA Compliance" is a marketing term. HIPAA does not specify or require encryption. You can be HIPAA compliant by enforcing some security standards and signing a HIPAA Business Associate Agreement between you and your health care provider customer. -- Vern

Joy -- I've been wondering about this for years, and I just did some research that might clear things up. HIPAA is actually a rather skeletal set of guidelines and advice. The main problem occurs for covered organizations when there is a breach of some sort, and that causes an incident that will generate an investigation by HHS and Office of Civil Rights (OCR) or by a state attorney general.  See this link for the official HIPAA site: 

http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html

It seems like the legal standard for HIPAA is "no harm no foul." Nobody is going to do a HIPAA inspection without there also being a civil or criminal investigation of an actual breach.

The actual rules for HIPAA (or lack thereof) DO NOT SPECIFY ENCRYPTION for data "in motion" or "at rest". In fact, typical of most HIPAA stuff, they don't give specific guidelines on what you should do. For example, I found a VoIP-related NIST document referenced in some HIPAA documentation, but once again, these are the technical recommendations for making a secure VoIP system:

http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf

But, there are competitors out there, such as 8x8, who say they are "HIPAA Compliant." What does that mean? Actually, "HIPAA Compliant" is NOT a term defined by HHS/OCR. Nobody officially determines if you are HIPAA compliant. It's just a marketing term.

What is 8x8 doing then to sell HIPAA Compliant service? I think I found out by parsing the verbiage on the 8x8 web site.

In 8x8's world, they are "HIPAA Compliant" because 8x8, as a "Business Associate" of a "Covered Organization," has a "HIPAA Business Associate Agreement" signed between 8x8 and the health care provider.  The HHS website gives a template for writing your own HIPAA Business Associate Agreement:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

So, based on this research, any Kazoo reseller could be HIPAA compliant if you:
  1. Assure that the Covered Entity's LANs are built according to the NIST SP800-58 guidelines (mainly separate VLANs for voice and data)
  2. Offer the Covered Entity a HIPAA Business Associate Agreement to assure them that you will notify them of any known breach

To make this complete, we should probably get some sort of statement from 2600hz that gives a short description of how information in the Kazoo cluster is kept private, and any specifics on Intrusion Detection, because we will need to represent that in our HIPAA Business Associate Agreement.
  • 2 weeks later...
Posted
Yes, HIPAA doesn't specify what encryption type you have to use. However, a lot has changed since the original roll-out of HIPAA - there are stricter rules now since 2014.

 § 164.312 Technical safeguards states:
(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

When does it need to be encrypted? It's pretty clear that it says the policies and procedures detailed above are to ensure the data is only accessed by authorized personnel:
 (a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).  


The fines are very, very, very steep. If a hard drive is stolen from a premises and the drive wasn't encrypted you are going to be looking at a $1,700,000 fine: http://www.apta.org/PTinMotion/NewsNow/?blogid=10737418615&id=10737433533

This isn't just for Covered Entities anymore - it applies to Business Associates as well since 2014, and BAs (you) can get audited and fined.

And that's even if the machine is a desktop machine behind gated, passcarded, security-cameraed, security-guarded premises and the machine is passworded:
https://www.paubox.com/blog/hipaa-privacy-violations-include-stolen-office-computers

In practice, when dealing with a HIPAA-regulated client, you need to encrypt any patient data at rest and in transit, you need to have policies in place for data security practices that every employee signs off that they read and understood, and you need to have an audit trail and regular security audits to track who has accessed what data.

Basically, you need to have a paper trail that shows you're committed to security, and that you've tracked and documented the movement of all unsecured patient data.

Finally, if you are a technology provider to a HIPAA-regulated client, *you* are responsible and liable for any data breaches of your systems if the associate agreement states that and both parties have signed it. The Business Associate Agreement should specify all of the things you have to do to stay compliant for the Covered Entity. And all outside vendors of any HIPAA-regulated organization must have a BAA on file - though this onus is on the HIPAA-regulated organization to make sure they do this.

Finally, the "Breach notification rule" requires organizations to notify HHS when a breach of unsecured patient data occurs, and to cease usage of the breached business associate's services. See http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/

What this means in practice is that HIPAA clients need to be paying you a lot more :)

If you're providing services to HIPAA clients, you really should at least skim the 114 page summary document:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf