HIPPA Compliance
Many years ago, the federal government issued guidance that clarified that traditional analog phone systems are NOT subject to the HIPAA Security rule provisions. So, what about your VoIP phone system? Many companies, schools, and government agencies have moved to VoIP service. It is estimated that by 2017 that more than 50% of the calls that will be made in the United States will be over a VoIP-based system. VoIP is a method for taking analog audio signals and turning them into digital data that can be transmitted over the internet instead of traditional analog phone lines. Does patient information stored and processed by these phone systems constitute electronic Protected Health Information?
- Electronic storage material, which includes, for example, computer hard drives, or
- Transmission media, which includes, for example, the internet.
Note that part of this definition changed with the 2013 Omnibus Rule changes, and states “Certain transmissions, including of paper, via facsimile, and of voice, via the telephone, are not considered to be transmissions via electronic media, if the information being exchanged did not exist in electronic form immediately before the transmission”.
What features does HIPAA look for with VoIP Based Telephone System
The implementation specifications in the HIPAA rule that apply to the software include:
- Unique User ID & authentication. Phones identify themselves with the phone number or serial number on the phone.
- Access Controls. Certain users may have additional privileges beyond making phone calls so the system should support different classes of users.
- Audit logs. The system should record call metadata, as well as any details regarding any administrative activities performed by an authenticated user.
- Encryption. TLS and or VPNs can be employed between IP Phones and the Communications Manager Software. For data at rest, for example, voicemails, other encryption technologies can be used.
- Business Associate Agreement. When cloud-based VoIP solutions are used, an essential ingredient is the HIPAA Business Associate agreement. The cloud provider has an additional set of compliance obligations including their own physical, technical and administrative controls.
Be wary of VoIP Providers offering conduit services without baas
The HIPAA Final Omnibus Rule has an extensive explanatory discussion by the Department of Health and Human Services (HHS). It talks about the “mere conduit” exception, where a service provider only passes through protected health information. A phone-only service would be a mere conduit. But with voicemail and call recording—two facets of most VoIP-enabled unified communications services—it goes beyond that. HHS emphasized that persistent data storage means an entity is “maintaining” protected health information, and thus triggers Business Associate status. Also, HHS says in that document that the mere conduit exception is a narrow one. So, there is no doubt that HHS is going to conclude that VoIP providers’ services are HIPAA-regulated, and “conduit service” is not going to get anyone off the hook. Companies doing business with non-compliant VoIP providers are probably not going to “get a break” on this one, either.
Carolina Digital Phone and Business Associate Agreement (BAA)
Your VoIP phone system with Carolina Digital is the hosted application, and you need to assess risks during your risk assessment, conduct the appropriate security evaluation, and document compliance. Carolina Digital makes sure the data you store on our servers in our secure data center is secure and is only accessible by you and your authorized agents. If necessary for your company to have Carolina Digital enter into a Business Associate Agreement in order to be compliant with your privacy policies and further in compliance with HIPAA we have drafted a Sample Business Associate Agreement for your review. After reviewing this sample agreement, the management team at Carolina Digital will tailor an agreement for your specific requirements. Any legal document you sign, we recommend you have reviewed by your legal counsel. Likewise, we have two attorneys that review all documents we enter into. The Sample Business Associate Agreement we have provided is a template only and is not for signatures.
Resources to determine how your business can be HIPAA compliant:
- Sample Business Associate Agreements – U.S. Department of Health & Human Services
- Audit logs. The system should record call metadata, as well as any details regarding any administrative activities performed by an authenticated user.
- How do I become HIPAA Complaint Checklist from TruVault
- HIPAANews.org – a Checklist to protecting the privacy of personal health information
- Compliance Helper – Assure compliance with HIPAAssure