In this guest post by Max Emelianov of HostForWeb, we go into the details of the implications of the HIPAA (Health Insurance Portability and Accountability Act), understanding how to make sure that your Voice over Internet protocol solution does not violate the rules on the management and exchange of sensitive data.
HIPAA: what you need to know to stay out of trouble.
HIPAA has evolved a great deal since 1996. Today, it includes far-reaching requirements related to the storage and transmission of all electronic health information, including audio recordings. That means that if you are a care provider, your phone lines need to be compliant, same as any other system. Here’s how.
Duty of care is about more than patient outcomes. It’s about more than ensuring the health and safety of the people your organization treats. It’s also about protecting their personal information from those who would use it for ill.
It is clear that healthcare organizations need to do better. Stricter compliance with the Health Insurance Portability and Accountability Act (HIPAA) and good security hygiene are non-negotiable in today’s health landscape. When it comes to the storage of electronic protected health information (ePHI), there can be no compromises.
This should be the starting point for healthcare organizations, whether covered entities or primary care providers. Patient data must be treated with the utmost care and strictly controlled. Even in light of this, there’s one area care providers frequently seem to overlook.
Perhaps more importantly, most VOIP solutions can be readily used via smartphone, a technology which has become as ubiquitous in the healthcare industry as it has elsewhere.
Here’s where things get problematic. As you may know, HIPAA doesn’t really touch on phone calls. Instead, it includes something known as the Conduit Exception Rule.
What is meant by conduit? Are VOIP solutions part of it?
As explained by the HIPAA Journal, a publication dedicated to advice and education around HIPAA compliance, the conduit exception rule establishes certain entities as “conduits.” This means that they do not store, analyze, or otherwise access PHI. They simply transmit it between two endpoints.
Though they are often misclassified as such, VOIP services are not conduits.
They facilitate the electronic transmission of healthcare data in audio form. Moreover, they store such data through voicemail services and call recording. Some VOIP services even include text chat and file sharing as value-added features.
In other words, if you are a care provider or covered entity, you need to seek a compliant VOIP solution. Otherwise, you are violating HIPAA and failing in your duty of care to your patients. Look for a VOIP provider that offers the following:
Every physician and staffer who uses your VOIP software should have a unique user ID and be required to authenticate with more than one factor.
As an addendum to the above, access to your VOIP software and any files within it should be strictly controlled, limited only to those who absolutely need it to do their job.
The ability to search for and audit the activities of all users in the system.
The VOIP provider must be willing to sign a HIPAA Business Associate Agreement.
It’s easy to miscategorize VOIP software as a conduit. However, it’s subject to all the same rules as email, SMS, or fax. You need to be aware of that, lest you find yourself suffering a hefty financial penalty.
Imagicle Call Recording solution, with three recording modes (Always on, On Demand and Live Keep), advanced user profiling, data encryption, audit trail and customizable retention period, allows you to decide exactly what to record, have full control over the data and work safely without worrying about breaking the rules. If you don’t know it yet and you deal with sensitive data, this is a good time to start. Enjoy it!
About the Author. Max Emelianov started HostForWeb in 2001. In his role as HostForWeb’s CEO, he focuses on teamwork and providing the best support for his customers while delivering cutting-edge web hosting services.