Architecting for HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) is a set of federal standards to protect the privacy of patients’ medical records and other health information maintained by covered entities: health plans, which include many governmental health programs, such as the Veterans Health Administration, Medicare, and Medicaid; most doctors, hospitals, and many other health care providers; and healthcare clearinghouses. These standards provide patients with access to their medical records and with significant control over how their personal health information is used and disclosed. The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use so they can assure the confidentiality, integrity, and availability of electronic protected health information (PHI).
PHI generally includes individually identifiable health information, including demographic data, that relates to:
- The individual’s past, present or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.
- Individually identifiable health information including name, address, birth date, Social Security Number, etc.
By law, the HIPAA Privacy Rule applies to covered entities: health plans, healthcare clearinghouses, and certain healthcare providers and business associates. A business associate is a person or entity that performs certain functions or activities that involve the use of the PHI on behalf of a covered entity.
This article is intended for CallTrackingMetrics customers that have a Business Associate Addendum (BAA) in place with CallTrackingMetrics, or intend to enter into a BAA with us.
This article provides specific guidelines on how customers can use CallTrackingMetrics to develop HIPAA compliant workflows. CallTrackingMetrics believes that security and compliance are a shared responsibility between CallTrackingMetrics and the customer. There are aspects of HIPAA controls that CallTrackingMetrics has put in place for all of our customers’ data. There are additional safeguards that customers seeking HIPAA compliance will require, and it is CallTrackingMetrics’ responsibility to provide the services and tools necessary to configure for the additional requirements. It is the customer’s responsibility to ensure that their workflows built on CallTrackingMetrics utilize these tools to architect a solution that supports HIPAA compliance.
Throughout this article, we have indicated whether each CallTrackingMetrics feature is required for HIPAA compliance or if there are recommendations for additional security. There are also sections that call out special considerations that customers should take note of under certain circumstances.
Customers that enter into a BAA with CallTrackingMetrics will need to specify which of their Accounts are designated HIPAA (per the BAA) for all existing and future Subaccounts created. They may use any CallTrackingMetrics features under the designated HIPAA Accounts, but workflows that potentially contain PHI can only be built using the requirements as outlined here. If an Agency (Parent) ID is designated as HIPAA at the signing of a BAA, then any future Subaccounts created in that Agency will also be automatically designated as HIPAA Accounts. If only select Subaccounts are designated as HIPAA Subaccounts at the signing of a BAA, then the customer will need to request that any later-created Subaccounts be designated as HIPAA.
This section outlines the set of required and recommended best practices for building a HIPAA compliant workflow on CallTrackingMetrics.
- You must be on the Connect, Growth, Advanced, or Enterprise plan. You can check your plan and change your plan at the top of the Account Settings page.
- We need to have a Business Associate Agreement in place with you. Please contact us at email@example.com to request a BAA.
- You cannot use tracking numbers that are marked as “not eligible for HIPAA compliance”. Non-HIPAA numbers will be marked with an asterisk and flagged on the Buy Numbers page as well as the Tracking Numbers page in your account.
- Individual Logins: Each individual user accessing HIPAA accounts must have their own unique login for CTM.
- User Security: Within Agency Settings, navigate to the “Security” area and configure the following:
  - Log out users automatically after no more than 15 minutes of idle connection,
  - Enable two-factor authentication to ask for a verification code every time or every 30 days, and
  - Check the box to require a user login to access call recordings.
- Encrypted Call Recordings: If recording phone calls, you must enable the following in account settings:
  - Encrypted call recordings – Encrypted call recordings cost an additional $.005 cents per minute.
  - Encrypted call recording storage – Encrypted call recording storage costs an additional $.0005 cents per minute.
- Enable automatic redaction on your account to manage how much and how long information is being stored.
  - Redaction removes personal information from records of calls, texts, and forms in your account.
  - Redaction can be configured to occur daily, every 30 days, every 60 days, or every 90 days.
  - Redaction can also be done manually for an individual call or text in the Call or Text Log.
- MMS enables exchange of attachments and picture messages between mobile phones over the carrier network. This capability cannot be used in conjunction with SMS for workflows requiring HIPAA compliance at this time.
- Online Fax allows customers to send and receive faxes on their tracking numbers. This feature cannot be used for workflows requiring HIPAA compliance at this time.
- If you expect sensitive information such as Social Security numbers or personal phone numbers to be exchanged, you need to enable Secure Call Transcriptions, which will automatically detect the presence of that information in your interactions and redact it from your recordings and transcriptions.
- Avoid configuring triggers, notifications, or exports that move PHI out of CallTrackingMetrics into emails or text messages. If choosing to use any of these features, it is your responsibility to ensure the security of the information once it leaves CallTrackingMetrics. For example:
  - When using SMS services on CTM, do not include PHI in the body of your text messages.
  - If you are using post-call notifications, which trigger emails each time a call comes in that matches certain criteria you have set, be sure to remove fields that could contain unsecured PHI from your notifications, such as: Recordings (unless the login required option has been turned on per the item above), Transcriptions, Name, Phone number, E-mail address, Call Notes, and any other field containing PHI for your particular use case (such as tags).
  - Another example would be exporting your call log. When exporting the call log, you would need to remove any fields that provide unsecured access to PHI, such as Recordings (unless the login required option has been turned on per the item above), Transcriptions, Name, Phone number, E-mail address, Call Notes, and any other field containing PHI for your particular use case (such as tags).
- Consider turning off Caller ID in Call Settings if you do not need to collect the name or location of your callers.
- Avoid using Enhanced Caller ID if you do not need to collect that information.
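One way to apply the notification and export guidance above before a call-log row leaves the platform, as an added example that is not CallTrackingMetrics code: the field names, the sample row, and the SSN pattern are assumptions. It drops the fields the list names as PHI carriers, keeps the recording link only when the login-required setting is on, and redacts SSN-shaped strings in any free-text field it keeps.

```python
"""Strip the call-log fields the article lists as carrying unsecured PHI before a
record goes into a notification email or export. Added example, not
CallTrackingMetrics code; field names and the sample row are assumed."""
import re

# Fields the article says to remove from post-call notifications and exports.
PHI_FIELDS = frozenset({
    "name", "phone_number", "email", "call_notes", "transcription", "tags",
})
# Recordings may remain only when "require a user login to access call
# recordings" is enabled under Agency Settings > Security.
RECORDING_FIELD = "recording_url"
# Assumed pattern for a US Social Security Number, in the spirit of what
# Secure Call Transcriptions is described as detecting; it catches PHI that
# leaked into a field that is otherwise kept (e.g. a free-text source field).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def sanitize_row(row, recordings_require_login):
    """Return a copy of `row` that is safe to place in an email or CSV export."""
    safe = {}
    for field, value in row.items():
        if field in PHI_FIELDS:
            continue  # drop outright; never partially mask these fields
        if field == RECORDING_FIELD and not recordings_require_login:
            continue  # an unauthenticated recording link is unsecured PHI
        if isinstance(value, str):
            value = SSN_RE.sub("[REDACTED]", value)
        safe[field] = value
    return safe


def sanitize_export(rows, recordings_require_login=False):
    """Sanitize every row of a call-log export with the same policy."""
    return [sanitize_row(r, recordings_require_login) for r in rows]


# Constructed sample call-log row (not real data).
SAMPLE_ROW = {
    "call_id": "CONSTRUCTED-0001",
    "tracking_number": "+15555550100",
    "name": "Jane Example",
    "phone_number": "+15555550199",
    "email": "jane@example.invalid",
    "call_notes": "Patient asked about results, SSN 123-45-6789",
    "transcription": "(constructed transcript)",
    "tags": ["new-patient"],
    "recording_url": "https://example.invalid/rec/1",
    "source": "Google Ads, ref 123-45-6789",
    "duration_seconds": 312,
}
```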
Integrations with Third Parties
Integrations with third-party services, webhooks, and triggers enable customers to link CallTrackingMetrics with external services like Salesforce, Hubspot, or Facebook. It is your responsibility to ensure that the third-party services or applications are used in a HIPAA compliant manner.