Organizations that operate in the healthcare field are likely familiar with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA establishes national standards to protect personal medical records and other health information. It applies to health plans, healthcare clearinghouses and healthcare providers alike.

Like many laws, HIPAA privacy rules can be difficult to interpret and confusing when it comes to compliance. When applicable, HIPAA requires organizations to follow various procedures and best practices to ensure healthcare data is as secure as possible. There can be significant penalties and fines for non-compliance. Some healthcare organizations may wonder whether or not their telephone calls (and other communications) are subject to HIPAA rules. The answer to that question is less straightforward than one would think and requires an analysis of a business’ phone system and policies and procedures.

Why HIPAA? HIPAA and Privacy Provisions

Before we dive into HIPAA coverage, let's look a little closer into the background of the law. Another name for the law is the Health Insurance Portability and Accountability Act of 1996 since that was the year it became effective. The HIPAA privacy rule has several sections, not all of which relate to privacy. A primary focus of the initial act was to ensure that those who lose or change their jobs were able to maintain coverage, but it actually has a much broader scope. The law also includes provisions about taxes, group insurance coverage and other concerns.

For many organizations, HIPAA’s privacy provisions are the most crucial. The law grew out of concerns relating to the privacy and security of healthcare and medical information. At the time, healthcare organizations were handling an ever-increasing amount of private patient data. There were concerns, even back then before the advent of big data, that healthcare organizations needed guidelines for storage and dissemination of medical records. The HIPAA laws provided structure, uniform rules and a roadmap for organizations to ensure that sensitive patient information remains protected and secure.

Patient Record Privacy with HIPAA

The privacy provisions of the Health Insurance Portability and Accountability Act seek to change how patient records are handled and who controls them. The first step to protecting privacy is clarifying ownership of patient records. HIPAA provides patients with a right of access to their records. Working off of this basic provision of ownership and control of most patient records, HIPAA then outlines privacy rules that are intended to safeguard sensitive data, while also enabling communication of these records when necessary. Individual’s healthcare records are subject to privacy guidelines, but healthcare providers and others need a mechanism to safely share records (if there is a change of providers, or the need for a second opinion, for example). 

This need to communicate sensitive medical information, and collaborate on patient care is a driver for a key strategy that enables HIPAA compliance—unified communications.

Privacy Standards for Different Communication Channels

If you wade through the details of HIPAA, you will see what many deem to be an exception to the privacy standards for voice calls. According to HIPAA, "certain transmissions ... of voice, via telephone, are not considered to be transmissions via electronic media." So while most sensitive conversations are covered, be aware that this is the "conduit exception." To facilitate natural conversation between provider and patient, once the patient gives a contact phone number, the provider's office should be able to communicate over the phone without the need for signing HIPAA disclosures for each call.

While some telephone calls are exempt from HIPAA, modern businesses communicate in a wide variety of methods. The idea is that some phone calls are exempt because the information—the content of the voice telephone call—did not exist electronically before the call. But what about all of the different channels of communication and services that are part of an enterprise's unified communications system? You also need to think about voice mail, conference call recording capabilities, integration with Customer Relationship Management (CRM) platforms, and the ability to communicate via email, SMS, chat, and video. There are so many touch-points and such a magnitude of data being gathered that it's nearly impossible to avoid dealing with the type of data that HIPAA covers. For these reasons, HIPAA rules apply almost universally to communications/VoIP systems within the healthcare industry.

How Communications Providers Help with HIPAA compliance

If you’re in the business of healthcare, you need to work with a communications/VoIP provider who understands the complexities of HIPAA and other regulatory compliance. Secure communication, collaboration, and the careful handling of sensitive information are core components of ongoing patient care. At 8x8, we partner with you to take the guesswork out of regulatory matters. As a HIPAA-compliant Business Associate, we work with medical and healthcare-focused businesses every day to provide voice, video, chat and contact center solutions that are tailored to help each individual business ensure security and compliance. 

When it comes to security, 8x8 doesn’t mess around! We provide reliable and compliant cloud solutions at a level of excellence rarely seen by other cloud providers. But don’t just take our word for sure you ask the right questions so you choose the right provider for your business. Don't take your chances with just any cloud-based telecom system. Call 1-866-879-8647 or fill out our online form to request a no-obligation quote from an 8x8 Product Specialist.