Stemming Plagues Might Test Communications Providers’ Speed and Compliance

[Image: HIPAA applies to contact centers]

If HIPAA were a teenager, the eighteen-year-old would be allowed to vote and sign contracts. That’s why it’s tough to understand why so many businesses and government agencies are still failing to implement HIPAA-compliant unified communications—and why many don’t even know they SHOULD comply, even after the generation-long phase-in and revisions.

Perhaps most astonishing of all, worldwide health crises could combine with stepped-up law enforcement to test these companies and agencies, revealing just how many corporate and government systems have HIPAA-compliance problems with their unified communications and contact centers.

Ohio Opens Ebola Call Centers

Government agencies are already announcing that they’re setting up contact centers to handle questions from the public. For example, a few days after the news broke that an Ebola patient had visited family in Ohio, the Ohio Department of Health’s Public Information Officer, Melanie Amato, announced that the Department has activated a 24/7 call center to deal with questions from worried Ohio residents. She says the goal of the Department is to deliver accurate and timely information to Ohioans about the state’s response.

Right now, these call centers—which for now are only available via phone, not through email or social channels, and only focus on Ebola—are largely for reassurance. “What we want to say is be concerned, but do not panic,” Amato said.

Contact Centers Could Start Handling Protected Health Info

But it’s easy to envision a contact center that would handle all kinds of information that could be protected under HIPAA. For example, a contact center’s role might initially focus on just giving out general information. But what if later in an outbreak, its purpose shifted to also gather info from people who thought they’d been exposed?

As contact centers’ roles expand, it’s easy to see how they could quickly start collecting individually identifiable health information—or protected health information (PHI), as HIPAA terms it. This might include a person’s contact information, as well as extremely sensitive data regarding exposure and possibly even how patients are isolated and treated.

Think about it: If you had been exposed to someone who had a feared disease like Ebola, would you want the world to know?

It’s also easy to envision this information passing from one agency to another, because transporting patients and sanitizing areas contaminated with Ebola virus might fall under different agencies—and they’d need to coordinate their responses and roles.

Communications: An Often Overlooked HIPAA Compliance Problem

And here’s where HIPAA compliance comes in. Contact centers that store PHI are subject to HIPAA. So are many unified communications systems, including VoIP phone service, Internet faxing, and some collaboration features.

Many companies—including some in the medical, legal and insurance fields—have communication systems that still aren’t HIPAA-compliant. And even more companies that subcontract to organizations covered by HIPAA still don’t realize that their Internet business phone system providers must comply with HIPAA, and so must their phone systems and contact centers.

And yet, at this time, 8x8 is the only Internet-based unified communications provider to advertise third-party verified HIPAA compliance. Nor do other providers say they sign business associate agreements (BAAs), which is what a hospital, attorney or insurance business needs to show HIPAA auditors to establish that its communications system is HIPAA-compliant.

Many Service Providers Ignore HIPAA Requirements—Too Much Work!

Achieving HIPAA compliance in unified communications takes a great deal of work, commitment and expertise on the part of the service provider. Not all telecommunications firms are willing to invest in compliance capabilities. For example, HIPAA mandates protection of data stored at rest, just one requirement of many required for compliance.

So, to ensure the security of stored data like voicemails, faxes, and call recordings, the 8x8 service is housed in multiple redundant state-of-the-art, SSAE 16 certified data centers. These facilities are in undisclosed locations in unmarked buildings, and access is by appointment only. Each is staffed 24/7 and equipped with high-grade security features, equipment and procedures. Five layers of physical security—in a system originally designed for the U.S. Federal Reserve—protect against unauthorized access. These layers include mantraps, hundreds of biometric hand geometry readers, visual confirmation, and 24-hour video surveillance. Within the data centers, all stored data is encrypted.

And that’s just what’s needed to satisfy one aspect of HIPAA. This investment in our customers’ protection is part of the reason why 8x8 services can be configured to be HIPAA compliant, with administrative controls and restrictions to protect stored faxes, recordings and voicemails.

8x8 solutions are also engineered to automatically create the required audit trails so that you can easily document the compliance of your communications systems, thereby avoiding a nasty surprise from the representatives of the Secretary of the Department of Health and Human Services.

8x8’s Work Means Contact Centers and Medical Communications Can Comply Quickly

These features and more took several years to develop at 8x8. But in addition to compliance, they offer the further benefit of improving the general security of your business communications. Plus, cloud-based services offer the peace of mind that the compliance experts at 8x8 will keep the system up-to-date with all the latest security capabilities and requirements. The cloud also makes it possible to offer such services at a price point that can be an order of magnitude less than old-style PBX systems and clunky, hardware-based call systems that the cloud replaces.

But because HIPAA compliance takes years to develop, many other unified communications providers haven’t invested in the policies, procedures, training and technology that are needed to comply with HIPAA. That’s part of the reason why they can’t in turn offer HIPAA-compliant solutions that can meet the government’s HIPAA requirements for communications.

Fast Response Possible with HIPAA-Compliant Cloud Communications

On the other hand, cloud communications technology helps companies that use only HIPAA-compliant unified communications services. They can simply leverage the investment of HIPAA-compliant providers to get the compliant phone, fax and contact center communications necessary to reach out to their customers or constituents.

It used to take months or years to establish call centers. Now it’s possible to set up a contact center—complete with phone, chat and email support—in weeks, if the need arises. The task is much closer to that of getting a new phone line or having one ported, than it is to the huge hardware-and-software development projects of yesteryear.

How Fast is ‘Fast’?

How fast can 8x8 help set up a contact center? Consultants used 8x8 Virtual Contact Center technology to establish a drinking water hotline for the EPA several years ago—in about three weeks. While that project had no HIPAA component, it would have been just as easy and quick to add HIPAA-compliant options if they’d been needed. Insurance companies have used mobile apps and similar cloud technology to help process claims and answer questions in the wake of disasters such as Hurricane Sandy.

And when a potential disaster like an infectious disease hits, many in the medical field can rest a tiny bit easier knowing that at least they don’t have to choose between quick response times and complying with the law.


Mike McAlpen


Mike McAlpen is the Executive Director of Security and Compliance at 8x8, one of the largest US VoIP providers for business. Prior to this, Mike was a business leader with Visa, Inc. Global Information Security and Compliance. Before this Mike was a leader in HP Professional Services Information Security, CIO/CISO Advisory and other services for nearly 12 years. Mike is a frequent Information Security speaker, a three-term IT Services Management Foundation President, on the Board of Directors of the Silicon Valley ISSA, and active in ISACA, FBI/DHS InfraGard, U.S. Secret Service’s Cyber Crime Task Force and the American Bar Association Science and Technology Section’s Information Security Committee.
