HIPAA and Unified Communications in Healthcare


Expanding your client base can be challenging. You want to target the right market, but what is it? Well, the healthcare market can be an excellent opportunity for UCaaS providers. The healthcare vertical has an expected growth of 15.24% within the UCaaS market. When it comes to unified communications in healthcare, HIPAA is a major focus. What does HIPAA for UCaaS providers look like?

UCaaS and HIPAA Compliance

Healthcare providers have increasingly become aware of the advantages unified communications can offer. Unified communications in healthcare improve efficiency, reduce costs, and enhance communication capabilities, making healthcare providers eager to adopt the technology.

Healthcare providers also look to UCaaS solutions for their expertise: 

“A lot of practices are not focused on IT and telephony services, and a company like ours comes in and gives them the ability to take advantage of cloud services,” said Jason Smith, director of solution design engineering at West Unified Communications, a communication and network infrastructure provider. “We help augment their deficiencies and let them focus on their core business.” 

While the healthcare vertical offers lucrative opportunities, UCaaS providers must consider compliance.

Where does HIPAA in unified communications come in? As a UCaaS provider working with healthcare organizations, you are considered a business associate, because you have the potential to access electronic protected health information (ePHI) in the course of the services you provide to your healthcare clients.

HIPAA requires business associates to adhere to specific standards the law sets. This means that you must adopt a HIPAA compliance program to ensure the privacy and security of ePHI.

Colleen Schmidt, director of partner success at CoreDial, a white-label cloud communications vendor, stated, “Based on feedback and influence from our channel partners, we made the strategic decision to invest in making our SaaS platform HIPAA compliant so that our partners could satisfy the needs of their UCaaS clients in any industry that deals with the handling of sensitive information.”

How Do UCaaS Providers Interact with ePHI?

What is ePHI? ePHI is any individually identifiable information in electronic format that relates to the past, present, or future provision of healthcare. Some examples of ePHI include patient names, phone numbers, email addresses, fax numbers, and IP addresses. You can interact with ePHI in many different ways depending on what services your healthcare clients use you for.

ePHI can pass through your service in the following ways:

  • Voice and telephony: when healthcare providers interact with patients over the phone, or communicate patient information with other providers involved in the patient’s care.
  • Audio or video conferencing: when healthcare providers offer patients telehealth services.
  • Messaging: when healthcare providers interact with patients via email or text, or communicate patient information with other providers involved in the patient’s care.

HIPAA Security Requirements

HIPAA requires UCaaS providers to uphold the confidentiality, integrity, and availability of ePHI transmitted or stored through their services.

To accomplish this, UCaaS providers must conduct an annual security risk assessment (SRA). An SRA assesses your current security posture against HIPAA standards and identifies risks and vulnerabilities to ePHI. Deficiencies identified in your SRA must be addressed with remediation efforts.

Your products must also offer advanced security controls such as two-factor authentication, access controls, encryption, transmission security, and audit logs.

HIPAA Policies and Procedures

An effective HIPAA compliance program is dependent on documented policies and procedures. HIPAA policies and procedures provide guidelines for your employees on the proper use and disclosures of ePHI, how ePHI is protected, and what to do if there is an ePHI breach.

You must customize your HIPAA policies and procedures to apply directly to your business’s operations. 

Business Associate Agreements

A business associate agreement (BAA) is a legal contract between a business associate and their healthcare client. The purpose of a BAA is to ensure that both you and your client understand your HIPAA obligations. It also limits liability in case of a breach as each signing party is responsible for maintaining compliance. 

As your client’s business associate, you must sign a BAA with them before providing your services. 

Seth Woodward, vendor business development specialist at Telecom Brokerage Inc., stated, “understanding the chain of liability in supplying IT and tech services to those customers — specifically, signing a BAA. If you are a service provider providing some form of service to a healthcare company and you sign a BAA, it’s saying you are essentially owning or taking responsibility for your portion of what you’re supplying … and that you’re HIPAA compliant.”

Employee HIPAA Training

Employee HIPAA training is essential to the success of your HIPAA compliance. Because your employees have the potential to access ePHI, any employee who could access it must be trained on HIPAA standards and your internal policies and procedures upon hire and annually after that.

HIPAA for UCaaS Using Compliancy Group

Compliancy Group helps UCaaS providers (and their clients) become HIPAA compliant. Using an automated software platform and Compliance Coach guidance, HIPAA is simplified into manageable steps.

Longtime UCaaS client Joel Maloff, Senior Vice President of Strategic Alliances and Chief Compliance Officer at Phone.com, stated, “I knew my fellow executives and I wanted to protect our business and our clients. When you point to the risk that this kind of hypothetical can present, it captures everyone’s attention pretty quickly.”

“We knew what we should be doing from a security perspective to address HIPAA, but we had no idea how to begin doing all the necessary documentation and related requirements. Becoming HIPAA compliant with Compliancy Group gave us the tools to implement the things we should have had in the first place to improve our underlying infrastructure.”

Joel Maloff, Phone.com

HIPAA compliance is a proven and effective way to capture new clients in healthcare by speaking directly to their needs.

“We wrote a single paragraph in our newsletter to announce that we were now signing BAAs and immediately received half a dozen emails in response,” said Joel. 

Healthcare is one of the fastest growing sectors of the US economy, and becoming HIPAA compliant is an essential first step toward capturing that growth for your business.