Regardless of the method used, communications such as cloud-based VoIP, telehealth, texting, and email in healthcare must comply fully with HIPAA rules and regulations.
HIPAA Requirements for Communications in Healthcare: Covered Entities vs. Business Associates
The HIPAA regulations divide businesses into two groups based on how they handle protected health information (PHI):
Covered Entities (CE): Healthcare providers, health insurers, and healthcare data clearinghouses fall into this category. These companies use PHI for treatment, billing, and data analysis to support those activities. Covered entities like doctors and insurance companies will create PHI in the course of their normal activities.
Business Associates (BA): A company that takes possession of PHI to provide support services to CEs or other BAs is considered a business associate. Electronic health record services, third-party billers, and print/mailing firms that send statements to patients are some common examples of BAs.
BAs must follow the provisions of HIPAA’s Privacy Rule, Security Rule, and the HITECH Omnibus Rule, including breach notification and the protection of PHI in physical or electronic (ePHI) formats.
Business Associate Agreements (BAAs) must be signed before exchanging PHI between organizations. The goal is to create an unbroken chain of HIPAA compliance in any place where PHI may be stored or used.