CallRail is a software service that enables call tracking, recording, and analytics. By utilizing CallRail businesses track marketing initiatives by determining which marketing campaigns drive calls. Organizations working with protected health information (PHI) must ensure that the software they’re using is HIPAA compliant. That begs the question, is CallRail HIPAA compliant?
Is CallRail HIPAA Compliant: Security Features
HIPAA requires that software used by organizations working with protected health information (PHI), have proper security measures safeguarding PHI. These safeguards must ensure the confidentiality, integrity, and availability of the PHI they work with.
To address this, CallRail utilizes end-to-end encryption (E2EE). E2EE masks sensitive data from one endpoint to another (an endpoint is a device that connects to the internet such as a laptop, tablet, or smartphone). “Unmasking” data requires a decryption key, as such, data can only be read by authorized users.
Additional security features for CallRail’s HIPAA compliant accounts include:
◈ Automatic logoff. Users are logged out every 30 minutes.
◈ Integrations. There are restrictions on integrations that send PHI to third parties.
◈ Voicemail privacy. Voicemail transcriptions are confidential.
◈ Access to recordings. Accessing the recording link will require a login. Only Client Manager or Client Reporting users have access to recordings. As such, they must log into the account to listen to call recordings.
◈ Caller ID. Caller ID information isn’t included in Call Notification emails. This information is only available upon logging into CallRail.
◈ Form submission. Form submission alerts received through text messages don’t include messages from the lead. This information is only available upon logging into CallRail.
◈ Email notifications. Emails only include the caller’s phone number. To access the message, users must log into CallRail.
Is CallRail HIPAA Compliant: Business Associate Agreements
Software companies that work with healthcare clients, or may have access to PHI as part of their job function, are considered business associates. An essential part of HIPAA compliance is ensuring that business associates will protect PHI. Business associate agreements (BAA) dictate the security measures business associates are required to have in place to service their clients. A BAA requires each signing party to agree to be HIPAA compliant, and states that each party is responsible for maintaining their compliance. Software companies that are unwilling to sign a business associate agreement cannot be used in conjunction with PHI.
CallRail states on their website that they will sign a BAA with their healthcare clients.
Is CallRail HIPAA Compliant?
Yes, provided users enable the proper security features, and have a signed business associate agreement, CallRail can be used in a HIPAA compliant manner.