They provide phone services for millions of users in homes and businesses around the country. But is Ooma HIPAA compliant?
What Makes a Software Tool HIPAA Compliant?
When it comes to software, there are specific indications of a tool’s HIPAA compliance. Software HIPAA compliance boils down to two questions. Does the tool have safeguards to keep patient data private and secure? Does the software provider sign business associate agreements?
When the answer to both of these questions is “yes,” the tool is likely HIPAA compliant. If the answer to either is “no,” the tool is not HIPAA compliant.
What Are HIPAA Safeguards?
HIPAA safeguards are measures that a healthcare organization puts into place to protect the confidentiality, integrity, and availability of protected health information (PHI). HIPAA categorizes safeguards into three groups – administrative, physical, and technical.
Administrative safeguards are written policies and procedures that dictate PHI’s proper uses and disclosures.
Physical safeguards protect an organization’s physical location, such as locks and alarm systems.
Technical safeguards are measures that protect electronic PHI (ePHI).
While administrative and physical safeguards are essential, technical safeguards are generally the determining factor of a software provider’s HIPAA compliance. You should expect technical safeguards, including encryption, user authentication, access controls, and audit controls.
Why is a Business Associate Agreement Important?
Business associate agreements are a crucial determinant of HIPAA compliance. Even the most secure software platform is NOT HIPAA compliant if its provider will not sign a business associate agreement (BAA).
Why?
A BAA is a legal agreement that requires each signing party to be HIPAA compliant and to be responsible for maintaining compliance. As such, a BAA limits the liability of both signing parties in the event of a breach or OCR audit, as only the negligent party would be held culpable.
Is Ooma HIPAA Compliant?
One section of Ooma’s Enterprise Terms and Conditions answers the HIPAA compliance question:
HIPAA. Customer acknowledges and agrees that the use of the Services are not designed, intended, or recommended for use as a repository or means by which to store “protected health information,” as defined under the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, and similar legislation in other jurisdictions, and the regulations promulgated pursuant thereto (such laws and regulations, “HIPAA”; such information, “PHI”) on a non-temporary basis, and Customer represents and warrants that neither the Services nor any ancillary product or service that is a part thereof will be used for such purpose. OOMA SPECIFICALLY MAKES NO REPRESENTATION, WARRANTY, OR GUARANTEE THAT THE SERVICES, THE ACCOUNT(S), OR THE OOMA EQUIPMENT (OR THE USE OF ANY OF THE FOREGOING BY ANY PARTY) COMPLIES OR WILL COMPLY WITH HIPAA OR ANY OTHER LAW OR WILL RENDER ANY PARTY COMPLIANT WITH HIPAA OR ANY OTHER LAW.
Because Ooma clearly states that its product is not intended to store PHI, Ooma is not HIPAA compliant.