
You may have seen our press release recently announcing Aculab Cloud conformance with HIPAA and HITECH regulations. In that release, we stated that Aculab is able to enter into HIPAA Business Associate Agreements (BAA) with its Covered Entity customers providing healthcare platforms.

Compliance with HIPAA Privacy and Security Rules

The point regarding a HIPAA BAA is important news for any customer or potential customer considering using a cloud-based communications-platform-as-a-service, such as Aculab Cloud, as part of the solutions it offers to healthcare service providers in the United States.

It is important, because businesses offering patient management and advisory (PMA) or electronic healthcare records (EHR) solutions are obliged to ensure compliance with the HIPAA Privacy and Security Rules. If businesses use a communications API platform, such as Aculab Cloud, in delivering their solutions, it’s clear that such use can be subject to those rules.

To understand the obligation in relation to platforms like Aculab Cloud, it’s important for you to consider the HIPAA Rules.

The HIPAA Privacy and Security Rules

Privacy Rule

The Privacy Rule addresses the use and disclosure of individuals’ Protected Health Information (PHI) by organisations subject to the Rule. Such organisations are called Covered Entities and their Business Associates. The balanced Rule seeks to ensure that individuals’ health information is properly protected, while permitting the disclosure of health information needed for high quality healthcare and to protect the public’s well being. The standards inherent in the Rule also provide for individuals’ rights to understand and control how their health information is used.

Security Rule

The Security Rule encompasses federal safeguards for protecting PHI that is created, received, held, maintained or transmitted in electronic form, which is then known as e-PHI. Those safeguards must be put in place by Covered Entities and their Business Associates to ensure the confidentiality and integrity of e-PHI. The Rule is intended to allow the adoption of technologies that improve the quality and efficiency of patient care, such as those used in PMA, EHR, pharmacy and laboratory systems.

What is considered PHI

In essence, PHI is information that relates to the individual’s health condition, or the provision of healthcare to the individual, that identifies, or can be used to identify, the individual.

Applicability

The HIPAA Rules apply to Covered Entities and their Business Associates who transmit e-PHI. The PMA and EHR services provided by Aculab’s customers clearly include management and administration services, both of which are included in the limited list of services identified in the Privacy Rule, and the transmission of e-PHI. Customers use Aculab Cloud for a variety of solutions, including those involving patient management, advisory, care, diagnosis, results, rehabilitation, messenger, and information systems.

Aculab as the operator of Aculab Cloud is not a Covered Entity and Aculab’s healthcare customers may not be Covered Entities. However, an Aculab customer performing functions or activities that involve the use or disclosure of e-PHI, by providing services to a Covered Entity, is by definition a Business Associate. The relationship between a Covered Entity and a Business Associate is through a BAA. In the case of a service provider to a Business Associate, the service provider becomes a Business Associate and, for the purpose of the BAA, the other party becomes a Covered Entity. That means Aculab is the Business Associate and its customer is the Covered Entity.

Compliance

Of course, one way to remain compliant is to not process, store or transmit e-PHI using a communications-platform-as-a-service, but that rather defeats the purpose of such platforms.

The following paragraphs provide some high-level suggestions for achieving compliance with the HIPAA Privacy and Security Rules when using a platform, such as Aculab Cloud, to process and transmit e-PHI involved in a PMA or EHR solution.

Authentication

Password authentication for access to, for example, recordings, voicemail messages or voice response systems doesn’t alter the fact that such data is e-PHI and, if it is created, received, processed, stored or transmitted via Aculab Cloud, it is subject to the Privacy and Security Rules. However, authentication is a rather good method of ensuring compliance: it applies protective measures, which are the essence of what the Rules require.

Encryption

Similarly, whether the data is voice or speech, and whether it is broadcast or transmitted over encrypted channels, it remains e-PHI and is subject to the Rules. Encrypting the data is not a means of avoiding your obligation; it is merely an effective means of complying with the Rules and meeting your obligation.

SMS

With regard to SMS, it’s clear that you can’t send a short message over an encrypted channel; it remains plain text on transmission. Furthermore, by virtue of sending an SMS to a patient, you cannot avoid including the destination number, and that number could be used to identify the individual, thus qualifying the text as e-PHI. What you can do is ensure that the content of text messages contains no sensitive patient data. A message stating “Your appointment for tomorrow at 10:15 is confirmed” is compliant, whereas a message stating “Your appointment at the < insert too much information > clinic…” would not be.

Recordings

Voice recordings can be made by healthcare professionals and patients alike, and their existence can’t be ignored from a compliance standpoint. An effective method of protecting and securing recordings is to encrypt the resultant file. However, there are additional precautions around how you handle the encryption that you would do well to consider.

You should ensure that the encrypted file and the encryption key are never sent via the same route, nor retained by the platform after use. That means the key should be received by the platform only when needed at the time of use, never stored on the platform, and destroyed after use, simultaneously with transmission of the encrypted file. Similarly, the source recording should be deleted.

Message playback

The process is similar, albeit in reverse, for playback of a .wav file, for example, to relay information in the form of a message to a patient. On receipt of the encrypted file for transmission, you should ensure the applicable key is available only at the time of decryption in order to play back the message. As above, the key should be received via a different route from the message and destroyed after use, along with the original encrypted message.

Fax handling

Once again, the process is similar when sending fax messages, a technology whose use is still common and widespread in healthcare. On receipt of the encrypted fax for transmission, you should ensure the applicable key is available only at the time of decryption in order to transmit the fax. As above, the key should be received via a different route and destroyed after use, along with the original encrypted message. The process is reversed for receiving a fax and forwarding the corresponding encrypted message to the intended receiver.
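The key-handling discipline described in the Recordings, Message playback and Fax handling sections, as an added example in Go that is not Aculab's code: SealRecording returns the encrypted envelope and its per-file key as two separate values, so the caller can send them by different routes, and OpenForPlayback accepts the key only at the moment of use and wipes both the key and the held ciphertext before returning. AES-256-GCM, the nonce||ciphertext envelope layout and the function names are assumptions; the route separation itself is the caller's responsibility, and the sample recording is supplied by the caller.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const keyLen, nonceLen = 32, 12 // AES-256 key, standard 96-bit GCM nonce
func zero(b []byte) { copy(b, make([]byte, len(b))) } // wipe in place so nothing lingers

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecording encrypts under a fresh per-file key and returns envelope (nonce||
// ciphertext) and key as separate values for separate routes; the source is wiped.
func SealRecording(recording []byte) (envelope, key []byte, err error) {
	buf := make([]byte, keyLen+nonceLen)
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:keyLen], buf[keyLen:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	envelope = gcm.Seal(nonce, nonce, recording, nil)
	zero(recording) // source recording destroyed once the encrypted copy exists
	return envelope, key, nil
}

// OpenForPlayback decrypts with a key supplied just in time, then wipes both the
// key and the held envelope so the platform retains neither after use.
func OpenForPlayback(envelope, key []byte) ([]byte, error) {
	defer zero(key)
	defer zero(envelope)
	if len(envelope) < nonceLen {
		return nil, errors.New("envelope shorter than nonce")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, envelope[:nonceLen], envelope[nonceLen:], nil)
}
```

A second OpenForPlayback call with the same (now wiped) key and envelope fails authentication, which is the observable effect of "destroyed after use".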

More information

To find out about Aculab's cloud platform for HIPAA compliance, check out the HIPAA, security & encryption page.

For more information on the HIPAA regulations, check out the HIPAA website.

Aculab provides the above information as a courtesy. It is not intended to constitute legal advice, which Aculab is not in a position to provide. You should always seek professional legal advice, and particularly in relation to your status and obligations in relation to HIPAA and other applicable laws and regulations.
