lilarry (Premium Member, join:2010-04-06):
VoIP and HIPAA Compliance - Opinions Please?

This may be out of the realm of many of the participants on this board, but the topic is extremely important. Hopefully some of you may have some answers.

Some of our potential healthcare customers are asking whether VoIP services are HIPAA compliant. (HIPAA = Health Information Portability and Accountability Act).

IMHO, short of providing a direct, secure private line, I don't see how it is possible for any telecom carrier (VoIP or otherwise) to guarantee the privacy and security of the information or conversation being carried. This would seem especially true considering the various "legs" a telephone call must traverse to get from one party to another, including the operators of various switch centers, fiber, microwave, Internet and other legs that a call may traverse, the operations of which are often out of the control of the initial provider. Indeed, HIPAA regulations specifically exempt organizations that "merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents." (full text here: »www.hhs.gov/ocr/privacy/ ··· tes.html

To this end, the Terms of Service of many large carriers (Cablevision Optimum Business comes to mind) specifically state that their services are NOT HIPAA compliant. (See paragraph 22 here: »business.optimum.net/ter ··· business)

All of the above being said, since we are not willing (nor obligated) to sign HIPAA compliance guarantees, one of our potential healthcare customers has instead hired "8x8" (formerly Packet 8) for their VoIP service, thus costing us a customer. "8x8" advertises on their website that they are indeed HIPAA compliant (»www.8x8.com/AboutUs/Secu ··· nce.aspx). For the life of me, unless they are lying, I can't figure out how they can do that. I do not believe their servers are any more sophisticated than any of the other providers we talk about on this board. And even if they somehow are, how can any provider guarantee security compliance once the call leaves their server on its way to the party being called, as I described above?

I could use some opinions here please.

mackey (Premium Member, join:2007-08-20):
My guess is that, unlike pretty much every other provider, they use encryption between their servers and customer endpoints, and when a call goes to the PSTN it gets handed off to the carrier over a private network. Once the call gets to a carrier it's treated no differently than a POTS call and thus no better or worse there.

/M

arpawocky (Premium Member, join:2014-04-13, Columbus, OH) to lilarry:
The difference may be that 8x8 will sign a Business Associate Agreement (BAA) with the HIPAA covered entity.

I would think the issue would be more about encrypted storage of Voicemails and recordings than about encrypting voice traffic in transit. (Since HIPAA requires the former and not the latter.(AFAIK,IMHO,IANAL,etc))

Look at this snippet from the actual law itself:
Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.
My lay understanding of the above is that the SIP and RTP might not even need to be encrypted..
lilarry (Premium Member, join:2010-04-06) to mackey:
said by mackey:

Once the call gets to a carrier it's treated no differently than a POTS call and thus no better or worse there.

In which case, how can they claim HIPAA compliance?
lilarry to arpawocky:
said by arpawocky:

The difference may be that 8x8 will sign a Business Associate Agreement (BAA) with the HIPAA covered entity.

I would think the issue would be more about encrypted storage of Voicemails and recordings than about encrypting voice traffic in transit. (Since HIPAA requires the former and not the latter.(AFAIK,IMHO,IANAL,etc))

The issue is that the scope of a BAA is much broader than merely the storage of voice mails etc. It encompasses all services provided. How can a provider sign a document that assures compliance in areas beyond the providers control (call completion over PSTN, other VoIP providers that may carry the call, the security environment of the party receiving the call, etc.)?

Thanks for the link to the actual law.

arpawocky (Premium Member, join:2014-04-13, Columbus, OH), 1 recommendation:
said by lilarry:

The issue is that the scope of a BAA is much broader than merely the storage of voice mails etc. It encompasses all services provided. How can a provider sign a document that assures compliance in areas beyond the providers control (call completion over PSTN, other VoIP providers that may carry the call, the security environment of the party receiving the call, etc.)?

If a non-recorded phone call isn't considered electronic transmission, that part might not need anything special to be compliant.

If the provider stores voicemails, that is now an electronic record. It is electronic PHI. A live call isn't.

Let's look for a moment at a different scenario:

Alice is a doctor. She accepts health insurance, and her practice is a covered entity.

Alice wants a secure cloud-document-archiving solution. She also wants someone to trim the shrubbery outside her office. Lucky for her, she meets Bob, the founder, chairman, CEO, and janitor of: Bob's Landscaping, Hair Care, Web Design, Pizza, and Secure Cloud Storage, LLC.

She signs a BAA with Bob's company, because Bob's company will be archiving PHI. Bob has a BAA with the cloud provider he resells.

Bob outsources the actual lawncare to Eve & Mallory, LLP - A full service landscaping practice that provides its clients with zealous lawn and garden representation in areas spanning everything from mowing the lawn, to planting pretty flowers.

Eve comes out on Tuesdays and mows the lawn. Mallory trims the shrubbery and plants pretty flowers on Thursdays. Bob does NOT have a BAA with Eve & Mallory, LLP. This is NOT a problem - because that part of the service is not within the scope of HIPAA.

Same logic applies to the live voice call. It's the same as the landscaping. It shouldn't be, but it is.
tired_runner (Premium Member, join:2000-08-25, CT) to lilarry:
HIPAA compliance has to do with employees, physicians, attendings, etc in a healthcare institution to NOT transmit PHI insecurely over any medium, via email, phone, etc.

The only way a telecom carrier can claim HIPAA compliance is if the carrier controls the pipe end to end to all entities involved; patients, physicians, practitioners, etc. With the exception of select facilities that outsource that through partnerships or affiliations, nobody's footing that kind of monthly bill these days so I know that's marketing fud and BS.

arpawocky:
Phone is not considered electronic transmission. Makes no sense, I know.
PSTN itself is not secure - so *maybe* it is a good thing that it's not considered electronic transmission..
tired_runner, 6 recommendations:
Government is choosing its battles carefully.

If HIPAA covered telephone calls, it would require encrypting these conversations. Imagine all the bitching the NSA would do over that.

mackey (Premium Member, join:2007-08-20) to lilarry:
said by lilarry:

said by mackey:

Once the call gets to a carrier it's treated no differently than a POTS call and thus no better or worse there.

In which case, how can they claim HIPAA compliance?

Because anything on their network is encrypted. If the call stays within their network (extension to extension, one customer to another) it is encrypted end-to-end. Thus, their network is HIPAA compliant.

If a call leaves their network it is handed off as a "normal" PSTN phone call, and AFAIK normal phone calls are allowed under HIPAA.

/M
mackey to arpawocky:
said by arpawocky:

If the provider stores voicemails, that is now an electronic record. It is electronic PHI. A live call isn't.

Actually from what I've read it still isn't considered electronic PHI. However, since there is no telling who will be the one listening to the message, it must be treated as insecure. »www.hcpro.com/CCP-275965 ··· ges.html

/M
lilarry (Premium Member, join:2010-04-06) to arpawocky:
said by arpawocky:

If the provider stores voicemails, that is now an electronic record. It is electronic PHI. A live call isn't.

That makes some sort of sense. However as I mentioned, HIPAA guidelines specifically exempt "... a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents."

I don't think it is any stretch what-so-ever to assume that the "electronic equivalent" of the US Postal Service refers to email - electronic records stored on servers. Since email would be exempt, why would voice mail not be exempt? What's the difference?
w1ve (Premium Member, join:2007-12-28, Hancock, NH) to lilarry:
I'm currently providing consulting services to some IT folks providing Telecom services to Doctors offices. The PBXs are cloud hosted. So far, no HIPAA alarms. Voicemail is involved. We will encrypt voicemail at some point (we are still in beta).

BTW, the doctors offices were using a nationally-branded VoIP service we know well, and I'm sure they wouldn't brand themselves "HIPAA compliant". The problem was they could not deliver reliable service.
lilarry:
said by w1ve:

I'm currently providing consulting services to some IT folks providing Telecom services to Doctors offices. The PBXs are cloud hosted. So far, no HIPAA alarms. Voicemail is involved. We will encrypt voicemail at some point (we are still in beta).

BTW, the doctors offices were using a nationally-branded VoIP service we know well, and I'm sure they wouldn't brand themselves "HIPAA compliant". The problem was they could not deliver reliable service.

Thanks for this response. We are obviously in the same or similar businesses.
Considering your response, would you or any of the providers you represent ever be willing to sign a HIPAA BAA (Business Associate Agreement)?
p8787 (Member, join:2014-07-25) to lilarry:
Sorry, only skimmed this thread, but I'd throw out ZRTP as something you could look at and note that I think Silent Circle has a service that you can pay for that provides just that.
lilarry:
said by p8787:

Sorry, only skimmed this thread, but I'd throw out ZRTP as something you could look at and note that I think Silent Circle has a service that you can pay for that provides just that.

Thanks p8787. These encryption schemes are cool. Unfortunately they are not applicable for everyday telephone usage at a busy healthcare office. I'm also not sure they would qualify for HIPAA compliance. And I think ZRTP would be required at both ends of the conversation to work at all - I don't think some elderly patients (or most any patients) would have a clue. I do think Silent Circle is kind of interesting for a cell phone application though.
hardly (Premium Member, join:2004-02-10, USA) to lilarry:
HIPAA Compliance

»googleforwork.blogspot.com/
79176722 (banned) (Member, join:2015-02-19, Miami, FL), 1 recommendation, to lilarry:
This is what 8x8 is doing, straight from the horse's mouth:
»blog.8x8.com/2014/06/why ··· pliance/

So 8x8 itself admits that no specific HIPAA compliance is needed for VoIP providers as long as they don't store voicemail/fax on their own servers at their datacenter. So if the servers that store the health-laden data are physically at the doctor's office, then still (by my understanding) no specific HIPAA "certificate of compliance" ("BAA") is necessary by the VoIP provider. The doctor would just need to make sure the data stored on the physically secured in-house servers at the doctor's office are strongly encrypted.

Bottom line doesn't change, though. That customer lilarry lost wouldn't be convinced by all this (regardless of VoIP voicemail/fax storage location), since he ain't a lawyer (neither am I, BTW) and is likely highly paranoid. It's better to cave in and get that silly BAA and join the 8x8 game just for shits and giggles, as they say...

Or better yet, talk to a lawyer who will probably tell you that your company can state it is "HIPAA compliant" if you indeed know everything you're doing is compliant, without the silly BAA bureaucracy...just like a hot-dog vendor selling lunch to the doctor can convince him to buy his food from him because he's "HIPAA compliant". He ain't lying, and if the stupidity/paranoia of the doctor generates the keen vendor more biz, then all the merrier.
PX Eliezer1 (Premium Member, join:2013-03-10, Zubrowka USA):
Good analysis indeed.

atcotr (Anon, @wideopenwest.com) to lilarry:
HIPAA is about compliance and CYA, not real security. Hence why anything that happens over a traditional phone line is exempt. Signing BAAs, having auditors check checkboxes, and having huge fines hanging over doctors and hospitals and their vendors is just a way to shift liability and assign blame after the data is leaked. Like PCI DSS, it is probably a net benefit since some docs would provide absolutely zero security without regulations, but it's still woefully inadequate. Fun fact: the #1 type of HIPAA violation is lost file cabinets, not online hacking.

arpawocky:
Fun Fact #2: HIPAA isn't about privacy of health information. It's about portability with health insurance... and the privacy bit is an afterthought.

Fun Fact #2.1: The "I" in HIPAA stands for "Insurance" not "Information"
Fun Fact #2.2: The first "P" in HIPAA stands for "Portability", NOT "Privacy"
Fun Fact #2.3: There is no second "P" in HIPAA.

Fun Fact #3: Not all healthcare providers are covered entities.. rather, only those that accept some form of insurance are covered entities. I.e., a cash-only doctor's office could lose the file cabinet, upload patient data to pastebin, and not encrypt anything - all without violating HIPAA.
PX Eliezer1, 3 recommendations:
said by arpawocky:

Fun Fact #2.3: There is no second "P" in HIPAA.

I used to never be able to remember: HIPAA or HIPPA.

Then I remembered, it drives us to drink, so it ends with AA.
PX Eliezer1 to arpawocky:
said by arpawocky:

Fun Fact #3: Not all healthcare providers are covered entities.. rather, only those that accept some form of insurance are covered entities. I.e., a cash-only doctor's office could lose the file cabinet, upload patient data to pastebin, and not encrypt anything - all without violating HIPAA.

Actually the definition relates to whether or not you transmit transaction information electronically.
»www.hhs.gov/ocr/privacy/ ··· ntities/

Now, it is true that just about the only way to avoid transmitting electronically is to not accept insurance.

OTOH even if you don't sign a participation agreement with Medicare, you are still required to submit a claim to Medicare for the benefit of the patient. And generally Medicare claims have to be submitted electronically. So there's not really much way out of this for that reason and other such reasons.

arpawocky:
said by PX Eliezer1:

Actually the definition relates to whether or not you transmit transaction information electronically.
»www.hhs.gov/ocr/privacy/ ··· ntities/

And the types of "transaction information" all deal with insurance in some way or another..

AFAIK & IANAL, submitting credit card transactions to an acquiring bank wouldn't qualify - but submitting a claim to a health plan would. I could be mistaken on this point.
said by PX Eliezer1:

OTOH even if you don't sign a participation agreement with Medicare, you are still required to submit a claim to Medicare for the benefit of the patient.

Unless you don't accept medicare at all. I.e., if you're an "opt-out" provider. Which a purely cash-only doctor probably would be.
PX Eliezer1:
Right, and for those who don't happen to know, Medicare opt-out is a rare status that's a level beyond non-par.

I'll stop here in respect to what forum this is.
79176722 (banned), 1 recommendation, to arpawocky:
said by arpawocky:

I.e., a cash-only doctor's office could lose the file cabinet, upload patient data to pastebin, and not encrypt anything - all without violating HIPAA.

I'm not so sure about that...
»www.medscape.com/viewart ··· e/771348

But even if technically cash-only doctors don't need to be HIPAA compliant, I'd be surprised if a cash-only doctor who loses unencrypted patient records is protected from negligence and related lawsuits.

OTOH, if the cash-only doctor is behaviorally HIPAA compliant, then I'd think it should be much harder to win any serious damages when suing him in some weird case where some disgruntled ex-employee (for example) leaked the info despite the HIPAA precautions on the doctor's side. IANAL but I'm pretty sure the court would consider HIPAA as "high enough standard of security" thus the doctor not responsible for damages/fines (or at least drastically reducing the damages in $-amount)...

And again, IANAL.

arpawocky:
said by 79176722:

But even if technically cash-only doctors don't need to be HIPAA compliant, I'd be surprised if a cash-only doctor who loses unencrypted patient records is protected from negligence and related lawsuits.

Agreed. There would still probably be plenty of trouble, just not for HIPAA.

battleop (Member, join:2005-09-28) to lilarry:
From what I understand things that start out analog like voice and faxing are exempt from some of the HIPAA rules because you can't encrypt it to begin with.

Even with that we still encrypt the customer's voice from the router at the customer's location to a router in our network that terminates in the same switch as our voice network. We do not terminate the IPSEC tunnels directly to the voice servers; however, one would have to have physical access to intercept any voice traffic.

It's impossible for a provider to provide 100% encrypted voice traffic outside of their network. There are two sides to the call and carriers who carry traffic that are beyond our control. If the person who called them called from an unsecured connection both sides of that call are in the clear. The only thing we can do is make sure that breach isn't going to happen on anything we control.

We have a lot of customers who are financial and medical and none of them seem to have a problem with this. The financial guys seem to go through more audits more often and none of their auditors seem to have a problem with how we do our part.
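Both mackey's and battleop's posts above come down to the same practical question: is the one leg you actually control (endpoint to provider) encrypted, and is that visible on the wire? The following is an added example, not code from this thread, from 8x8 or from any other provider mentioned in it. It reads a SIP INVITE and reports whether this hop's signaling ran over TLS (from the top Via header) and whether the SDP offers SRTP with keying material, and it flags the trap that matters most in practice: SDES (a=crypto) puts the SRTP master key inside the SDP, so "encrypted media" over plaintext SIP is readable by anyone who saw the INVITE. It sees nothing past this hop (the PSTN hand-off, other carriers), and a network-layer IPsec tunnel like battleop's is invisible to it. The hostnames, key and fingerprint in the samples are made up; the sample INVITEs are constructed, not captured.

```python
"""Classify how one SIP call leg is protected, from the INVITE that sets it up.
Added example (not code from the thread or any provider in it); sees this hop only."""
import re
from dataclasses import dataclass

# SDP transport profiles: RTP/AVP(F) is plain RTP; RTP/SAVP(F) is SRTP (RFC 3711),
# usually keyed by SDES a=crypto lines (RFC 4568); UDP/TLS/RTP/SAVP(F) is
# DTLS-SRTP (RFC 5764), keyed via a=fingerprint.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
ENCRYPTED_TRANSPORTS = {"TLS", "WSS"}  # SIP over TLS or secure WebSocket


@dataclass(frozen=True)
class LegProtection:
    signaling_encrypted: bool  # this hop's SIP was sent over TLS/WSS (top Via)
    media_encrypted: bool      # every active m= line offers SRTP with keying present
    profiles: tuple            # transport profile of each m= line, in order
    issues: tuple              # reasons the leg should still be treated as exposed

    @property
    def private(self) -> bool:
        return self.signaling_encrypted and self.media_encrypted and not self.issues


def parse_sip(raw: str):
    """Split a SIP request into (request line, {header: [values]}, body)."""
    head, _, body = raw.replace("\r\n", "\n").strip("\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def classify_leg(raw: str) -> LegProtection:
    _request_line, headers, sdp = parse_sip(raw)
    issues, profiles, secure = [], [], []
    # Signaling: the top Via records the transport the sender actually used for this hop.
    via = re.match(r"SIP/2\.0/(\w+)", headers.get("via", [""])[0], re.I)
    signaling_encrypted = bool(via) and via.group(1).upper() in ENCRYPTED_TRANSPORTS
    # Media: split the SDP at each m= line. a=crypto is media-level only;
    # a=fingerprint may sit at session level and then applies to every stream.
    session, *media_sections = re.split(r"^(?=m=)", sdp, flags=re.M)
    session_fingerprint = "a=fingerprint:" in session
    for section in media_sections:
        parts = section.splitlines()[0][2:].split()  # "<type> <port> <profile> <fmt>..."
        if len(parts) < 3:
            issues.append(f"unparseable media line: {section.splitlines()[0]}")
            continue
        media_type, port, profile = parts[0], parts[1], parts[2].upper()
        profiles.append(profile)
        if port == "0":
            continue  # rejected stream, no media will flow
        if profile not in SECURE_PROFILES:
            secure.append(False)
            issues.append(f"{media_type} offered without SRTP ({profile})")
            continue
        has_sdes = "a=crypto:" in section
        has_dtls = session_fingerprint or "a=fingerprint:" in section
        if not (has_sdes or has_dtls):
            secure.append(False)
            issues.append(f"{media_type} offers {profile} without a=crypto or a=fingerprint")
            continue
        secure.append(True)
        # SDES carries the SRTP master key inside the SDP: over plaintext signaling,
        # whoever can read the INVITE can also decrypt the "encrypted" media.
        if has_sdes and not signaling_encrypted:
            issues.append(f"{media_type} SRTP key (a=crypto) sent over unencrypted signaling")
    media_encrypted = bool(secure) and all(secure)
    return LegProtection(signaling_encrypted, media_encrypted, tuple(profiles), tuple(issues))


def make_invite(uri: str, transport: str, media: list) -> str:
    """Build a constructed minimal INVITE; media is [(m= line, [a= lines]), ...]."""
    sdp = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0"]
    for m_line, attrs in media:
        sdp += [m_line, *attrs]
    return "\r\n".join([
        f"INVITE {uri} SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10;branch=z9hG4bK776",
        "From: <sip:100@clinic.example>;tag=1928301774",
        f"To: <{uri}>",
        "Content-Type: application/sdp",
        "",
        *sdp,
    ])


# Constructed samples (not captures from any real provider); hosts, key and fingerprint are made up.
SDES = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz"
FP = "a=fingerprint:sha-256 " + ":".join(["7B", "8B", "F0", "65"] * 8)
PLAIN_CALL = make_invite("sip:+15551234567@pstn.example.net", "UDP", [("m=audio 49170 RTP/AVP 0 8", [])])
SRTP_OVER_UDP = make_invite("sip:200@clinic.example", "UDP", [("m=audio 49172 RTP/SAVP 0 8", [SDES])])
SRTP_OVER_TLS = make_invite("sips:200@clinic.example", "TLS", [("m=audio 49172 RTP/SAVP 0 8", [SDES])])
DTLS_OVER_TLS = make_invite("sips:200@clinic.example", "TLS",
                            [("m=audio 49174 UDP/TLS/RTP/SAVPF 111", [FP]), ("m=video 0 RTP/AVP 96", [])])
```

Run classify_leg() on an INVITE pulled from a packet capture or a SIP trace at the edge of your own network: PLAIN_CALL (UDP signaling, RTP/AVP media) is the PSTN-style leg the thread describes, SRTP_OVER_UDP shows why SRTP alone is not enough, and the two TLS samples are what "encrypted between their servers and customer endpoints" has to look like on the wire. A clean result here only covers this hop; the hand-off to the PSTN is still the plain call everyone above agrees it is.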
battleop to arpawocky:
"My lay understanding of the above is that the SIP and RTP might not even need to be encrypted.."

That's my understanding as well.