lilarry, Premium Member, join:2010-04-06, 2014-Aug-27 10:37 am

VoIP and HIPAA Compliance - Opinions Please?

This may be out of the realm of many of the participants on this board, but the topic is extremely important. Hopefully some of you may have some answers. Some of our potential healthcare customers are asking whether VoIP services are HIPAA compliant. (HIPAA = Health Information Portability and Accountability Act.)

IMHO, short of providing a direct, secure private line, I don't see how it is possible for any telecom carrier (VoIP or otherwise) to guarantee the privacy and security of the information or conversation being carried. This would seem especially true considering the various "legs" a telephone call must traverse to get from one party to another, including the operators of various switch centers, fiber, microwave, Internet and other legs that a call may traverse, the operations of which are often out of the control of the initial provider. Indeed, HIPAA regulations specifically exempt organizations that act "merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents." (Full text here: » www.hhs.gov/ocr/privacy/ ··· tes.html)

To this end, the Terms of Service of many large providers and carriers (Cablevision Optimum Business comes to mind) specifically state that their services are NOT HIPAA compliant. (See paragraph 22 here: » business.optimum.net/ter ··· business)

All of the above being said, since we are not willing (nor obligated) to sign HIPAA compliance guarantees, one of our potential healthcare customers has instead hired "8x8" (formerly Packet 8) for their VoIP service, thus costing us a customer. "8x8" advertises on their website that they are indeed HIPAA compliant (» www.8x8.com/AboutUs/Secu ··· nce.aspx). For the life of me, unless they are lying, I can't figure out how they can do that. I do not believe their servers are any more sophisticated than any of the other providers we talk about on this board.

And even if they somehow are, how can any provider guarantee security compliance once the call leaves their server on its way to the party being called, as I described above? I could use some opinions here please.
mackey, Premium Member, join:2007-08-20, 2014-Aug-27 10:51 am

My guess is that, unlike pretty much every other provider, they use encryption between their servers and customer endpoints, and when a call goes to the PSTN it gets handed off to the carrier over a private network. Once the call gets to a carrier it's treated no differently than a POTS call and thus no better or worse there.
/M
arpawocky, Premium Member, join:2014-04-13, Columbus, OH
to lilarry

The difference may be that 8x8 will sign a Business Associate Agreement (BAA) with the HIPAA covered entity. I would think the issue would be more about encrypted storage of voicemails and recordings than about encrypting voice traffic in transit. (Since HIPAA requires the former and not the latter. AFAIK, IMHO, IANAL, etc.) Look at this snippet from the actual law itself:

"Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission."

My lay understanding of the above is that the SIP and RTP might not even need to be encrypted.
lilarry, Premium Member, join:2010-04-06
to mackey

said by mackey: "Once the call gets to a carrier it's treated no differently than a POTS call and thus no better or worse there."

In which case, how can they claim HIPAA compliance?
lilarry
to arpawocky

said by arpawocky: "The difference may be that 8x8 will sign a Business Associate Agreement (BAA) with the HIPAA covered entity. I would think the issue would be more about encrypted storage of voicemails and recordings than about encrypting voice traffic in transit. (Since HIPAA requires the former and not the latter. AFAIK, IMHO, IANAL, etc.)"

The issue is that the scope of a BAA is much broader than merely the storage of voicemails etc. It encompasses all services provided. How can a provider sign a document that assures compliance in areas beyond the provider's control (call completion over the PSTN, other VoIP providers that may carry the call, the security environment of the party receiving the call, etc.)? Thanks for the link to the actual law.
arpawocky, Premium Member, join:2014-04-13, Columbus, OH, 2014-Aug-27 11:55 am

said by lilarry: "The issue is that the scope of a BAA is much broader than merely the storage of voicemails etc. It encompasses all services provided. How can a provider sign a document that assures compliance in areas beyond the provider's control (call completion over the PSTN, other VoIP providers that may carry the call, the security environment of the party receiving the call, etc.)?"

If a non-recorded phone call isn't considered electronic transmission, that part might not need anything special to be compliant. If the provider stores voicemails, that is now an electronic record. It is electronic PHI. A live call isn't.

Let's look for a moment at a different scenario: Alice is a doctor. She accepts health insurance, and her practice is a covered entity. Alice wants a secure cloud-document-archiving solution. She also wants someone to trim the shrubbery outside her office. Lucky for her, she meets Bob, the founder, chairman, CEO, and janitor of Bob's Landscaping, Hair Care, Web Design, Pizza, and Secure Cloud Storage, LLC. She signs a BAA with Bob's company, because Bob's company will be archiving PHI. Bob has a BAA with the cloud provider he resells. Bob outsources the actual lawn care to Eve & Mallory, LLP, a full-service landscaping practice that provides its clients with zealous lawn and garden representation in areas spanning everything from mowing the lawn to planting pretty flowers. Eve comes out on Tuesdays and mows the lawn. Mallory trims the shrubbery and plants pretty flowers on Thursdays. Bob does NOT have a BAA with Eve & Mallory, LLP. This is NOT a problem, because that part of the service is not within the scope of HIPAA.

Same logic applies to the live voice call. It's the same as the landscaping. It shouldn't be, but it is.
to lilarry

HIPAA compliance has to do with employees, physicians, attendings, etc. in a healthcare institution NOT transmitting PHI insecurely over any medium, via email, phone, etc.

The only way a telecom carrier can claim HIPAA compliance is if the carrier controls the pipe end to end to all entities involved: patients, physicians, practitioners, etc. With the exception of select facilities that outsource that through partnerships or affiliations, nobody's footing that kind of monthly bill these days, so I know that's marketing FUD and BS.
arpawocky, Premium Member, join:2014-04-13, Columbus, OH, 2014-Aug-27 12:06 pm

Phone is not considered electronic transmission. Makes no sense, I know. The PSTN itself is not secure, so *maybe* it is a good thing that it's not considered electronic transmission.
Government is choosing its battles carefully.
If HIPAA covered telephone calls, it would require encrypting these conversations. Imagine all the bitching the NSA would do over that.
mackey, Premium Member, join:2007-08-20
to lilarry

said by lilarry: "said by mackey: 'Once the call gets to a carrier it's treated no differently than a POTS call and thus no better or worse there.' In which case, how can they claim HIPAA compliance?"

Because anything on their network is encrypted. If the call stays within their network (extension to extension, one customer to another) it is encrypted end-to-end. Thus, their network is HIPAA compliant. If a call leaves their network it is handed off as a "normal" PSTN phone call, and AFAIK normal phone calls are allowed under HIPAA.
/M
mackey
to arpawocky

said by arpawocky: "If the provider stores voicemails, that is now an electronic record. It is electronic PHI. A live call isn't."

Actually from what I've read it still isn't considered electronic PHI. However, since there is no telling who will be the one listening to the message, it must be treated as insecure. » www.hcpro.com/CCP-275965 ··· ges.html
/M
lilarry, Premium Member, join:2010-04-06
to arpawocky

said by arpawocky: "If the provider stores voicemails, that is now an electronic record. It is electronic PHI. A live call isn't."

That makes some sort of sense. However, as I mentioned, HIPAA guidelines specifically exempt "... a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents." I don't think it is any stretch whatsoever to assume that the "electronic equivalent" of the US Postal Service refers to email, i.e. electronic records stored on servers. Since email would be exempt, why would voicemail not be exempt? What's the difference?
w1ve, Premium Member, join:2007-12-28, Hancock, NH
to lilarry

I'm currently providing consulting services to some IT folks providing telecom services to doctors' offices. The PBXs are cloud hosted. So far, no HIPAA alarms. Voicemail is involved. We will encrypt voicemail at some point (we are still in beta).

BTW, the doctors' offices were using a nationally-branded VoIP service we know well, and I'm sure they wouldn't brand themselves "HIPAA compliant". The problem was they could not deliver reliable service.
lilarry, Premium Member, join:2010-04-06, 2014-Aug-27 5:02 pm

said by w1ve: "I'm currently providing consulting services to some IT folks providing telecom services to doctors' offices. The PBXs are cloud hosted. So far, no HIPAA alarms. Voicemail is involved. We will encrypt voicemail at some point (we are still in beta). BTW, the doctors' offices were using a nationally-branded VoIP service we know well, and I'm sure they wouldn't brand themselves 'HIPAA compliant'. The problem was they could not deliver reliable service."

Thanks for this response. We are obviously in the same or similar businesses. Considering your response, would you or any of the providers you represent ever be willing to sign a HIPAA BAA (Business Associate Agreement)?
p8787
to lilarry

Sorry, only skimmed this thread, but I'd throw out ZRTP as something you could look at, and note that I think Silent Circle has a service that you can pay for that provides just that.
lilarry, Premium Member, join:2010-04-06, 2014-Aug-27 8:49 pm

said by p8787: "Sorry, only skimmed this thread, but I'd throw out ZRTP as something you could look at, and note that I think Silent Circle has a service that you can pay for that provides just that."

Thanks p8787. These encryption schemes are cool. Unfortunately they are not applicable for everyday telephone usage at a busy healthcare office. I'm also not sure they would qualify for HIPAA compliance. And I think ZRTP would be required at both ends of the conversation to work at all; I don't think some elderly patients (or most any patients) would have a clue. I do think Silent Circle is kind of interesting for a cell phone application though.
79176722 (banned), VoIP.ms, Magento, and lotsa open tabs, join:2015-02-19, Miami, FL
to lilarry

This is what 8x8 is doing, straight from the horse's mouth: » blog.8x8.com/2014/06/why ··· pliance/

So 8x8 itself admits that no specific HIPAA compliance is needed for VoIP providers as long as they don't store voicemail/fax on their own servers at their datacenter. So if the servers that store the health-laden data are physically at the doctor's office, then still (by my understanding) no specific HIPAA "certificate of compliance" ("BAA") is necessary by the VoIP provider. The doctor would just need to make sure the data stored on the physically secured in-house servers at the doctor's office are strongly encrypted.

Bottom line doesn't change, though. That customer lilarry lost wouldn't be convinced by all this (regardless of VoIP voicemail/fax storage location), since he ain't a lawyer (neither am I, BTW) and is likely highly paranoid. It's better to cave in and get that silly BAA and join the 8x8 game just for shits and giggles, as they say... Or better yet, talk to a lawyer who will probably tell you that your company can state it is "HIPAA compliant" if you indeed know everything you're doing is compliant, without the silly BAA bureaucracy... just like a hot-dog vendor selling lunch to the doctor can convince him to buy his food from him because he's "HIPAA compliant". He ain't lying, and if the stupidity/paranoia of the doctor generates the keen vendor more biz, then all the merrier.
Good analysis indeed.
atcotr, Anon, 2015-Feb-20 8:41 pm
to lilarry

HIPAA is about compliance and CYA, not real security. Hence why anything that happens over a traditional phone line is exempt. Signing BAAs, having auditors check checkboxes, and having huge fines hanging over doctors and hospitals and their vendors is just a way to shift liability and assign blame after the data is leaked. Like PCI DSS, it is probably a net benefit since some docs would provide absolutely zero security without regulations, but it's still woefully inadequate. Fun fact: the #1 type of HIPAA violation is lost file cabinets, not online hacking.
arpawocky, Premium Member, join:2014-04-13, Columbus, OH

Fun Fact #2: HIPAA isn't about privacy of health information. It's about portability with health insurance... and the privacy bit is an afterthought.
Fun Fact #2.1: The "I" in HIPAA stands for "Insurance", not "Information".
Fun Fact #2.2: The first "P" in HIPAA stands for "Portability", NOT "Privacy".
Fun Fact #2.3: There is no second "P" in HIPAA.
Fun Fact #3: Not all healthcare providers are covered entities; rather, only those that accept some form of insurance are covered entities. I.e., a cash-only doctor's office could lose the file cabinet, upload patient data to pastebin, and not encrypt anything, all without violating HIPAA.
said by arpawocky: "Fun Fact #2.3: There is no second 'P' in HIPAA."

I used to never be able to remember: HIPAA or HIPPA. Then I remembered, it drives us to drink, so it ends with AA.
PX Eliezer1
to arpawocky

said by arpawocky: "Fun Fact #3: Not all healthcare providers are covered entities; rather, only those that accept some form of insurance are covered entities. I.e., a cash-only doctor's office could lose the file cabinet, upload patient data to pastebin, and not encrypt anything, all without violating HIPAA."

Actually the definition relates to whether or not you transmit transaction information electronically. » www.hhs.gov/ocr/privacy/ ··· ntities/

Now, it is true that just about the only way to avoid transmitting electronically is to not accept insurance. OTOH even if you don't sign a participation agreement with Medicare, you are still required to submit a claim to Medicare for the benefit of the patient. And generally Medicare claims have to be submitted electronically. So there's not really much way out of this for that reason and other such reasons.
arpawocky, Premium Member, join:2014-04-13, Columbus, OH, 2015-Feb-20 10:22 pm

And the types of "transaction information" all deal with insurance in some way or another. AFAIK & IANAL, submitting credit card transactions to an acquiring bank wouldn't qualify, but submitting a claim to a health plan would. I could be mistaken on this point.

said by PX Eliezer1: "OTOH even if you don't sign a participation agreement with Medicare, you are still required to submit a claim to Medicare for the benefit of the patient."

Unless you don't accept Medicare at all. I.e., if you're an "opt-out" provider. Which a purely cash-only doctor probably would be.
Right, and for those who don't happen to know, Medicare opt-out is a rare status that's a level beyond non-par. I'll stop here in respect to what forum this is.
79176722 (banned), VoIP.ms, Magento, and lotsa open tabs, join:2015-02-19, Miami, FL
to arpawocky

said by arpawocky: "I.e., a cash-only doctor's office could lose the file cabinet, upload patient data to pastebin, and not encrypt anything, all without violating HIPAA."

I'm not so sure about that... » www.medscape.com/viewart ··· e/771348

But even if technically cash-only doctors don't need to be HIPAA compliant, I'd be surprised if a cash-only doctor who loses unencrypted patient records is protected from negligence and related lawsuits. OTOH, if the cash-only doctor is behaviorally HIPAA compliant, then I'd think it should be much harder to win any serious damages when suing him in some weird case where some disgruntled ex-employee (for example) leaked the info despite the HIPAA precautions on the doctor's side. IANAL but I'm pretty sure the court would consider HIPAA as a "high enough standard of security", thus the doctor not responsible for damages/fines (or at least drastically reducing the damages in $-amount)... And again, IANAL.
arpawocky, Premium Member, join:2014-04-13, Columbus, OH, 2015-Feb-21 11:20 am

said by 79176722: "But even if technically cash-only doctors don't need to be HIPAA compliant, I'd be surprised if a cash-only doctor who loses unencrypted patient records is protected from negligence and related lawsuits."

Agreed. There would still probably be plenty of trouble, just not for HIPAA.
to lilarry

From what I understand, things that start out analog like voice and faxing are exempt from some of the HIPAA rules because you can't encrypt it to begin with.

Even with that, we still encrypt the customer's voice from the router at the customer's location to a router in our network that terminates in the same switch as our voice network. We do not terminate the IPsec tunnels directly on the voice servers; however, one would have to have physical access to intercept any voice traffic.

It's impossible for a provider to provide 100% encrypted voice traffic outside of their network. There are two sides to the call and carriers who carry traffic that are beyond our control. If the person who called them called from an unsecured connection, both sides of that call are in the clear. The only thing we can do is make sure that breach isn't going to happen on anything we control.

We have a lot of customers who are financial and medical and none of them seem to have a problem with this. The financial guys seem to go through more audits more often and none of their auditors seem to have a problem with how we do our part.
battleop
to arpawocky

"My lay understanding of the above is that the SIP and RTP might not even need to be encrypted."

That's my understanding as well.
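Two claims run through this thread: mackey's point that a provider can say "anything on our network is encrypted" for on-net calls, and arpawocky's and battleop's reading that SIP and RTP may not legally need encryption at all. Whichever way the legal question falls, a provider making the first claim to an auditor needs evidence per call, and the evidence has two layers that are easy to conflate: the SIP signaling transport (TLS or not) and the media profile offered in the SDP (SRTP, shown as RTP/SAVP or RTP/SAVPF, versus plaintext RTP/AVP). The helper below is an added example and is not code from any poster, from 8x8 or from any other provider named here; it parses SIP INVITEs and reports every call that is not protected on both layers. The three INVITE messages are constructed for the example (documentation-range addresses, made-up Call-IDs), not captured traffic.

```python
"""Audit helper: does a SIP call on our own hop use encrypted signaling AND
encrypted media?  Added example; not code from anyone in the thread.
Signaling transport comes from the topmost Via header (SIP/2.0/TLS vs UDP
or TCP); the media profile comes from the SDP audio m= line (RTP/SAVP or
RTP/SAVPF means SRTP, RTP/AVP means plaintext RTP).
"""
from dataclasses import dataclass

# Compact header names SIP allows (RFC 3261 section 7.3.3) mapped to full names.
COMPACT_HEADERS = {"v": "via", "i": "call-id", "c": "content-type"}
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}


@dataclass
class CallSecurity:
    call_id: str
    signaling_transport: str  # "TLS", "UDP", "TCP", "WSS", ... or "UNKNOWN"
    media_profile: str        # SDP profile of the audio stream, "" if no audio offered

    @property
    def signaling_encrypted(self) -> bool:
        return self.signaling_transport in {"TLS", "WSS"}

    @property
    def media_encrypted(self) -> bool:
        return self.media_profile in SRTP_PROFILES

    @property
    def fully_encrypted(self) -> bool:
        return self.signaling_encrypted and self.media_encrypted


def parse_sip_message(raw: str) -> CallSecurity:
    """Extract transport and media profile from one SIP request carrying SDP."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        # setdefault keeps the first (topmost) Via, which is the hop we are on
        headers.setdefault(COMPACT_HEADERS.get(name, name), value.strip())
    # Via value looks like "SIP/2.0/TLS host:port;branch=..."; last token is the transport
    via = headers.get("via", "")
    transport = via.split()[0].split("/")[-1].upper() if via else "UNKNOWN"
    # SDP media line: "m=audio <port> <profile> <payload types...>"
    profile = ""
    for line in body.split("\n"):
        if line.startswith("m=audio "):
            fields = line.split()
            profile = fields[2] if len(fields) >= 3 else ""
            break
    return CallSecurity(headers.get("call-id", ""), transport, profile)


def unencrypted_calls(raw_messages):
    """Return (call_id, reason) for every message not encrypted on both layers."""
    findings = []
    for raw in raw_messages:
        cs = parse_sip_message(raw)
        reasons = []
        if not cs.signaling_encrypted:
            reasons.append(f"signaling over {cs.signaling_transport}")
        if not cs.media_encrypted:
            reasons.append(f"media offered as {cs.media_profile or 'no audio'}")
        if reasons:
            findings.append((cs.call_id, "; ".join(reasons)))
    return findings


def _msg(*lines: str) -> str:
    """Join lines with CRLF as SIP requires; the empty element separates headers from SDP."""
    return "\r\n".join(lines) + "\r\n"


# Constructed sample INVITEs (documentation-range addresses, made-up Call-IDs).
SAMPLE_MESSAGES = [
    # On-net call: TLS signaling and SRTP media.
    _msg("INVITE sip:bob@example.test SIP/2.0",
         "Via: SIP/2.0/TLS 203.0.113.10:5061;branch=z9hG4bKa1",
         "Call-ID: call-1@example.test",
         "Content-Type: application/sdp",
         "",
         "v=0",
         "m=audio 49170 RTP/SAVP 0 8"),
    # Legacy endpoint: everything in the clear, using compact header names.
    _msg("INVITE sip:bob@example.test SIP/2.0",
         "v: SIP/2.0/UDP 203.0.113.20:5060;branch=z9hG4bKa2",
         "i: call-2@example.test",
         "c: application/sdp",
         "",
         "v=0",
         "m=audio 49172 RTP/AVP 0 8"),
    # The easy mistake: signaling is under TLS but the voice itself is plain RTP.
    _msg("INVITE sip:bob@example.test SIP/2.0",
         "Via: SIP/2.0/TLS 203.0.113.30:5061;branch=z9hG4bKa3",
         "Call-ID: call-3@example.test",
         "Content-Type: application/sdp",
         "",
         "v=0",
         "m=audio 49174 RTP/AVP 0 8"),
]

if __name__ == "__main__":
    for call_id, reason in unencrypted_calls(SAMPLE_MESSAGES):
        print(f"{call_id}: {reason}")
```

The third sample is the case worth watching for: a phone registered over TLS looks "encrypted" in a registration report, yet its audio is plaintext, and with SDES (a=crypto in the SDP) the SRTP keys travel inside the signaling, so TLS on signaling and SRTP on media are only meaningful together. One caveat for anyone applying this to real captures: ZRTP, mentioned earlier in the thread, negotiates its keys in the media path and starts from an RTP/AVP offer, so this check would flag a ZRTP call as plaintext media; detecting that needs inspection of the RTP stream itself rather than the SDP.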