The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. The legislation was originally designed to make it easier for workers to retain health insurance coverage when they change or lose their jobs. The legislation also sought to drive the adoption of electronic health records to improve the efficiency and quality of the American healthcare system through improved information sharing.
Along with increasing the use of electronic medical records, the law included provisions to protect the security and privacy of Protected Health Information (PHI). PHI includes a very wide set of personally identifiable health and health-related data, from insurance and billing information to diagnosis data, clinical care data, and lab results such as images and test results. The rules apply to “Covered Entities”, which include hospitals, medical service providers, employer-sponsored health plans, research facilities and insurance companies that deal directly with patients and patient data. The law and regulations also extend the requirement to protect PHI to “Business Associates”.
Rule of Conduit Exception
In many cases, IVR Lab does not store customer PHI or Health Information, so in such cases HIPAA rules do not apply. However, as many of our services involve some kind of data transfer either via an IVR or Chatbot, we may be exempt under the rule of conduit.
HHS states that “data transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates. This is consistent with our prior interpretation of the definition of ‘business associate,’ through which we have stated that entities that act as mere conduits for the transport of protected health information but do not access the information other than on a random or infrequent basis are not business associates.” (See Final Rule, pg. 5571, emphasis added). HHS further confirmed this in its “Guidance on HIPAA and Cloud Computing” which states “The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI that do not involve any storage of the information other than on a temporary basis incident to the transmission service.”
Business Associate Agreement
Under HIPAA, a “business associate” is a person or entity who performs functions or activities on behalf of, or provides certain services to, a covered entity and isn’t employed by the covered entity. A “business associate” also includes a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate – under the HIPAA regulations, cloud service providers like IVR Lab are considered business associates. The HIPAA Rules generally require that covered entities and business associates enter into contracts to ensure that the business associates will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. While generally not required, IVR Lab will, where applicable, execute a Business Associate Agreement with the customer.
Is IVR Lab HIPAA-Certified?
There is no HIPAA certification for a cloud service provider such as IVR Lab. In order to meet the HIPAA requirements applicable to our operating model, IVR Lab has signed an agreement with our primary cloud company, AWS, which aligns their HIPAA risk management program with FedRAMP and NIST 800-53, a higher security standard that maps to the HIPAA security rule.
We take all our customers’ compliance needs seriously, and we continue to improve our own processes to help you with your implementation projects.