As a unified communications provider, Dialpad knows all about the list of requirements a business phone system needs to offer. Reliability, features, cost—and in the healthcare industry, there’s one that jumps to the top of the list: HIPAA compliance.
Data breaches or other HIPAA violations could result in hefty penalties and damaged reputations, not to mention the loss of your patients’ trust.
So is Dialpad HIPAA-compliant? The short answer is yes. Buuut there are some measures you need to take to make sure it’s set up correctly for use by healthcare providers.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) has been the defining privacy law for American healthcare providers since 1996, and it’s just as relevant today as it was back then. The purpose of HIPAA, together with its 2009 update, the Health Information Technology for Economic and Clinical Health Act (HITECH), is to protect patients’ personal health information (PHI, or ePHI when it is held electronically) from data breaches and unauthorized access.
A phone system is an integral part of healthcare operations, but choosing the right provider is crucial to stay HIPAA compliant.
What makes a phone system HIPAA-compliant?
Healthcare providers and their vendors need VoIP that follows HIPAA guidelines because calls, voicemails, and recordings can contain PHI, and once that data is stored or transmitted electronically it is ePHI.
The Privacy and Security Rules
A phone system that’s “HIPAA compliant” is one that meets the requirements HIPAA lays out for safeguarding patient data, found in the aptly named Privacy Rule and Security Rule, and protects any ePHI that may pass through the business phone system. For a deeper dive into the rules and the types of data involved, see Dialpad’s explainer on HIPAA-compliant VoIP: What it is and how to find the right one.
The Business Associate Agreement
Before anything else, for Dialpad to be HIPAA compliant, we need to sign a Business Associate Agreement (BAA) together, as HIPAA regulations require. A BAA is a written contract between Dialpad and the Covered Entity (like a hospital or clinic) or another Business Associate (like an insurer, IT contractor, or billing consultant).
This contract means we take responsibility for the compliance of our platform, and it is required by law for HIPAA compliance. A BAA has 10 provisions that need to be covered, such as defining what PHI the business associate uses, requiring appropriate security measures, and requiring the business associate to delete all PHI at the end of the contract. Because it’s a standard contract, a BAA is easy to review against the HHS template, and that review is worth doing.
All healthcare providers must be HIPAA-compliant. It’s their responsibility to protect all medical records and health-related information, so it’s incredibly important for healthcare providers to also use HIPAA-compliant communications solutions that ensure ePHI is stored and transmitted securely.
What falls under personal health information according to HIPAA?
PHI can take many forms and be found in all types of communications, from voicemails to video consultations. To be HIPAA compliant, Dialpad needs to collect and protect this information regardless of communication type.
PHI includes individually identifiable health information that is transmitted or maintained in any form (electronic, verbal, or physical) by a Covered Entity or its Business Associate. Some examples of PHI are:
A patient's name, address, date of birth, and SSN
A patient’s physical or mental health condition
Details of care provided to a patient
Payment information
The goal of HIPAA is to ensure PHI is properly protected, while still allowing the information to be used to promote a high-quality healthcare experience.
How does Dialpad stay HIPAA-compliant?
Here’s how Dialpad keeps communications HIPAA compliant, as well as uses the power of the cloud to keep your data managed, protected, and private.
Rigorous security risk assessment: Dialpad is SOC 2 Type 2 certified, is audited annually, and undergoes regular penetration testing. It has also completed the Cloud Security Alliance’s Consensus Assessment Initiative Questionnaire (CAIQ), which addresses the controls listed in the HIPAA Security and Privacy Rules and meets the needs of the HIPAA Security Risk Assessment.
BAA: Dialpad provides contractual assurance to implement HIPAA safeguards protecting ePHI. This also ensures that any subcontractors partnered with Dialpad will also follow these safeguards.
Identity and access management: Single sign-on (SSO) and automated user provisioning through providers like Azure, GSuite, OneLogin, and Okta mean that the right people on your team always have access to the right data. No less, no more. If you’re using passwords, authentication is carried over HTTPS and is secured under the admin’s choice of OAuth 2.0, SAML 2.0, or an email and password combination (the password itself is never stored in the clear; only a salted, one-way cryptographic hash of it is kept).
Google Cloud Platform: Dialpad websites, web apps, smartphone back-end, and customer-sensitive data are processed and stored using the trusted and reliable Google Cloud Platform.
Failovers and backups: Automatic backups are built into our system. Every aspect of our system has been designed with redundancy in mind so that in the event of a failure, there’s always an alternative to take its place immediately.
24/7 emergency response: Dialpad’s team is available 24/7/365 and employs a “follow the sun” support model so that no matter where you are, Dialpad is available when you need us.
Proactive logs and monitoring: We monitor log access to sensitive information and systems and have event monitoring in place, complete with staff who are trained to proactively identify unusual activity.
Customizable retention policies: From call recording to cutting-edge speech recognition and real-time analytics, use Dialpad’s full range of tools with confidence, knowing that you can keep the data you need for as long as you need it (and no longer). Dialpad’s BAA includes a suggested 30-day retention policy to reduce your exposure, and this period can be extended if we both agree on it.
Learn more about healthcare contact center best practices, with examples from real-world practices.
Need a communications platform that'll help you stay HIPAA-compliant?
Book a product tour to see how healthcare providers like Fenway Health and Firefly Health are using Dialpad to work from anywhere while providing an excellent patient experience!