With HIPAA increasingly in the limelight, we wanted to share where Sinch sits when it comes to developing new applications and HIPAA compliance requirements.
The Health Insurance Portability and Accountability Act, or HIPAA as it’s more commonly known, and its accompanying regulations were created to establish a national standard governing the handling of Protected Health Information (“PHI”).
PHI includes the following types of data:
If you’d like more information on how PHI is defined, take a look at the HIPAA website.
HIPAA applies to any healthcare provider (covered entity) and their suppliers and vendors (business associates) based in the USA who “transmit, maintain, access or store” PHI for people who live in the USA.
In short, if you are working in an industry that handles medical information, you need to be HIPAA compliant.
HIPAA has many rules, put together to help healthcare providers and organizations comply and safeguard PHI.
The most important things to remember under HIPAA rules are:
The use of Text, Voice or Video to communicate with patients is not explicitly prohibited under HIPAA. The US Department of Health and Human Services (HHS) describes the situations in which healthcare providers can use these methods to communicate with patients here. It’s important to note that even in the scenarios listed below, healthcare providers should still use reasonable safeguards to verify identity before discussing or disclosing PHI. If you do not wish to send PHI and are looking for ways to avoid doing so, please read the sections below.
The healthcare provider can assume that the patient is comfortable communicating in this way, so it’s OK to reply by Text, Voice or Video.
If the healthcare provider is concerned that the patient may not be aware of the risks associated with communicating on these channels, then they should discuss their concerns with the patient before going ahead, making them aware of any risks.
Communicating via Text, Video or Voice is then OK. If a patient explicitly consents to using Text, and still ‘prefers’ it after being warned of the risks, they should be made aware that:
Third parties may be able to intercept Texts, Voice and Video and read or listen to them.
Similar to scenario 1, if a patient asks to receive appointment reminders by Text, Voice or Video then the provider should go ahead.
HIPAA rules apply to “covered entities” and their “business associates.” A “covered entity” is a health plan, a clearinghouse, or a health care provider; a “business associate” is someone engaged by a covered entity to help carry out health care activities and functions that involve PHI. Both covered entities and business associates need to comply with HIPAA privacy rules.
Sinch is neither a covered entity nor a business associate, so our services and networks do not comply with HIPAA rules.
However, there is an exception called the “conduit” exception, recognized by the HHS, which applies to companies transmitting PHI: a Business Associate Agreement (BAA) is not necessary for “a person or organization that acts merely as a conduit for protected health information, for example the US Postal Service, certain private couriers, and their electronic equivalents.”
The HHS goes on to clarify this exception, stating that “entities that act as mere conduits for the transport of PHI, but do not access the information other than on a random or infrequent basis are not seen as business associates.” We believe that Sinch falls under the “conduit” exception.
If you are either a covered entity or a business associate, we strongly encourage you to consult with legal counsel to ensure your use of our network complies with any HIPAA obligations you may have. If you are uncertain, you should avoid transmitting PHI directly over our networks in a way that could be accessed by someone other than the patient or their healthcare provider.
Some techniques that our clients have used are as follows:
For more information on HIPAA privacy rules, we encourage you to visit the Department of Health and Human Services websites using the following links:
Please note that this information is provided solely as a courtesy, and constitutes a high-level summary of HIPAA, which is a complex statutory framework with numerous regulations enacted pursuant to that framework. This information is not legal advice and Sinch does not provide legal advice, or offer to interpret applicable law on behalf of its customers. Sinch strongly encourages you to seek the advice and consultation of a licensed attorney who specializes in HIPAA in order to ensure that your use of the Sinch services is in compliance with HIPAA and other applicable law.