Juridique

HIPAA Compliance & Sinch

With HIPAA increasingly in the limelight, we wanted to share where Sinch sits when it comes to developing new applications and HIPAA compliance requirements.

What is HIPAA?

The Health Insurance Portability and Accountability Act, or HIPAA as it’s more commonly known, and its accompanying regulations have been created to establish a national standard to govern the handling of Protected Health Information (“PHI”).

PHI includes the following types of data:

  • an individual’s past, present, or future physical or mental health or condition
  • information regarding an individual’s treatment
  • payment arrangements for an individual’s health care

If you’d like more information on how PHI is defined, take a look at the HIPAA website.

Which organizations does HIPAA cover?

HIPAA applies to any healthcare provider (covered entity) and their suppliers and vendors (business associates) based in the USA who “transmit, maintain, access or store” PHI for people who live in the USA.

In short, if you are working in an industry that handles medical information, you need to be HIPAA compliant.

What requirements are imposed on Healthcare Providers when communicating PHI information?

HIPAA has many rules, put together to help healthcare providers and organizations comply and safeguard PHI.

The most important things to remember under HIPAA rules are:

  • Ensure Privacy. Only share patient information with the patient, with third parties also dealing with the patient, when the patient has explicitly consented to the disclosure of their information, or when it is in the public interest to share information
  • Ensure Security. Ensure integrity, confidentiality, and security of PHI records by implementing physical, technical and administrative safeguards, i.e. only communicate PHI via encrypted and secure channels
  • Notify patients in the event of a data breach. All those related to the HIPAA covered entity are also responsible for providing breach notification

Does this mean I can’t send PHI information via text, voice or video?

The use of Text, Voice or Video to communicate with patients is not explicitly prohibited under HIPAA. The US Department of Health and Human Services (HHS) describes the situations in which healthcare providers can use these methods to communicate with patients here. It’s important to note that even in the scenarios listed below, healthcare providers should still use reasonable safeguards to verify identity before discussing or disclosing PHI. If you do not wish to send PHI and are looking for ideas on how to do that, please read the sections below.

Scenario 1: The Patient Starts the Conversation over Text, Voice or Video

The healthcare provider can assume that the patient is comfortable communicating in this way, so it’s OK to reply by Text, Voice or Video.

If the healthcare provider is concerned that the patient may not be aware of the risks associated with communicating on these channels, then they should discuss their concerns with the patient before going ahead, making them aware of any risks.

Scenario 2: The Patient Gives Formal Consent Before any Text, Video or Voice Conversations Take Place

Communicating via Text, Video or Voice is then OK. If a patient explicitly consents to, and still ‘prefers’ to use Text to communicate after being warned of the risks, they should be made aware that:

Third parties may be able to intercept Texts, Voice and Video and read / listen to them.

Scenario 3: The Patient Asks the Healthcare Provider to Communicate by Text, Voice or Video

Similar to scenario 1, if a patient asks to receive appointment reminders by Text, Voice or Video then the provider should go ahead.

Is Sinch HIPAA compliant?

HIPAA rules apply to “covered entities” and their “business associates.” A “covered entity” is a health plan, a clearinghouse, or a health care provider; a “business associate” is someone engaged by a covered entity to help carry out health care activities and functions that involve PHI. Both covered entities and business associates need to comply with HIPAA privacy rules.

Sinch is neither a covered entity nor a business associate, so our services and networks do not comply with HIPAA rules.

However, there is an exception called the “conduit” exception, promoted by the HHS which applies to companies transmitting PHI, stating that a Business Associate Agreement (BAA) is not necessary when “a person or organization that acts merely as a conduit for protected health information, for example the US Postal Service, certain private couriers, and their electronic equivalents.”

The HHS goes on to clarify this exception, stating that “entities that act as mere conduits for the transport of PHI, but do not access the information other than on a random or infrequent basis are not seen as business associates.” We believe that Sinch falls under the “conduit” exception.

If you are either a covered entity or a business associate, we strongly encourage you to consult with legal counsel to ensure your use of our network complies with any HIPAA obligations you may have. If you are uncertain, you should avoid transmitting PHI directly over our networks in a way that could be accessed by someone other than the patient or their healthcare provider.

How can I design my applications to use the Sinch platform while maintaining HIPAA compliance?

Some techniques that our clients have used are as follows:

  • Send a unique link (URL) to a page within a Text message pointing to the PHI data you wish to share. The page linked to should be encrypted and ideally behind a secure portal that requires user authentication before access is allowed
  • Send generic reminders or communications that do not reveal any PHI information, e.g., “It’s flu season— have you gotten your flu shot?”
  • Request the patient contact a call-center from a fixed line to enable verification of  identity before going ahead
  • Enable two-factor authentication on your portal, to allow a text message to be sent, or a phone call to be made containing a unique code that the patient can use to  access their PHI
  • Ensure that your application never transmits PHI over unencrypted channels including Voice, Video or Text

Additional Information

For more information on HIPAA privacy rules, we encourage you to visit the Department of Health and Human Services websites using the following links:

https://www.hhs.gov/hipaa/for-professionals/privacy
https://www.hhs.gov/sites/default/files/privacysummary.pdf

Please note that this information is provided solely as a courtesy, and constitutes a high-level summary of HIPAA, which is a complex statutory framework with numerous regulations enacted pursuant to that framework. This information is not legal advice and Sinch does not provide legal advice, or offer to interpret applicable law on behalf of its customers. Sinch strongly encourages you to seek the advice and consultation of a licensed attorney who specializes in HIPAA in order to ensure that your use of the Sinch services is in compliance with HIPAA and other applicable law.