HIPAA Guidelines
This document provides a brief overview of celito's celitoVoice Unified Communications product and of celito's understanding of how the HIPAA guidelines apply to Unified Communications systems.
Is celito HIPAA Certified?
As there is no official HIPAA certification process for telephony solutions, no vendor can truthfully claim that its solution (premises-based or hosted) is HIPAA certified. What a vendor can state is that, based on its understanding of the HIPAA regulations, its solution is in line with the regulation under a specific set of configuration guidelines. celito recommends that you consult a security consultant to ensure your network, including any celitoVoice components, is HIPAA compliant.
celitoVoice is a Unified Communications solution that supports many advanced features. A number of these features, if enabled, could conflict with HIPAA requirements for the protection of patient information. It is therefore critical that customers understand the HIPAA guidelines and do not configure celitoVoice inappropriately.
Security and Controlled Access
The majority of the information in this document is based on celito's interpretation of the HIPAA regulations on security and controlled access, specifically 45 CFR § 164.530(c) of the Privacy Rule, which states:
(c)(1) Standard: safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.
(2) Implementation specification: safeguards. (i) A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.
(ii) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.
When properly configured, celitoVoice has safeguards in place to limit access to:
- The administrative interface
- The user interface
- Device connectivity
- External IP Connectivity
Although these security measures are available, it is up to the network administrator to ensure they are properly implemented and used. celito will alert users and administrators to some security risks, such as weak passwords, but it does not block them; a warning that is ignored leaves the weakness in place.
Calls
The HIPAA Security Standards Final Rule (68 Fed. Reg. 8334, February 20, 2003) states:
"…because "paper-to-paper" faxes, person-to-person telephone calls, video teleconferencing, or messages left on voice-mail were not in electronic form before the transmission, those activities are not covered by this rule." (page 8342)
Based on this language, a person-to-person telephone call placed through celitoVoice falls outside the scope of the Security Rule in the same way a conventional telephone call does; the Privacy Rule's reasonable-safeguards requirement quoted above still applies to what is said on the call. VoIP is sometimes described as more exposed to interception than traditional telephony, but an analog PSTN line can be tapped by anyone with physical access to the wire pair, whereas intercepting a VoIP call requires access to the network path the call traverses. The practical risk on either technology depends on who can reach that path.
celito recommends that health care providers always consider who may be listening when the telephone is the means of communication.
Voicemail
While HIPAA does not explicitly state that voicemail cannot be used, it does provide guidelines for what should be left on answering machines.
Those guidelines call for leaving minimal information. For example, the location, time, and date of an appointment are acceptable, but details of medical conditions or a specific diagnosis are not. Note that inbound voicemails may arrive from labs, other providers, patients, and others, and you have no control over what information they leave. Because celitoVoice, when properly configured, restricts access to stored voicemail to authenticated mailbox owners and administrators, that information is protected and its storage is considered compliant.
Call Recording
HIPAA does not provide clear guidance on call recordings within Unified Communications systems. Because recordings are stored in electronic form, any patient information they contain must be protected against unauthorized access; celitoVoice's integrated security features restrict access to stored recordings to authenticated users.
celito recommends not using this feature, which eliminates the gray area. Call recording is disabled by default, so no action is necessary unless it has been enabled. Consult a HIPAA-knowledgeable security expert for guidance if call recording is an important or required element of your installation.
Fax
celito offers multiple fax options: physical only, physical and virtual, or virtual only. Within those options celito uses different carriers depending on the client's needs. Contact your account executive if you need help determining which service you are using.
Physical Only - Faxsipit-based
This service uses a blue AudioCodes MP202 ATA plugged into your fax machine. An outbound fax travels unencrypted only between your fax machine and the ATA. The ATA encrypts it with HTTPS and sends it to a fax server hosted by Faxsipit, which is private, secure, and HIPAA-compliant. The Faxsipit server then delivers it to the destination over T.38 (fax over IP); T.38 itself adds no encryption, so that leg carries the fax the same way a conventional fax call does. Inbound faxes follow the same path in reverse. This arrangement maintains HIPAA compliance. Faxes are also stored on Faxsipit's portal for 14 days and are accessible only with your username and password. Use of the portal can be opted out of if it does not meet your requirements; this is typically done when using physical only.
Physical Only - celito-based
This service uses a dark grey Cisco SPA122 ATA plugged into your fax machine. This is the closest option to traditional faxing available over VoIP: the fax is transmitted live between your fax machine and the remote fax machine, with no fax server in the middle. This option does not provide a portal where faxes are stored and automatically resent on failure, so the completion rate can be slightly lower than with the Faxsipit-based service.
Virtual Only
All virtual faxing is done via Faxsipit's portal. The portal stores faxes for 14 days, and access is protected by your username and password. Virtual faxing can also deliver faxes by email, but that likely does not meet your HIPAA obligations because the emails are not encrypted. If you use email delivery, you must ensure compliance within your own network and mail environment, which falls outside celito's control.
Physical and Virtual
Physical and virtual setups use a combination of Faxsipit's physical service and virtual service. See the relevant sections above for details.
Conclusion
The intent of this document is to explain how celito interprets the HIPAA Security standard, how it applies to celitoVoice implementations, and how to configure celitoVoice so that it is in line with HIPAA guidelines. As stated previously, no standards body performs HIPAA-based testing and certification of Unified Communications systems, so neither celito nor any other UC vendor can state that its product is HIPAA certified.
This brief overview of celitoVoice and HIPAA compliance is not intended to be an all-encompassing celitoVoice configuration guide or a commitment by celito that celitoVoice is HIPAA compliant. celito takes security and compliance seriously and recommends that you consult a security consultant to ensure your network, including celito components, is HIPAA compliant.