Business phone service and HIPAA.Could your business be sued or fined for using a business phone service, fax system or call center system that doesn’t meet new HIPAA security and privacy regulations? It’s possible, because today, even businesses that never had HIPAA issues before are finding themselves subject to new rules. Worse yet, many of those who are now violating the law, don’t even realize it. Even less well known is the fact that businesses could face compliance problems due to other businesses’ compliance problems—and those of business phone service providers.

How did this happen?

New regulations governing the protection of patient health information went into effect on September 23, 2013. These changes strengthen the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and their regulations.

The HIPAA and HITECH regulations protect the privacy and security of health information. Any company that processes, stores or transmits “protected health information” (PHI) directly or indirectly on behalf of a HIPAA-covered entity will now fall under these newly expanded, more rigorous regulations.

What does HIPAA/HITECH mean for businesses?

One of the things that has changed is who is affected by HIPAA. Before, the firms most affected were involved in the medical field. Some provided medical services—hospitals, doctor’s offices, and dentists, for example. Also, businesses involved in paying and processing insurance claims also fell under the law.

But now, the list of companies that are affected “expand many of the requirements to business associates that receive protected health information, such as contractors and subcontractors,” according to the Department of Health and Human Services. “Business associates” now include businesses that “create, receive, maintain or transmit health information for other businesses covered by HIPAA, the HITECH Act and their regulations.”

That includes telecom providers storing PHI in voice mails or recorded calls, as well as thousands of businesses offering general IT and other services that thought they didn’t have medical privacy or security issues. And your own compliance depends on making sure your vendors comply too if your vendors fall into the business associate category.

What to ask your communications services providers

Since fines can be steep—up to $1.5 million per year for egregious violators, more for multiple violations—lots of folks are wondering what they need to do to comply, and make sure that their “business associates” comply Here are some questions to ask representatives at the firms that provide your business phone service, fax services, and call centers.

  1. Are you a HIPAA-compliant business associate? Many companies aren’t, and doing business with them could jeopardize your compliance if you use their services.
  2. What has your company done to ensure compliance? For telecommunications providers, compliance is an extensive, ongoing process. Not only must they make sure their company complies, but they need to verify that their own chain of business associate subcontractors is compliant.
  3. Has your HIPAA compliance been assessed by independent experts? It’s important to get actual third-party verification, so that you don’t jeopardize your own company’s compliance. Salespeople are often confused about the new rules themselves, and could mislead you, so ask for independent confirmation. Also, an independent assessment of compliance will likely have more credibility with regulators than an internal assessment.
  4. Can your communications provider [business phone service, fax service, call center, web conferencing provider, etc.] provide my business with a HIPAA Business Associate Agreement? “If you use a cloud-based service, it should be your business associate,” says David Holtzman of the U.S. Health and Human Services Department’s Office for Civil Rights, Privacy Division. If a provider offers a business associate agreement, it is willing to stand behind its compliance and say in writing that it has the proper privacy and security controls in place. If your business is going to use a vendor that stores PHI on your behalf, you must have a business associate agreement in place. Holtzman adds, “If they refuse to sign, don’t use the service.” Get it in writing, in other words.
  5. Can the services that you provide my business be configured to be HIPAA-compliant? Some providers—notably RingCentral—warn customers that they should not use its services to store HIPAA protected health information. These providers do not even try to achieve HIPAA –compliance or help customers comply. But with a little digging—and these questions—you can find out.
  6. Can you recommend particular configurations of our system to help us comply? Providers that make compliance a priority can often supply you with expertise or suggestions to help you comply, and they’re more likely to have a compliance officer who can explain how their services are set up to facilitate compliance.
  7. Can your firm provide encryption for both “data in motion,” and “data at rest”? When information is being transmitted, such as via voice communications, it’s subject to encryption requirements for data in motion. When it’s being stored, such as in voicemail, faxes and voicemails, it should also be encrypted for protection. Many service providers cannot offer both forms of encryption, but some can.

Many businesses that are too small for a full time compliance officer or department are understandably intimidated by HIPAA compliance issues. But a few communications providers are increasingly shouldering more of the burden of compliance, so picking the right communications provider is critical. Once you pick the right provider, it’s important to work with them to ensure that your solution is specifically configured to be HIPAA compliant.

One company using a HIPAA-compliant solution is ICANotes, provider of a web-based electronic healthcare records solution for psychiatrists and other behavioral health professionals. The company chose business VoIP provider 8×8 for its business phone service and communications solutions, in part because of the priority that the company places on HIPAA compliance.

“We rely on 8×8′s communications services to help us run our business efficiently and securely,” said Jamie Morganstern, Operations Director at ICANotes. “With 8×8, we have safeguards in place to pledge the confidentiality and integrity of the health information of our customers.”

Your business can achieve HIPAA compliance, too. Asking the right questions is a good first step.

See Ring Central, Inc.’s registration statement filed with the Securities and Exchange Commission, at page 28.