HIPAA compliance
Genesys Cloud is committed to respecting the privacy of your and your customer’s information, including electronic protected health information (ePHI). As part of this commitment, many Genesys Cloud services are compliant with the Health Insurance Portability and Accountability Act (HIPAA), specifically meeting the administrative, physical, and technical safeguards required by law. Ask a sales representative about specific compliance matters including Business Associate Agreements (BAAs) and third-party compliance verification.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law that was originally passed in 1996 and includes subsequent additions passed in the years since. Because HIPAA is a U.S. Federal Law, it only governs transactions or entities within the United States and is not an international law or standard.
HIPAA was designed to regulate both health insurance plans (Title I) and the privacy and security of health information (Title II), among other things. The Privacy Rule in Title II regulates the use and disclosure of protected health information (PHI). The Security Rule in Title II complements the Privacy Rule and lays out administrative, physical, and technical safeguards required for HIPAA compliance.
What is a business associate and a BAA?
Covered entities, which include health care providers, health plan providers, and health care clearinghouses, may engage Genesys Cloud in the role of a business associate to help carry out their health care activities and functions. Business associates include entities that perform functions or activities on behalf of, or provide certain services to covered entities, such as creating, receiving, maintaining, and/or transmitting protected health information.
Generally, covered entities using the services of a business associate must have a written BAA with each business associate. A BAA should ensure that business associates will appropriately safeguard protected health information and should also clarify and limit the permissible uses and disclosures of protected health information by the business associate.
Is Genesys Cloud HIPAA-certified?
There is no HIPAA certification for a cloud services provider such as Genesys Cloud. However, Genesys Cloud has undergone an independent audit which verified our administrative, physical, and technical controls.
As a potential business associate to covered entities, Genesys Cloud is required to implement the administrative, physical, and technical controls required for HIPAA compliance. For details about these controls, the Genesys Cloud security program, network security and more, see Security and compliance.
Is Genesys Cloud HIPAA-compliant?
Genesys Cloud features are HIPAA-compliant with the following exceptions:
- ACD emails
- SMS messages
What about AppFoundry applications, third party integrations, and bring your own technology service providers?
Genesys Cloud cannot guarantee that third party providers are HIPAA compliant. While the Genesys Cloud BAA does not exclude communications to and from any third party providers, our BAA does not extend beyond Genesys Cloud.
Generally, if you are using a third party technology to communicate protected health information to or from Genesys Cloud, you must have a BAA with both Genesys Cloud and the third party technology provider. For example, if you use a third party messaging platform with a third party channel such as Facebook, Twitter, or WhatsApp, you should have both a BAA with Genesys and a BAA with the third party messaging platform. Similarly, if you use an application from the AppFoundry such as Google Dialogflow or Amazon Lex to communicate ePHI to or from Genesys Cloud, you should have a BAA with both Genesys and the third party, Google Dialogflow, or Amazon Lex.
Where does Genesys Cloud support HIPAA compliance?
HIPAA compliance is available in the Amazon Web Services (AWS) US East and US West regions.
Does Genesys Cloud have a business associate agreement with Amazon Web Services (AWS)?
Yes. The BAA between Genesys Cloud and AWS covers information that Genesys Cloud stores in AWS. This agreement helps ensure that your customer data is fully protected.
What is different in Genesys Cloud with HIPAA compliance enabled?
Genesys Cloud provides HIPAA-compliant organizations a similar user interface and user experience as non-HIPAA compliant organizations. However, some Genesys Cloud features work differently for HIPAA-compliant organizations.
When HIPAA compliance is enabled for your organization, Genesys Cloud will enforce an idle timeout of 15 minutes. This idle timeout is also applicable to OAuth clients. However, this idle timeout is reset any time an application such as the Genesys Cloud user interface makes a request on behalf of the user, for example, fetching data to keep the application up to date or saving application logs. Any request resets the idle timeout. Accordingly, HIPAA-compliant organizations must enforce an inactivity timeout on user workstations to meet organizational policy. To customize an organization’s idle timeout, see Set an automatic inactivity timeout.
- Genesys Cloud provides the same high level of security to all organizations. HIPAA-compliant organizations and non-HIPAA compliant organizations are equally secure.
- SMS messages are not HIPAA-compliant and should not be used to transmit ePHI.
- Allow PII in email notifications and Voicemail Transcription options are unavailable with HIPAA toggled on.
How do I sign up for Genesys Cloud with HIPAA compliance?
All HIPAA Genesys Cloud organizations require a valid business associate agreement with Genesys Cloud. When a business associate agreement is signed by all parties, Genesys Cloud will set a HIPAA toggle for your organization.
If you are an administrator, you can check the status your organization’s HIPAA compliance by reviewing the HIPAA setting toggle on the Manage Organization page:Settings tab.
How do I set up a business associate agreement with Genesys Cloud?
To receive a BAA from Genesys Cloud, contact dataprivacy@genesys.com. If you have a BAA and need to enable HIPAA, contact Genesys Cloud Customer Care.
Can I enable HIPAA compliance on an existing Genesys Cloud organization?
If you are an administrator, you can check the status your organization’s HIPAA compliance by reviewing the HIPAA setting toggle on the Manage Organization page:Settings tab. If you need to enable HIPAA compliance, contact us.
Can I use non-compliant services with HIPAA compliance enabled?
Yes. However, using non-HIPAA compliant services to transmit electronic protected health information is not covered by the Genesys Cloud BAA and may be a violation of HIPAA regulations. For more information, contact us.
Do I have any responsibilities for using Genesys Cloud in a HIPAA-compliant manner?
Genesys Cloud customers:
- Should use Full Disk Encryption.
- Must have a written BAA with any third party providers that customers will use for transmitting protected health information with Genesys Cloud.
- Must enforce an inactivity timeout on user workstations to meet organizational policy.
The Genesys Cloud API does have a HIPAA idle timeout. But applications, including the Genesys Cloud user interface, can make requests on behalf of the user while the user is idle. These requests include fetching data to keep the application up to date or saving application logs. A request resets the HIPAA API timeout.
When Using the Genesys Cloud web or desktop applications, if the user is idle longer than the API timeout, the user will see the following message prompting them to re-authenticate.
Genesys Cloud may store a Session Token in local storage on client devices so that Genesys Cloud sessions can survive browsers that are frequently closed and reopened.
For more information, contact us.
More information about the inactivity timeout
HIPAA regulations regarding technical safeguards (45 CFR 164.312) state that a covered entity or business must, in accordance with 164.306, implement technical policies and procedures for electronic information systems (that maintain ePHI) that, among other things, allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4). The implementation specifications state, in 164.312(a)(2)(iii), “Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.” Neither statute, regulation, nor the HHS have established a specific time measurement for the ‘predetermined time of inactivity’ or what constitutes ‘inactivity’. Genesys Cloud determines inactivity during an electronic session based on, among other things, the amount of time between certain API calls, as the user interfaces within the system rely on API calls to receive and transmit data. As such, those API calls generally reflect agent activity or, in this context, inactivity with the user interface. Genesys Cloud currently utilizes a default timeout period of 15 minutes as a reasonable ‘predetermined time of inactivity’ between those API calls to terminate an electronic session, that is, log off the agent, to protect ePHI in our system from unauthorized access. The timeout period is configurable by a customer to a minimum of 5 minutes.