HIPAA compliance

PureCloud is committed to respecting the privacy of your and your customers’ information, including electronic protected health information (ePHI). As part of this commitment, many PureCloud services are compliant with the Health Insurance Portability and Accountability Act (HIPAA), specifically meeting the administrative, physical, and technical safeguards required by law. Ask a sales representative about specific compliance matters, including business associate agreements (BAAs) and third-party compliance verification.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law that was originally passed in 1996 and includes subsequent additions passed in the years since. Because HIPAA is a U.S. federal law, it only governs transactions or entities within the United States and is not an international law or standard.

HIPAA was designed to regulate both health insurance plans (Title I) and the privacy and security of health information (Title II), among other things. The Privacy Rule in Title II regulates the use and disclosure of protected health information (PHI). The Security Rule in Title II complements the Privacy Rule and lays out administrative, physical, and technical safeguards required for HIPAA compliance.

What is a business associate and a BAA?

Covered entities, which include health care providers, health plan providers, and health care clearinghouses, may engage PureCloud in the role of a business associate to help carry out their health care activities and functions. Business associates include entities that perform functions or activities on behalf of, or provide certain services to, covered entities, such as creating, receiving, maintaining, and/or transmitting protected health information.

Generally, covered entities using the services of a business associate must have a written business associate agreement (BAA) with each business associate. A BAA should ensure that business associates will appropriately safeguard protected health information and should also clarify and limit the permissible uses and disclosures of protected health information by the business associate.

Is PureCloud HIPAA-certified?

There is no HIPAA certification for a cloud services provider such as PureCloud. However, PureCloud has undergone an independent audit that verified our administrative, physical, and technical controls.

As a potential business associate to covered entities, PureCloud is required to implement the administrative, physical, and technical controls required for HIPAA compliance. For details about these controls, the PureCloud security program, network security and more, see Security and compliance.

Is PureCloud HIPAA-compliant?

PureCloud features are HIPAA-compliant with the following exceptions:

  • ACD emails
  • SMS messages

Caution: Using non-HIPAA compliant services to transmit ePHI is not covered under the terms of the PureCloud BAA.

Where does PureCloud support HIPAA compliance?

HIPAA compliance is available in the Amazon Web Services (AWS) US-East region.

Does PureCloud have a business associate agreement with Amazon?

Yes. This agreement helps ensure that your customer data is fully protected.

What is different in PureCloud with HIPAA compliance enabled?

PureCloud provides HIPAA-compliant organizations a similar user interface and user experience as non-HIPAA compliant organizations. However, some PureCloud features work differently for HIPAA-compliant organizations:

  • In HIPAA-compliant organizations, PureCloud does not send email notifications to inform users of new voicemails, including personal and group ring voicemails. PureCloud users in HIPAA-compliant organizations will continue to receive in-app notifications for new voicemails, and can listen to voicemails by accessing their inbox.
  • SMS messages are not HIPAA-compliant and should not be used to transmit ePHI.

Note: PureCloud provides the same high level of security to all organizations. HIPAA-compliant organizations and non-HIPAA compliant organizations are equally secure.

How do I sign up for PureCloud with HIPAA compliance?

All HIPAA PureCloud organizations require a valid business associate agreement with PureCloud. When a business associate agreement is signed by all parties, PureCloud will set a HIPAA toggle for your organization.

If you are an administrator, you can check the status of your organization’s HIPAA compliance by reviewing the HIPAA setting toggle on the Settings tab of the Manage Organization page.

How do I set up a business associate agreement with PureCloud?

To receive a BAA from PureCloud, contact us.

Can I enable HIPAA compliance on an existing PureCloud organization?

If you are an administrator, you can check the status of your organization’s HIPAA compliance by reviewing the HIPAA setting toggle on the Settings tab of the Manage Organization page. If you need to enable HIPAA compliance, contact us.

Can I use non-compliant services with HIPAA compliance enabled?

Yes. However, using non-HIPAA compliant services to transmit electronic protected health information is not covered by the PureCloud BAA and may be a violation of HIPAA regulations. For more information, contact us.

Do I have any responsibilities for using PureCloud in a HIPAA-compliant manner?

PureCloud customers:

  • Must enforce an inactivity timeout on user workstations to meet organizational policy.

    The PureCloud API does have a HIPAA idle timeout. However, applications, including the PureCloud user interface, can make requests on behalf of the user while the user is idle, for example to fetch data that keeps the application up to date or to save application logs. Any such request resets the HIPAA API timeout, so the API timeout alone cannot guarantee that an idle user is logged out.

    When using the PureCloud web or desktop applications, a user who is idle longer than the API timeout sees a message prompting them to re-authenticate.

    Caution: The only way to guarantee the inactivity timeout required by HIPAA is an operating-system-level lockout on the user workstation. PureCloud recommends a 15-minute inactivity timeout on user workstations.

  • Should use full disk encryption.

    PureCloud may store a session token in local storage on client devices so that PureCloud sessions can survive browsers that are frequently closed and reopened.
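The following PowerShell script is an added example, not PureCloud's own tooling: it audits a Windows workstation against the two customer responsibilities above (a 15-minute OS-level inactivity lock and full disk encryption). It assumes a Windows workstation with BitLocker, and uses the registry value behind the "Interactive logon: Machine inactivity limit" policy; the function names are the author's own.

```powershell
# Added example (not PureCloud code). Assumptions:
#  - InactivityTimeoutSecs under HKLM:\...\Policies\System is the registry value
#    written by the "Interactive logon: Machine inactivity limit" policy
#  - full disk encryption is BitLocker (Get-BitLockerVolume cmdlet)
# Run from an elevated PowerShell prompt.

$MaxIdleSeconds = 900   # PureCloud's recommended 15-minute workstation timeout
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-InactivityLockout {
    param([int]$MaxSeconds = $MaxIdleSeconds)
    $value = (Get-ItemProperty -Path $PolicyPath -Name 'InactivityTimeoutSecs' `
              -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    # A missing value or 0 means no machine inactivity limit is enforced,
    # which leaves only the app-level timeout that background requests reset.
    if (-not $value -or $value -le 0) {
        return [pscustomobject]@{ Check = 'InactivityLockout'; Pass = $false
                                  Detail = 'No OS-level inactivity limit configured' }
    }
    return [pscustomobject]@{ Check = 'InactivityLockout'; Pass = ($value -le $MaxSeconds)
                              Detail = "InactivityTimeoutSecs = $value (max $MaxSeconds)" }
}

function Test-FullDiskEncryption {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if (-not $vol) {
        return [pscustomobject]@{ Check = 'FullDiskEncryption'; Pass = $false
                                  Detail = 'BitLocker not available on the system drive' }
    }
    # ProtectionStatus 'On' means the volume is encrypted and its protectors are active;
    # an encrypted volume with protection suspended still reports 'Off'.
    return [pscustomobject]@{ Check = 'FullDiskEncryption'
                              Pass = ($vol.ProtectionStatus -eq 'On')
                              Detail = "ProtectionStatus=$($vol.ProtectionStatus), VolumeStatus=$($vol.VolumeStatus)" }
}

function Set-InactivityLockout {
    # Remediation: enforce the 15-minute lock by writing the same registry value
    # that Group Policy sets for "Interactive logon: Machine inactivity limit".
    param([int]$Seconds = $MaxIdleSeconds)
    Set-ItemProperty -Path $PolicyPath -Name 'InactivityTimeoutSecs' -Value $Seconds -Type DWord
}

$results = @(Test-InactivityLockout; Test-FullDiskEncryption)
$results | Format-Table -AutoSize
# Non-zero exit lets an endpoint management job flag the workstation as non-compliant.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Session tokens kept in local storage are only as protected as the device they sit on, which is why the disk encryption check sits beside the lockout check.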

For more information, contact PureCloud Customer Care.