PureCloud is committed to respecting the privacy of your information and your customers’ information, including electronic protected health information (ePHI). As part of this commitment, many PureCloud services are compliant with the Health Insurance Portability and Accountability Act (HIPAA), specifically meeting the administrative, physical, and technical safeguards required by law. Ask a sales representative about specific compliance matters, including business associate agreements (BAAs) and third-party compliance verification.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law that was originally passed in 1996 and includes subsequent additions passed in the years since. Because HIPAA is a U.S. federal law, it governs only transactions and entities within the United States; it is not an international law or standard.
HIPAA was designed to regulate both health insurance plans (Title I) and the privacy and security of health information (Title II), among other things. The Privacy Rule in Title II regulates the use and disclosure of protected health information (PHI). The Security Rule in Title II complements the Privacy Rule and lays out administrative, physical, and technical safeguards required for HIPAA compliance.
What is a business associate and a BAA?
Covered entities, which include health care providers, health plan providers, and health care clearinghouses, may engage PureCloud in the role of a business associate to help carry out their health care activities and functions. Business associates include entities that perform functions or activities on behalf of, or provide certain services to covered entities, such as creating, receiving, maintaining, and/or transmitting protected health information.
Generally, covered entities using the services of a business associate must have a written business associate agreement (BAA) with each business associate. A BAA should ensure that business associates will appropriately safeguard protected health information and should also clarify and limit the permissible uses and disclosures of protected health information by the business associate.
Is PureCloud HIPAA-certified?
There is no HIPAA certification for a cloud services provider such as PureCloud. However, PureCloud has undergone an independent audit which verified our administrative, physical, and technical controls.
As a potential business associate to covered entities, PureCloud is required to implement the administrative, physical, and technical controls required for HIPAA compliance. For details about these controls, the PureCloud security program, network security and more, see Security and compliance.
Is PureCloud HIPAA-compliant?
PureCloud features are HIPAA-compliant with the following exceptions:
- ACD emails
- SMS messages
Where does PureCloud support HIPAA compliance?
HIPAA compliance is available in the Amazon Web Services (AWS) US-East region.
Does PureCloud have a business associate agreement with Amazon?
Yes. This agreement helps ensure that your customer data is fully protected.
What is different in PureCloud with HIPAA compliance enabled?
PureCloud provides HIPAA-compliant organizations with a user interface and user experience similar to those of non-HIPAA-compliant organizations. However, some PureCloud features work differently for HIPAA-compliant organizations:
- In HIPAA-compliant organizations, PureCloud does not send email notifications to inform users of new voicemails, including personal and group ring voicemails. PureCloud users in HIPAA-compliant organizations will continue to receive in-app notifications for new voicemails, and can listen to voicemails by accessing their inbox.
- SMS messages are not HIPAA-compliant and should not be used to transmit ePHI.
How do I sign up for PureCloud with HIPAA compliance?
All HIPAA PureCloud organizations require a valid business associate agreement with PureCloud. When a business associate agreement is signed by all parties, PureCloud will set a HIPAA toggle for your organization.
If you are an administrator, you can check the status of your organization’s HIPAA compliance by reviewing the HIPAA setting toggle on the Settings tab of the Manage Organization page.
How do I set up a business associate agreement with PureCloud?
To receive a BAA from PureCloud, contact us.
Can I enable HIPAA compliance on an existing PureCloud organization?
If you are an administrator, you can check the status of your organization’s HIPAA compliance by reviewing the HIPAA setting toggle on the Settings tab of the Manage Organization page. If you need to enable HIPAA compliance, contact us.
Can I use non-compliant services with HIPAA compliance enabled?
Yes. However, using non-HIPAA-compliant services to transmit electronic protected health information is not covered by the PureCloud BAA and may be a violation of HIPAA regulations. For more information, contact us.
Do I have any responsibilities for using PureCloud in a HIPAA-compliant manner?
- Must enforce an inactivity timeout on user workstations to meet organizational policy.
The PureCloud API does enforce a HIPAA idle timeout. However, applications, including the PureCloud user interface, can make requests on behalf of the user while the user is idle. These requests include fetching data to keep the application up to date and saving application logs, and any such request resets the HIPAA API timeout. The API timeout therefore cannot measure whether a person is actually at the workstation, which is why an inactivity timeout on the workstation itself is still required.
When using the PureCloud web or desktop applications, if the user is idle longer than the API timeout, the user will see a message prompting them to re-authenticate.
- Should use Full Disk Encryption.
PureCloud may store a session token in local storage on client devices so that PureCloud sessions survive the browser being closed and reopened. Full disk encryption protects that stored token if the device is lost or stolen.
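The following is an added simulation (not PureCloud code) of the two timers described above: a server-side API idle timeout that any request resets, and a workstation timer that counts only real user input. The timeout values and the background polling interval are assumptions; the page does not state the real ones.

```python
# Constructed simulation, not PureCloud code: why a server-side API idle timeout
# that any request resets cannot replace a workstation inactivity lock.
# Both timeout values are assumptions; the page does not state the real ones.

API_IDLE_TIMEOUT = 900   # assumed API idle timeout, seconds
WORKSTATION_LOCK = 600   # assumed organizational lock policy, seconds


class ApiSession:
    """Server side: sees only when the last request arrived, whoever sent it."""

    def __init__(self):
        self.last_request = 0

    def on_request(self, now):
        self.last_request = now      # any request, user-driven or not, resets the timer

    def expired(self, now):
        return now - self.last_request > API_IDLE_TIMEOUT


class Workstation:
    """Client side: counts only real keyboard/mouse input, never background traffic."""

    def __init__(self):
        self.last_input = 0

    def on_input(self, now):
        self.last_input = now

    def locked(self, now):
        return now - self.last_input > WORKSTATION_LOCK


def simulate(user_inputs, poll_interval=None, end=3600):
    """Step through `end` seconds. `user_inputs`: set of times (s) the user typed or
    clicked. `poll_interval`: how often the app refreshes data in the background
    (None = no background traffic). Returns (first time the API session expired,
    first time the workstation locked); None means never within `end`."""
    session, ws = ApiSession(), Workstation()
    api_expired_at = ws_locked_at = None
    for t in range(end + 1):
        if t in user_inputs:          # real user activity reaches both timers
            ws.on_input(t)
            session.on_request(t)
        elif poll_interval and t % poll_interval == 0:
            session.on_request(t)     # background poll resets only the API timer
        if api_expired_at is None and session.expired(t):
            api_expired_at = t
        if ws_locked_at is None and ws.locked(t):
            ws_locked_at = t
    return api_expired_at, ws_locked_at
```

With the user active at t=0 and t=300 and the application polling every 60 seconds, `simulate({0, 300}, poll_interval=60)` returns `(None, 901)`: the API session never expires while the workstation lock still engages, whereas with no background traffic the API session expires at 1201.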
For more information, contact PureCloud Customer Care.