HIPAA compliance
PureCloud is committed to respecting the privacy of your and your customer’s information, including electronic protected health information (ePHI). As part of this commitment, many PureCloud services are compliant with the Health Insurance Portability and Accountability Act (HIPAA), specifically meeting the administrative, physical, and technical safeguards required by law. Ask a sales representative about specific compliance matters including Business Associate Agreements (BAAs) and third-party compliance verification.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law that was originally passed in 1996 and includes subsequent additions passed in the years since. Because HIPAA is a U.S. federal law, it only governs transactions or entities within the United States and is not an international law or standard.

HIPAA was designed to regulate both health insurance plans (Title I) and the privacy and security of health information (Title II), among other things. The Privacy Rule in Title II regulates the use and disclosure of protected health information (PHI). The Security Rule in Title II complements the Privacy Rule and lays out administrative, physical, and technical safeguards required for HIPAA compliance.

What is a business associate and a BAA?

Covered entities, which include health care providers, health plan providers, and health care clearinghouses, may engage PureCloud in the role of a business associate to help carry out their health care activities and functions. Business associates include entities that perform functions or activities on behalf of, or provide certain services to, covered entities, such as creating, receiving, maintaining, and/or transmitting protected health information.

Generally, covered entities using the services of a business associate must have a written BAA with each business associate. A BAA should ensure that business associates will appropriately safeguard protected health information and should also clarify and limit the permissible uses and disclosures of protected health information by the business associate.

Is PureCloud HIPAA-certified?

There is no HIPAA certification for a cloud services provider such as PureCloud. However, PureCloud has undergone an independent audit which verified our administrative, physical, and technical controls.

As a potential business associate to covered entities, PureCloud is required to implement the administrative, physical, and technical controls required for HIPAA compliance. For details about these controls, the PureCloud security program, network security and more, see Security and compliance.

Is PureCloud HIPAA-compliant?

PureCloud features are HIPAA-compliant with the following exceptions:

  • ACD emails
  • SMS messages
  • Email notifications of voicemails
  • Email notifications of faxes

Caution: Using non-HIPAA-compliant services to transmit ePHI is not covered under the terms of the PureCloud BAA.

What about AppFoundry applications, third-party integrations, and bring-your-own-technology service providers?

PureCloud cannot guarantee that third-party providers are HIPAA compliant. While the PureCloud BAA does not exclude communications to and from third-party providers, our BAA does not extend beyond PureCloud.

Generally, if you are using a third-party technology to communicate protected health information to or from PureCloud, you must have a BAA with both PureCloud and the third-party technology provider. For example, if you use a third-party messaging platform with a third-party channel such as Facebook, Twitter, or WhatsApp, you should have both a BAA with Genesys and a BAA with the third-party messaging platform. Similarly, if you use an application from the AppFoundry such as Google Dialogflow or Amazon Lex to communicate ePHI to or from Genesys Cloud, you should have a BAA with both Genesys and the third party (Google Dialogflow or Amazon Lex).

Where does PureCloud support HIPAA compliance?

HIPAA compliance is available in the Amazon Web Services (AWS) US East and US West regions.

Does PureCloud have a business associate agreement with Amazon Web Services (AWS)?

Yes. The BAA between PureCloud and AWS covers information that PureCloud stores in AWS. This agreement helps ensure that your customer data is fully protected.

What is different in PureCloud with HIPAA compliance enabled?

PureCloud provides HIPAA-compliant organizations a similar user interface and user experience as non-HIPAA-compliant organizations. However, some PureCloud features work differently for HIPAA-compliant organizations:

  • In HIPAA-compliant organizations, PureCloud does not send email notifications to inform users of new voicemails, including personal and group ring voicemails. PureCloud users in HIPAA-compliant organizations will continue to receive in-app notifications for new voicemails, and can listen to voicemails by accessing their inbox.
  • In HIPAA-compliant organizations, PureCloud does not send email notifications to inform users of new faxes. PureCloud users in HIPAA-compliant organizations will continue to receive in-app notifications for new faxes.
  • SMS messages are not HIPAA-compliant and should not be used to transmit ePHI.

Note: PureCloud provides the same high level of security to all organizations. HIPAA-compliant organizations and non-HIPAA-compliant organizations are equally secure.

How do I sign up for PureCloud with HIPAA compliance?

All HIPAA PureCloud organizations require a valid business associate agreement with PureCloud. When a business associate agreement is signed by all parties, PureCloud will set a HIPAA toggle for your organization.

If you are an administrator, you can check the status of your organization's HIPAA compliance by reviewing the HIPAA setting toggle on the Manage Organization page, Settings tab.

How do I set up a business associate agreement with PureCloud?

To receive a BAA from PureCloud, contact us.

Can I enable HIPAA compliance on an existing PureCloud organization?

If you are an administrator, you can check the status of your organization's HIPAA compliance by reviewing the HIPAA setting toggle on the Manage Organization page, Settings tab. If you need to enable HIPAA compliance, contact us.

Can I use non-compliant services with HIPAA compliance enabled?

Yes. However, using non-HIPAA-compliant services to transmit electronic protected health information is not covered by the PureCloud BAA and may be a violation of HIPAA regulations. For more information, contact us.

Do I have any responsibilities for using PureCloud in a HIPAA-compliant manner?

PureCloud customers:

  • Should use full disk encryption.
  • Must have a written BAA with any third-party providers that customers will use for transmitting protected health information with PureCloud.
  • Must enforce an inactivity timeout on user workstations to meet organizational policy.

The PureCloud API does enforce a HIPAA idle timeout. However, applications, including the PureCloud user interface, can make requests on behalf of the user while the user is idle, for example fetching data to keep the application up to date or saving application logs. Any such request resets the HIPAA API timeout, so the API timeout alone does not guarantee that an idle session is locked.

When using the PureCloud web or desktop applications, if the user is idle for longer than the API timeout, the user sees a message prompting them to re-authenticate.

Caution: The only way to guarantee the inactivity timeout required by HIPAA is an operating-system-level lockout on the user workstation. PureCloud recommends a 15-minute inactivity timeout on user workstations.
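As an added example (not code from the PureCloud documentation), the following PowerShell audit reads the Windows registry locations that back an OS-level inactivity lock and reports whether a lock within the recommended 15 minutes is in force. It assumes a Windows workstation and that it is run in the session of the user being checked, since the screen-saver values live under HKCU.

```powershell
# Added example, not part of the PureCloud documentation.
# Checks whether this Windows workstation enforces an OS-level lock within 15 minutes.
$MaxIdleSeconds = 900   # 15 minutes, the value recommended above

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-Timeout($Value) {
    # Unset or 0 means no lock; anything above the limit exceeds the recommendation.
    if ($null -eq $Value) { return $false }
    $s = [int]$Value
    return ($s -gt 0 -and $s -le $MaxIdleSeconds)
}

# Route 1: "Interactive logon: Machine inactivity limit" locks the session machine-wide
# and always requires the password on resume.
$machineLimit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
$machineOk = Test-Timeout $machineLimit

# Route 2: screen saver with password on resume. Policy keys (pushed by GPO) win over user settings.
$policy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$user   = 'HKCU:\Control Panel\Desktop'
$ssTimeout = Get-RegValue $policy 'ScreenSaveTimeOut';   if ($null -eq $ssTimeout) { $ssTimeout = Get-RegValue $user 'ScreenSaveTimeOut' }
$ssActive  = Get-RegValue $policy 'ScreenSaveActive';    if ($null -eq $ssActive)  { $ssActive  = Get-RegValue $user 'ScreenSaveActive' }
$ssSecure  = Get-RegValue $policy 'ScreenSaverIsSecure'; if ($null -eq $ssSecure)  { $ssSecure  = Get-RegValue $user 'ScreenSaverIsSecure' }
# All three must hold: a timeout within the limit, screen saver active, and password required on resume.
$screenOk = (Test-Timeout $ssTimeout) -and ($ssActive -eq '1') -and ($ssSecure -eq '1')

"Machine inactivity limit : {0}" -f $(if ($null -eq $machineLimit) { 'not set' } else { "$machineLimit s" })
"Screen saver lock        : timeout={0} active={1} secure={2}" -f $ssTimeout, $ssActive, $ssSecure
if ($machineOk -or $screenOk) {
    "RESULT: OS-level lock enforced within $MaxIdleSeconds seconds"
} else {
    "RESULT: no OS-level lock within $MaxIdleSeconds seconds; configure one via Group Policy"
}
```

Either route satisfies the check; the machine inactivity limit is the simpler one to enforce centrally because it does not depend on per-user screen-saver settings.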

PureCloud may store a session token in local storage on client devices so that PureCloud sessions can survive browsers that are frequently closed and reopened.

For more information, contact PureCloud Customer Care.