Healthcare businesses frequently ask us, “Is Plivo HIPAA compliant?” To answer that question, we have to throw a little jargon around — but we think you’ll like the answer.
The Health Insurance Portability and Accountability Act (HIPAA) and its follow-on, the Health Information Technology for Economic and Clinical Health Act (HITECH), are US laws designed to protect the privacy and security of consumers’ medical data, which in HIPAA terms is referred to as protected health information (PHI).
Under HIPAA, covered entities (such as physicians and health plans) have to follow the documented Privacy Rule and Security Rule requirements for handling PHI. They don’t have to do everything on their own systems, however; they can contract with other companies that provide business functions such as billing, medical record storage, or (ahem) a communications platform that lets the covered entities communicate with consumers via messaging or voice calls. To keep a covered entity compliant, a service provider that can access PHI must sign a business associate agreement (BAA) that provides assurances to the covered entity that the service provider will do its part to protect that data.
Plivo can sign a BAA for customers who sign up for an enterprise package.
HIPAA compliance requires everyone’s attention
HIPAA compliance is a shared responsibility, however. Plivo can guarantee things like encryption of data in transit and at rest and redaction of details in logs, and back those guarantees up with audit reports from independent third parties. But our customers, the covered entities, are responsible for other aspects, such as securing their authentication credentials and using the Plivo console in a secure environment. In short, you have to use Plivo in a compliant manner and make sure your applications’ instructions to us comply with the statutes.