Architecting for HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) is a set of federal standards to protect the privacy of patients' medical records and other health information maintained by covered entities: health plans, which include many governmental health programs, such as the Veterans Health Administration, Medicare, and Medicaid; most doctors, hospitals, and many other health care providers; and healthcare clearinghouses.  These standards provide patients with access to their medical records and with significant control over how their personal health information is used and disclosed.  The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use so they can assure the confidentiality, integrity, and availability of electronic protected health information (PHI).

PHI generally includes individually identifiable health information including demographic data, that relates to:

• The individual’s past, present or future physical or mental health or condition,
• The provision of health care to the individual, or
• The past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.
• ​Individually identifiable health information including name, address, birth date, Social Security Number, etc.

By law, the HIPAA Privacy Rule applies to covered entities: health plans, healthcare clearinghouses, and certain healthcare providers and business associates. A business associate is a person or entity that performs certain functions or activities that involve the use of the PHI on behalf of a covered entity.

This article is intended for CallTrackingMetrics customers who have a Business Associate Addendum (BAA) in place with CallTrackingMetrics or intend to enter into a BAA with us.

This article provides specific guidelines on how customers can use CallTrackingMetrics to develop HIPAA compliant workflows.  CallTrackingMetrics believes that security and compliance is a shared responsibility between CallTrackingMetrics and the customer. There are aspects of HIPAA controls that CallTrackingMetrics has put in place for all of our customers’ data. There are additional safeguards that customers seeking HIPAA compliance will require, and it is CallTrackingMetrics' responsibility to provide the services and tools necessary to configure the additional requirements. It is the customer’s responsibility to ensure that their workflows built on CallTrackingMetrics utilize these tools to architect a solution that supports HIPAA compliance.

Throughout this article, we have indicated whether each CallTrackingMetrics feature is required for HIPAA compliance or if there are recommendations for additional security. Some sections call out special considerations that customers should take note of under certain circumstances.

Customers that enter into a BAA with CallTrackingMetrics will need to specify which of their Accounts are designated HIPAA (per the BAA) for all existing and future Sub-accounts created. They may use any CallTrackingMetrics features under the designated HIPAA Accounts, but workflows that potentially contain PHI can only be built using the requirements as outlined here. If an Agency (Parent) ID is designated as HIPAA at the signing of a BAA, then any future Sub-accounts created in that Agency will also be automatically designated as HIPAA Accounts.  If only select Sub-accounts are designated as HIPAA Sub-accounts at the signing of a BAA, then the customer will need to request that any later-created Sub-accounts be designated as HIPAA.

Customer Requirements

This section outlines the set of required and recommended best practices for building a HIPAA-compliant workflow on CallTrackingMetrics.

Required:

• You must be on the Connect, Growth, Advanced, Marketing Pro, Sales Engage, or Enterprise plan.  You can check your plan and change your plan at the top of the Account Settings page
• We need to have a Business Associate Agreement in place with you. To request a BAA, follow these steps:
  1. Log into your account. 
  2. Navigate to Help > Ticket Portal, or click here to open a ticket. 
  3. Fill out the details for your request and click the Submit button. 
• You cannot use tracking numbers that are marked as "not eligible for HIPAA compliance". Non HIPAA numbers will be marked with an asterisk and flagged on the Buy Numbers page as well as the Tracking Numbers page in your account.
• Individual Logins: Each user accessing HIPAA accounts must have their own unique login for CTM.
• User Security: Within Agency Settings, navigate to the "Security" area and configure the following:
  • Logout users automatically after no more than 15 minutes of idle connection,
  • Enable two-factor authentication to ask for a verification code every time or every 30 days, and
  • Check the box to require a user login to access call recordings
• Encrypted Call Recordings: If recording phone calls, you must enable the following in account settings:
  • Encrypted call recordings - Encrypted call recordings cost an additional $.005 cents per minute.
  • Encrypted call recording storage - Encrypted call recording storage costs an additional $.0005 cents per minute.
• Enable automatic redaction on your account to manage how much and how long information is being stored.
  • Redaction removes personal information from records of calls, chats, texts, and forms in your account
  • Redaction can be configured to occur daily, every 30 days, every 60 days, or every 90 days.
  • Redaction can also be done manually for an individual call, chat, or text in the Call or Text Log.
• MMS enables the exchange of attachments and picture messages between mobile phones over the carrier network. MMS is now HIPAA compliant.
• Online Fax allows customers to send and receive faxes on their tracking numbers. This feature cannot be used for workflows requiring HIPAA compliance at this time.
• If you expect sensitive information such as Social Security numbers or personal phone numbers to be exchanged, you need to enable Secure Call Transcriptions which will automatically detect the presence of that information in your interactions and will redact them from your recordings and transcriptions.

Recommended:

• Avoid configuring triggers, notifications, or exports that move PHI out of CallTrackingMetrics into emails or text messages.  If choosing to use any of these features, it is your responsibility to ensure the security of the information once it leaves CallTrackingMetrics. For example:
  • When using SMS services on CTM, do not include PHI in the body of your text messages.
  • If you are using post-call notifications trigger emails each time a call comes in that matches certain criteria you have set, be sure to remove fields that could contain unsecured PHI from your notifications such as Recordings (unless the login required option has been turned on per item above), Transcriptions, Name, Phone number, E-mail address, Call Notes, and any other field containing PHI for your particular use case (such as tags).
  • Another example would be exporting your call log. When exporting the call log, you would need to remove any fields that contain unsecured access to PHI such as Recordings (unless the login required option has been turned on per item above), Transcriptions, Name, Phone number, E-mail address, Call Notes, and any other field containing PHI for your particular use case (such as tags)
• Consider turning off Caller ID in Call Settings if you do not need to collect the name or location of your callers.
• Avoid using Enhanced Caller ID if you do not need to collect that information.

Restrictions:

• When using AskAI workflows, Customer shall not market, sell, or otherwise introduce or deliver any function that constitutes a medical device. For purposes of this restriction, the term “medical device” has the meaning given to that term in Section 201(h)(1) of the U.S. Federal Food, Drug, and Cosmetic Act, U.S. Food and Drug Administration (“FDA”) regulations and guidance, or in relevant statutes and authorities of any other jurisdiction where Customer markets, sells, or otherwise introduces or delivers products that use the AskAI workflows.
• When using AskAI workflows, Customer shall not use the workflows to practice medicine, including to prevent, diagnose, or treating a disease or condition. However, nothing shall preclude our Customers who are licensed and qualified professionals who are authorized to practice medicine in the relevant jurisdictions from using the AskAI workflows provided they:
  • inform their Customers in writing that the AskAI output and the associated Services are computer-generated and not human-generated, and may be inaccurate or incomplete; and
  • are trained and otherwise qualified in such professional’s applicable scope of practice.
• When using AskAI workflows, Customer shall not use the workflows for the purposes of coding medical claims or otherwise supporting medical billing, coding, or claims generation. However, nothing shall preclude our Customers who are duly trained and qualified individuals who maintain such certifications as are available and required for individuals performing such activities from using the AskAI workflows provided they:
  • inform their Customers in writing that the AskAI output is computer-generated and not human-generated, and may be inaccurate or incomplete; and
  • are trained and otherwise qualified in the provision of such coding, claims, and billing activities. 

Integrations with Third Parties

Integrations with Third-Party services and webhooks and triggers enable customers to link CallTrackingMetrics with external services like Salesforce, Hubspot or Facebook. It is your responsibility to ensure that the third party services or applications are used in a HIPAA compliant manner.