Is the Vonage API platform HIPAA compliant?
What is HIPAA compliance?
The Health Insurance Portability and Accountability Act (HIPAA) is a set of regulations designed to protect the privacy and security of certain health information. Within HIPAA is the Privacy Rule and Security Rule. The Privacy Rule is a set of standards for the privacy of individually identifiable health information (what should be kept private and secure). The Security Rule establishes a set of standards for protecting this health information when transferred in electronic form (how to secure health information when transmitting in electronic form).
By law, the HIPAA Privacy Rule applies only to covered entities: health plans, healthcare clearinghouses, and certain health care providers. Many healthcare providers do not carry out all their health care activities and functions themselves. The Privacy Rule does allow these covered entities to use and share information to their partners, also know as business associates. The Vonage API platform does not consider itself to be a business associate to covered entities. Therefore, protected health information should never be transmitted through any of Vonage's APIs.
What is protected health information (PHI)?
Under HIPAA, protected health information:
- Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
For more information, refer to the HIPAA website.
How can I build my Vonage API application and remain in HIPAA security rule compliance?
Businesses related to and in healthcare have successfully built their communications on top of the Vonage API platform. They key factor is to avoid transmitting over the Vonage API platform protected health information (PHI) in a way which could be accessed by someone other than the patient or their clinician/healthcare organization. For instance, rather than sending a text message which has PHI in the body, you could:
- Store the PHI separately on your own system, and send a text message with a link to your system, as long as accessing the link requires strong authentication by the patient.
- Call the customer using the Voice API, and do not record the call.
Vonage API's services are not HIPAA-compliant, nor does Vonage API consider itself to be either a covered entity or a business associate under the HIPAA Rules. As a provider of voice calling services, Vonage API would act under the “conduit” exception to the HIPAA Rules.
Vonage's SMS services facilitate the transmission of communications via an extensive network of partner providers. Vonage API is unable to monitor or enforce whether or how those communications are encrypted on these partner provider networks; Vonage API cannot control whether and how records of those communications are stored on those networks; and Vonage API cannot guarantee receipt by the intended recipient. As such, to ensure your compliance with the HIPAA Security Rule, you should avoid transmitting PHI via our SMS services.
The foregoing is provided solely as a courtesy and not as legal advice. We cannot guarantee compliance with applicable law, and strongly urge you to consult with your own licensed legal advisor with expertise in the relevant laws and regulations.