HIPAA Best Practices for Cloud Services and VOIP

Ensuring HIPAA Compliance Graphic

Many organizations play fast and loose with the phrase “HIPAA-compliant.” But this isn’t a mere marketing label that everyone can apply however they see fit. HIPAA’s standards for achieving and maintaining compliance are admittedly confusing in many areas. But there ARE HIPAA best practices and standards—well-documented ones at that.

In this blog, we’ll offer insights on two specific areas that frequently cause confusion around HIPAA compliance: cloud services and voice over IP (VOIP).

Is Encryption in Cloud Services Required?

Whenever you see “HIPAA-compliant” and “cloud service provider” in the same sentence, expect things to get confusing. Don’t automatically accept a service provider’s claim that their cloud service is HIPAA-compliant. In their default state, many implementations using cloud services actually aren’t. If a cloud service provider states they are HIPAA-compliant, they generally mean that their platform can be used in a HIPAA-compliant manner if configured and used appropriately.

For instance, many cloud services do not currently enforce encryption at rest when data is stored on their platforms. (Data at rest is simply data that is being stored rather than data being transmitted or processed. It could be, for example, data stored on a hard drive, in a .txt file, or in an Amazon S3 bucket). In many cases, encryption at rest is a configurable feature/option, but you’ll have to manually turn it on. To make matters even more confusing, at rest encryption can be implemented in many different ways, such as full disk encryption; volume or virtual disk encryption; file/folder encryption; and even database table/field encryption. And, of course, no two cloud providers or solutions do things exactly the same way.

If you don’t encrypt data at rest in cloud environments used to store Protected Health Information (PHI), you will often be non-compliant with HIPAA. That naturally leads to the question, “If HIPAA requires encryption at rest, why doesn’t it just say so?” Here are the details.

The HIPAA Security Rule and the U.S. Department of Health and Human Services (HHS) do not explicitly require implementation of encryption at rest in every situation. (This is one of the safeguards called "addressable" in HIPAA parlance, which means “not required.”) But HIPAA does require that every organization conduct a risk assessment to determine whether encryption is a "reasonable and appropriate safeguard" for PHI data at rest for their organization in every situation. (This section of HIPAA has the details. Note that HIPAA handles all of its "addressable" safeguards this way.)

Furthermore, HHS has acknowledged that "encryption protects ePHI by significantly reducing the risk of the information being viewed by unauthorized persons.”

Why Encryption Makes Sense

Along with HHS’ recommendation, every covered entity and healthcare organization we’ve worked with has expected that PHI be encrypted at rest when it is outside of the organization’s direct control. Your decision should be even easier when you learn that it doesn’t cost much in time or money to implement at rest encryption.

All of that is why we recommend encrypting PHI in two situations:

  • Whenever PHI leaves your data center/office and your organization's enforced/monitored physical and logical security controls.
  • Whenever PHI resides in a place where it could be stolen more easily, such as cloud services and mobile devices.

Encrypting data in these situations mitigates the risk of data loss. You will be protected in the event of breakdowns of physical or logical security controls in cloud service provider environments or at other potentially uncontrolled locations (such as remote work locations).

Keep in mind that if you want to pass a HIPAA audit, you’ll need to take additional measures for any location/service where you don’t encrypt PHI data at rest. HHS states, "If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate."

Basically, if you decide not to encrypt PHI in a cloud service, you need to document that ahead of time, along with details of the equivalent alternative measures/safeguard you use. All of that must be available to any auditors who come calling from the Office for Civil Rights (OCR, which enforces HIPAA).

For more information on how HIPAA applies to cloud service providers, click here.

Voice Services

Voice services and voicemail present their own HIPAA complexity. Part of the challenge stems from the fact that HIPAA arrived long before anyone used VOIP. HIPAA was released in the same year (1996) that VOIP was invented (specifically, the SIP protocol). But VOIP didn’t hit widespread usage among healthcare providers until around 2011. (Here’s a quick history of VOIP).

HHS has said that telephone and fax services are exempted under the HIPAA Security Rule because they are written and oral communication. But that’s not the end of the story.

This overview of HIPAA’s treatment of telephone and fax services illustrates the challenge. It doesn't address VOIP or video over IP services specifically.

We suspect HIPAA exempted telephone service in the first place because encryption of voice communications wasn’t considered a reasonable and appropriate safeguard in 1996. Transit encryption was ridiculously expensive/difficult to implement for voice transmissions, and voicemail as a service didn’t exist. And no one had even thought about the concept of cloud providers.

The best way to avoid non-compliance in an audit or penalties from OCR is to use transit encryption with VOIP or video services. Both history and recently released information from HHS point to this:

  • HHS tacitly admitted that cloud voice/video providers in general may not be compliant.
  • HHS also indicated that voice/video traffic transmitted over the Internet should be encrypted and that a breach caused by interception of PHI voice or video transmissions sent over the Internet could lead to OCR penalties.

If you need help understanding how HIPAA rules affect your organization, contact us today.