Several years ago, Plain Old Telephone Service (POTS) was the most common option for communications over a telephone network. Now, there are a variety of other communications options to consider, such as cellular and Voice over IP (VoIP).
While each option has advantages, when it comes to protected health information (PHI), there are important safeguards to consider.
Just recently we were asked when a cloud-based phone provider is considered a business associate. Specifically, are covered entities required to have a business associate agreement (BAA) with a cloud-based phone provider?
Definition of Business Associate
A "business associate" is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of or provides services to, a covered entity. In other words, a business associate is a person or entity who performs functions or activities that create, receive, maintain or transmit PHI on behalf of, or provide services to, a covered entity.
Are Telecommunication Companies Business Associates?
According to the Office of Civil Rights (OCR) there is a difference between data transmission services that require access to PHI on a routine basis, and "conduits." Businesses that function as conduits are not business associates. This is because under the Omnibus Rule, a conduit transports information, but does not access it except on a random basis as necessary to perform the transportation service or a required by law. OCR specifically mentions a telecommunications company may have occasional, random access to PHI when viewing whether the data transmitted over its network arrives at its intended destination.
So what about cloud-based phone providers?
According to HHS, cloud services providers (such as cloud-based phone providers) that provide services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) e) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the cloud services provider does not have the decryption key. The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI that do not involve any storage of the information other than on a temporary basis incident to the transmission service.
Our recommendation
If you are using a cloud services provider such as a cloud-based phone provider and they provide services that involve creating, receiving, or maintaining ePHI (e.g., voice mail services) you should have a signed business associate agreement in place with that provider. If the cloud-based phone provider only provides transmission services a business associate agreement would not be necessary.
If you have additional questions please contact us by email: [email protected] or by phone: 855-427-0427.