HIPAA Compliance



Convo supports its customers' obligations under HIPAA and the HITECH Act and will sign a HIPAA Business Associate Agreement (BAA) with customers that require one. Convo is one of the few cloud-based enterprise communication providers that signs HIPAA BAAs, reflecting our ongoing investment in enterprise security, compliance and control for our customers.

All U.S.-based HIPAA Covered Entities (CEs), such as health care providers, health plans and health care clearinghouses, are required by law to obtain a signed BAA from any Business Associate (BA) that creates, receives, maintains or transmits Protected Health Information (PHI) on their behalf.

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a federal law whose Privacy Rule and Security Rule require specific privacy and security protections for Protected Health Information (PHI). More information about HIPAA can be found on the Department of Health and Human Services' website.

What is the HITECH Act and what is the HIPAA Omnibus Final Rule?

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in 2009 to promote the adoption and meaningful use of health information technology in the U.S. It also strengthened HIPAA enforcement, introduced breach notification requirements, and extended HIPAA's security and privacy obligations directly to Business Associates.

In 2013, the HIPAA Omnibus Final Rule implemented the HITECH changes in regulation, greatly enhancing a patient's privacy rights and protections. In particular, it made all custodians of Protected Health Information (PHI), including HIPAA Business Associates (BAs) and their subcontractors, directly liable for compliance with the Security Rule and with the applicable provisions of the Privacy Rule, rather than only contractually bound to the Covered Entity.

What is Protected Health Information (PHI)?

Protected Health Information (PHI) is individually identifiable health information, in any form or medium, that is held or transmitted by a Covered Entity or Business Associate. It includes demographic information, medical history, test and laboratory results, insurance and billing information, and any other data that relates to an individual's health condition, care or payment for care and that can be used to identify that individual.

What is a HIPAA Business Associate (BA)?

A HIPAA Business Associate (BA) refers to a person or organization that conducts business with the HIPAA Covered Entity (CE) and touches the Protected Health Information (PHI) that the covered entity is stewarding on behalf of the patient.

Business Associates (BAs) include vendors that do business with a HIPAA Covered Entity (CE). Under the HIPAA Omnibus Final Rule, any service that creates, receives, maintains or transmits PHI on behalf of a Covered Entity is considered a Business Associate, even if the vendor never actually views the protected health information (for example, because it is stored in encrypted form).

How does the Business Associates Agreement (BAA) work?

A Business Associate is a vendor or subcontractor who has access to PHI transmitted or stored by a covered entity. For example, if a medical clinic sends patient data through Convo, the medical clinic will be a Covered Entity and Convo will be a Business Associate.

Signing the BAA ensures that Convo upholds its duty to safeguard and manage patient data in compliance with HIPAA. The BAA also clearly outlines what services Convo will provide and what Convo is responsible for: the permitted uses and disclosures of PHI, the safeguards Convo must apply, its obligation to report security incidents and breaches to the Covered Entity, the flow-down of the same terms to any subcontractors, and the return or destruction of PHI when the agreement ends. A Covered Entity cannot be HIPAA-compliant while sharing PHI with a vendor that has not signed a BAA.

What is the Conduit Exception?

The conduit exception is a narrow exception to HIPAA requirements. It covers only entities that provide mere courier services, such as the U.S. Postal Service, FedEx or their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services, and whose access to PHI is transient and incidental to the transmission.

The conduit exception does not apply to enterprise messaging, communication, collaboration or file storage services, because such services persistently store the data they carry, even if they encrypt it or periodically delete it. Covered Entities (CEs) using any of these services are required to obtain a signed BAA from each vendor.

What are the penalties to my organization if employees are caught texting PHI via apps that are not HIPAA compliant?

The penalties for non-compliant texting of PHI are steep. Civil penalties are assessed per violation and scale with the organization's level of culpability, up to $50,000 for a single violation, with an annual cap of $1.5 million for violations of the same provision (both figures are adjusted for inflation). Because each message sent over an unsecured channel can count as a separate violation, repeated violations can lead to millions of dollars in fines in a single year, in addition to corrective action plans and, where the disclosure was knowing, criminal penalties.

Do services like SMS, WhatsApp, Facebook Messenger and Skype meet HIPAA requirements?

No. Consumer messaging apps generally do not meet HIPAA Security Rule requirements: the organization cannot control who receives the data, enforce access controls, or produce an audit trail, and without a BAA with the vendor a Covered Entity may not use the service to communicate PHI at all. Encryption alone does not make such an app safe for PHI.

How does Convo facilitate HIPAA compliance for its customers?

Convo meets the obligations required by HIPAA, HITECH, and the final HIPAA Omnibus ruling. Additionally, Convo signs BAAs with customers who must maintain HIPAA compliance.

Is there any kind of industry certification that Convo has undergone to prove it supports HIPAA compliance?

There are no official government certifications for HIPAA compliance; HHS does not certify products or vendors, and "HIPAA certified" claims by third parties carry no legal weight. To support HIPAA compliance, Convo keeps its product, policies and procedures updated to adhere to the HIPAA Security Rule's administrative, physical and technical safeguard requirements.

How does the Convo product support HIPAA compliance?

In addition to signing HIPAA Business Associate Agreements (BAAs), Convo implements the following:

  • Data encryption in transit and at rest
  • Restricted physical access to production systems
  • Strict logical system access controls
  • Reporting and audit trail of account activities on both users and content
  • Formally defined and tested breach notification policy
  • Training of employees on security policies and controls

What types of administrative controls does Convo have that are relevant to HIPAA requirements?

HIPAA compliance is a shared responsibility. In addition to the safeguards Convo operates, the following controls are ones that the customer (the "user entity") is expected to maintain on its side so that the overall control environment meets HIPAA requirements:

  • Controls to provide reasonable assurance that instructions and information provided to Convo by the customer are in accordance with the provisions of the Convo Service Agreement with the customer, or other applicable governing agreements or documents between Convo and its customers.
  • Controls to provide reasonable assurance that only authorized individuals from the user entity are granted the ability to access, modify, and delete information from Convo’s application.
  • Controls to provide reasonable assurance that the user entity’s method for accessing Convo’s application is configured with proper logical security protocols.
  • Controls to provide reasonable assurance that the confidentiality of the user entity’s sensitive information is not compromised by its users.
  • Controls to provide reasonable assurance for defining and granting access to users permitted by the user entity.
  • Controls to provide reasonable assurance that user accounts and access permissions are correctly specified on an ongoing basis, including revoking accounts.
© Convo 2020