Convo supports HIPAA and HITECH regulations, as well as the ability to sign HIPAA Business Associate Agreements (BAAs) with customers. Convo is one of the few cloud-based enterprise communication providers that signs HIPAA BAAs, demonstrating our ongoing investment in enterprise security, compliance and control for our customers.
All U.S. based healthcare Covered Entities (CE), such as providers, insurance plans and clearinghouses, are required by law to obtain a signed BAA from any Business Associate (BA) that receives, maintains or transmits Protected Health Information (PHI) on their behalf.
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a federal mandate that requires specific security and privacy protections for Protected Health Information (PHI). More information about HIPAA can be found on the Department of Health and Human Services' website.
The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in 2009 to promote the adoption and meaningful use of health information technology in the U.S.
In 2013, the final HIPAA Omnibus rule set further statutory requirements, which greatly enhanced a patient’s privacy rights and protections, including holding all custodians of Protected Health Information (PHI) — including HIPAA Business Associates (BA) — subject to the same security and privacy rules as Covered Entities under HIPAA.
Protected Health Information (PHI) refers to demographic information, medical history, test and laboratory results, insurance information and other data that is collected by a healthcare professional to identify an individual and determine appropriate care.
A HIPAA Business Associate (BA) refers to a person or organization that conducts business with the HIPAA Covered Entity (CE) and touches the Protected Health Information (PHI) that the covered entity is stewarding on behalf of the patient.
Business Associates (BAs) include those vendors that do business with a HIPAA Covered Entity (CE). Under the HIPAA Omnibus Final Rule, any service that receives, maintains or transmits PHI on behalf of a Covered Entity is considered a Business Associate, even if the associate does not actually view the protected health information.
A Business Associate is a vendor or subcontractor who has access to PHI transmitted or stored by a covered entity. For example, if a medical clinic sends patient data through Convo, the medical clinic will be a Covered Entity and Convo will be a Business Associate.
Signing the BAA will ensure that Convo upholds its duty to safeguard and manage patient data in compliance with HIPAA. The BAA will also clearly outline what services Convo will provide and what Convo is responsible for. A BAA is necessary to complete HIPAA compliance for a Covered Entity.
The conduit exception is a narrow exception to HIPAA requirements and only covers those entities providing mere courier services, such as the U.S. Postal Service, FedEx or their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services.
The conduit exception does not apply to enterprise messaging, communication, collaboration or file storage services, even if those services encrypt or periodically delete their data. Covered Entities (CE) utilizing any of these services are required to obtain signed BAAs from each vendor.
The penalties for non-compliant texting of PHI are steep. A single violation for an unsecured communication can result in a fine of $50,000 and repeated violations can lead to millions of dollars in fines in a single year.
No. Generally, consumer messaging apps do not meet HIPAA security standard requirements and are not safe to use when communicating PHI.
Convo meets the obligations required by HIPAA, HITECH, and the final HIPAA Omnibus ruling. Additionally, Convo signs BAAs with customers who must maintain HIPAA compliance.
There are no official government or industry certifications for HIPAA compliance. In order to support HIPAA compliance, Convo keeps its product, policies and procedures updated to adhere to HIPAA security standard requirements.
In addition to signing HIPAA Business Associate Agreements (BAAs), Convo implements the following: