How to ensure HIPAA compliance when using Nexmo's platform

Question

  • Is Nexmo HIPAA compliant?
  • Can I sent PHI using Nexmo?
  • Can I send Protected Health Information using Nexmo?

 

Answer

What is HIPAA compliance?

The Health Insurance Portability and Accountability Act (HIPAA) is a set of regulations designed to protect the privacy and security of certain health information. Within HIPAA is the Privacy Rule and Security Rule. The Privacy Rule is a set of standards for the privacy of individually identifiable health information (what should be kept private and secure). The Security Rule establishes a set of standards for protecting this health information when transferred in electronic form (how to secure health information when transmitting in electronic form).

By law, the HIPAA Privacy Rule applies only to covered entities – health plans, healthcare clearinghouses, and certain health care providers. Many healthcare providers do not carry out all their health care activities and functions themselves. The Privacy Rule does allow these covered entities to use and share information to their partners, also know as business associates. Nexmo does not consider itself to be a business associate to covered entities. Therefore, protected health information should never be transmitted through any of Nexmo’s APIs.

 

What is protected health information (PHI)?

Under HIPAA, protected health information:

  • Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse; and
  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

For more information, please refer to the HIPAA website.

 

How can I build my Nexmo application and remain in HIPAA security rule compliance?

Businesses related to and in healthcare have successfully built their communications on top of the Nexmo platform. They key factor is to avoid transmitting over the Nexmo platform protected health information (PHI) in a way which could be accessed by someone other than the patient or their clinician/healthcare organization.

For instance, rather than sending a text message which has PHI in the body, you could:

  • Store the PHI separately on your own system, and send a text message with a link to your system, as long as accessing the link requires strong authentication by the patient.
  • Call the customer using the Voice API, and do not record the call.

 

A legal reminder:

Nexmo’s services are not HIPAA-compliant, nor does Nexmo consider itself to be either a covered entity or a business associate under the HIPAA Rules.  As a provider of voice calling services, Nexmo would act under the “conduit” exception to the HIPAA Rules.

Nexmo’s SMS services facilitate the transmission of communications via an extensive network of partner providers. Nexmo is unable to monitor or enforce whether or how those communications are encrypted on these partner provider networks; Nexmo cannot control whether and how records of those communications are stored on those networks; and Nexmo cannot guarantee receipt by the intended recipient. As such, to ensure your compliance with the HIPAA Security Rule, you should avoid transmitting PHI via our SMS services.

The foregoing is provided solely as a courtesy and not as legal advice. We cannot guarantee compliance with applicable law, and strongly urge you to consult with your own licensed legal advisor with expertise in the relevant laws and regulations.

Have more questions? Submit a request