Guidelines for Using Ooma Enterprise in HIPAA Covered Entities

The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, applies to many organizations in the United States that provide healthcare services, including hospitals, dental practices, medical clinics and physicians’ offices.

Unified communications systems such as Ooma Enterprise should be used consistent with HIPAA requirements regarding the confidentiality and security of patient information, known under the law as Protected Health Information or PHI.

Administrators managing communications systems at healthcare providers should be aware that the U.S. Department of Health and Human Services (HHS), which enforces HIPAA, does not offer any certification program to confirm that a third-party offering – such as telecommunications services – meets HIPAA requirements. Nor does any other government agency. There are private firms that audit healthcare service providers and award their own home-grown HIPAA compliance logos – typically for a fee. But these awards are in no way a get out of jail free card.

Covered entities therefore have responsibility for maintaining the confidentiality and security of PHI, and HIPAA regulations can be complex and confusing.

Here are guidelines for using Ooma Enterprise with HIPAA compliance in mind:

• Phone calls and videoconferences. Unrecorded phone calls and videoconferences are generally not subject to HIPAA rules because no patient information is recorded.
• Recordings of voicemail messages, because they are stored on Ooma Enterprise servers without encryption, can be regarded as non-compliant if the patient talks about health issues. Messages on topics such as appointment scheduling and billing are less likely to include PHI. There are two options for using Ooma Enterprise consistent with HIPAA:
• Configure the Ooma Enterprise account to store voicemail messages on Amazon Web Services (AWS) or other third-party storage solutions, where data is encrypted.
• Set up a voicemail instructing patients not to leave protected health information in their messages and instead ask them to request a return call if they have a health issue to discuss.
• Voicemail notifications and transcriptions. Ooma Enterprise notifies users by email when a new voicemail message is received and includes an attached audio file of the message and a transcription of the message. Because email may not be secure, voicemail messages containing PHI should not be shared through email. Administrators can disable these features in Ooma Enterprise.
• Call and videoconference recording. As with voicemail messages, Ooma Enterprise does not encrypt call or videoconference recordings by default. Administrators can configure Ooma Enterprise for encrypted storage to retain call and videoconference recordings that are HIPAA compliant or can set a policy where recordings are only made for calls or meetings where no PHI is discussed. The Call Recording feature of Ooma Enterprise is turned off by default. If an organization has enabled Call Recording and wants to turn it off, Ooma customer support can disable the feature on request.
• Virtual faxing. As with voicemail messages, Ooma Enterprise does not encrypt virtual faxes, also known as electronic faxes or e-faxes, by default. Administrators can configure Ooma Enterprise for encrypted storage to retain virtual faxes in a HIPAA compliant manner or can set a policy where virtual faxes are not used to send or receive PHI. Also, administrators can use traditional analog fax machines with Ooma Enterprise because they do not store data.
• As with voice messages, Ooma Enterprise does not encrypt stored text messages by default. Administrators can configure Ooma Enterprise for encrypted storage to retain text messages or can set a policy where text messages are not used to discuss PHI. Texting is disabled by default in Ooma Enterprise. If an organization has enabled Texting and wants to turn it off, Ooma customer support can disable the feature on request.

It is important to remember that third-party service providers such as Ooma cannot guarantee HIPAA compliance within your organization. As we state in our Terms and Conditions (https://www.ooma.com/legal/terms/):

“HIPAA: You acknowledge and agree that the use of the Services are not designed, intended, or recommended for use as a repository or means by which to store ‘protected health information’, as defined under the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, and similar legislation in other jurisdictions, and the regulations promulgated pursuant thereto (such laws and regulations, ‘HIPAA’) on a non-temporary basis, and you represent and warrant that neither the Services nor any ancillary product or service that is a part thereof will be used for such purpose. OOMA SPECIFICALLY MAKES NO REPRESENTATION, WARRANTY, OR GUARANTEE THAT YOUR SERVICES, THE ACCOUNT(S), OR THE EQUIPMENT (OR THE USE OF ANY OF THE FOREGOING BY ANY PARTY) COMPLIES OR WILL COMPLY WITH HIPAA OR ANY OTHER LAW OR WILL RENDER ANY PARTY COMPLIANT WITH HIPAA OR ANY OTHER LAW.”

Contact your Ooma customer success rep if you have questions.