HIPAA Guidelines for Switchvox
March 28, 2014
This document provides a brief overview of Digium’s Switchvox Unified Communications Product, Digium’s understanding of HIPAA guidelines as applied to Unified Communications Systems, and guidance on how to best implement and configure Switchvox in an environment where HIPAA compliance is a requirement.
Is Switchvox HIPAA Certified?
As there is no official HIPAA certification process for telephony solutions, it is impossible for any vendor to say their solution (premises-based or hosted) is HIPAA certified. What a vendor can state is that, based on their understanding of the HIPAA regulations, their solution is in line with the regulation under a certain set of configuration guidelines. Digium recommends you consult with a security consultant to ensure your network, including any Digium components, is HIPAA compliant.
Switchvox is a Unified Communications solution that supports many advanced features. A number of these features, if utilized, could be in conflict with HIPAA requirements for the protection of patient information. For that reason, it is critical that customers understand the HIPAA guidelines and configure Switchvox appropriately.
Security and Controlled Access
The majority of the information provided in this document is based on Digium’s interpretation of the HIPAA regulations concerning security and controlled access. Specifically, 45 CFR § 164.530 (c) of the Privacy Rule states:
(c)(1) Standard: safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.
(2) Implementation specification: safeguards.
(i) A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.
(ii) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.
When properly configured, Switchvox has safeguards in place to limit access to:
- The administrative interface
- The user interface
- Device connectivity
- External IP Connectivity
Although security measures are available, it is up to the Network Administrator to ensure they are properly implemented and utilized. While Switchvox will alert users and administrators to some security risks, such as weak passwords, it does not prohibit their use.
Switchvox appliances have an administrative LCD and keypad that can be used to reset the admin password should it be necessary. Because anyone with physical access to the appliance can use this reset, Digium recommends that a premises-based Switchvox system be installed in a cabinet or telephony closet that can be adequately secured.
In the HIPAA Security Standard it states:
“Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.”
Based on this requirement, telephone calls via Switchvox would be considered HIPAA compliant. Some will state that VoIP is more prone to security threats than traditional telephone calls, but in general it is easier to tap a traditional PSTN line than a VoIP line.
Digium has plans to add call encryption in the future, but in order to have an encrypted call, both the calling party and the receiving party must support encryption, and it is highly unlikely that residential users will have that capability.
Digium recommends that health care providers always consider who is listening when using the telephone as the means of communication.
While HIPAA does not explicitly state that voicemail cannot be utilized, it does provide guidelines for what should be left on answering machines.
It states that minimal information should be left. As an example, the location, time, and date of an appointment are acceptable, but details of medical conditions or a specific diagnosis are not. Note that inbound voicemails may be received from labs, other providers, patients, etc., and you have no control over what information they leave. Since Switchvox does provide secure control of voicemail when properly configured, that information is considered protected and therefore compliant.
These are best practices that should be reviewed to ensure HIPAA compliance with regards to voicemail:
- Ensure that all passwords (admin and user) are strong and complex.
- Disable the ability to receive voicemail attachments via email.
- On Digium phones, configure the MSGS button to Dial Voicemail Extension so that a user must manually enter their voicemail password. (A future release of Switchvox will add the ability to require the password with the MSGS button.)
HIPAA does not provide clear guidance on call recordings within Unified Communications Systems. Since those call recordings would be stored, they would need to be password protected, which the Switchvox integrated security features will accomplish when properly configured.
Digium recommends not utilizing this feature, to eliminate any gray areas. Since scheduled Call Recording is disabled by default, no action is necessary there. However, when creating extensions, be sure that “Record Own Call” is disabled. Consult a HIPAA-knowledgeable Security Expert for additional guidance if call recording is an important or needed element of your installation.
The Switchvox IVR feature gives system administrators the ability to build complex IVRs that could potentially be used to allow access to confidential information. As Switchvox does not store information passed through an IVR (i.e., account numbers, passwords, etc.), the use of the IVR feature should meet the HIPAA requirement when properly configured.
The intent here is to provide insight into how Digium interprets the HIPAA Security standard and how it applies to Switchvox implementations, and to provide guidance on how to best configure Switchvox such that it is in line with HIPAA guidelines. As stated previously, there are no standards bodies that do HIPAA-based testing and certification of Unified Communications systems, so it is impossible for Digium or any other UC vendor to state they are HIPAA Certified.
This brief overview of Switchvox and HIPAA compliance is not intended to be an all-encompassing Switchvox configuration guide or a commitment by Digium that Switchvox is HIPAA compliant. Digium takes security and compliance seriously and recommends you consult with a Security Consultant to ensure your network, including Digium components, is HIPAA compliant.