HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) provides standards to protect the confidentiality, integrity and availability of protected health information (PHI), including electronic protected health information (ePHI). HIPAA provides guidance for an acceptable level of protection for ePHI while giving healthcare providers access to information necessary to perform their daily business functions.
There are many considerations that a healthcare provider, or other Covered Entity (as defined in HIPAA), must meet in order to satisfy HIPAA guidelines. SightCall has been designed such that healthcare providers and other Covered Entities may use our services for video communication in a manner that is consistent with their HIPAA obligations. We do not have access to identifiable health information, and we protect and encrypt all audio, video, and screen sharing data.
How SightCall Supports HIPAA Compliance
SightCall employs the following additional safeguards to help Covered Entities meet applicable HIPAA technical standards:
Access Control
HIPAA Standard
- Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to authorized persons or software programs.
- Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
- Emergency Access Procedure: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
- Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
How SightCall Supports the Standard
- One-to-one call data is secured using strong cryptographic protocols, including the Secure Real-time Transport Protocol (SRTP) with AES-256 keys. The keys are dynamic and negotiated via DTLS for each call, so no static media key is shared across calls.
- Meeting data transmitted across the network is protected using the same mechanism for each participant.
- Multi-layered access control for staff, admin, and agents.
- Web and application access are protected by verified email address and password. Customers can also choose to use their own system and integrate through a SAML interface or ad-hoc SSO through integration with third party systems such as Salesforce, ServiceNow, Zendesk, etc.
- Meeting access is protected by a PIN code, delivered by SMS, email or a customer-specific integration.
- Meetings are not listed publicly.
- SightCall uses a redundant, distributed architecture to offer a high level of availability. In addition, SightCall performs daily backups of its data and can quickly assist the customer with restoring and accessing the data kept in SightCall’s cloud. Note that none of this data is protected health information.
- Meeting host can easily disconnect attendees or terminate sessions in progress.
- The idle timeout after which an inactive agent is disconnected is fully configurable.
Audit Controls
HIPAA Standard
- Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
How SightCall Supports the Standard
- Although SightCall does not store any protected health information, SightCall has implemented strong processes and mechanisms to control and record access to data.
- All controls are audited annually by an external auditor as part of a SOC 2 process.
Integrity
HIPAA Standard
- Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
How SightCall Supports the Standard
- Multi-layer integrity protection is in place for both the data and service layers.
- Controls are in place to protect data in motion and at rest.
Integrity Mechanism
HIPAA Standard
- Mechanism to authenticate electronic protected health information.
- Implement methods to corroborate that information has not been altered or destroyed.
How SightCall Supports the Standard
- Application executables are digitally signed.
- Web application communication is based on TLS, using certificates issued by well-known certificate authorities.
- SRTP’s per-packet authentication tag and anti-replay window cause modified or replayed packets to be rejected, protecting the integrity of the transmission.
Person or Entity Authentication
HIPAA Standard
- Verify that the person or entity seeking access is the one claimed.
How SightCall Supports the Standard
- Agent access is verified either through SightCall’s own login mechanism (verified email address and password) or through the customer’s own SAML mechanism.
- External user access is verified through a PIN code sent by SMS or email and destroyed at the end of the call.
- Access to a desktop or window for screen sharing is under the host’s control.
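The two PIN-based controls above (meeting access protected by a PIN delivered by SMS or email, and the PIN destroyed at the end of the call) can be illustrated with a small server-side PIN gate. The following is an added example, not SightCall’s code, and it assumes details the page does not state: a 6-digit PIN, a 10-minute validity window, a lockout after 5 wrong attempts, and storage of only an HMAC of the PIN so that a database read does not reveal it.

```python
"""One-time meeting PIN gate.

Added example; not SightCall's implementation. Assumptions beyond the page:
6-digit PIN, 600-second validity, 5-attempt lockout, HMAC-hashed storage.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

PIN_DIGITS = 6          # assumption: page does not state the PIN length
PIN_TTL_SECONDS = 600   # assumption: 10-minute validity window
MAX_ATTEMPTS = 5        # assumption: lock the PIN after 5 wrong guesses


@dataclass
class PinRecord:
    digest: bytes      # HMAC of meeting id + PIN; the PIN itself is never stored
    expires_at: float  # absolute time after which the PIN is no longer accepted
    attempts: int = 0  # wrong-guess counter feeding the lockout


@dataclass
class MeetingPinGate:
    """Server-side store of hashed, time-limited meeting PINs."""
    # Per-deployment secret: a dump of the records cannot be brute-forced offline
    server_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    records: Dict[str, PinRecord] = field(default_factory=dict)

    def _digest(self, meeting_id: str, pin: str) -> bytes:
        # Bind the PIN to the meeting so the same digits in two meetings differ
        msg = f"{meeting_id}:{pin}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).digest()

    def issue(self, meeting_id: str, now: Optional[float] = None) -> str:
        """Create a fresh PIN and return it once for out-of-band delivery."""
        now = time.time() if now is None else now
        pin = "".join(str(secrets.randbelow(10)) for _ in range(PIN_DIGITS))
        self.records[meeting_id] = PinRecord(
            digest=self._digest(meeting_id, pin),
            expires_at=now + PIN_TTL_SECONDS,
        )
        return pin  # caller sends this by SMS/email; only the digest is kept

    def verify(self, meeting_id: str, candidate: str,
               now: Optional[float] = None) -> bool:
        """Accept a join attempt only while the PIN is live and not locked."""
        now = time.time() if now is None else now
        rec = self.records.get(meeting_id)
        if rec is None or now >= rec.expires_at or rec.attempts >= MAX_ATTEMPTS:
            return False
        ok = hmac.compare_digest(rec.digest, self._digest(meeting_id, candidate))
        if not ok:
            rec.attempts += 1  # only wrong guesses count toward the lockout
        return ok

    def end_call(self, meeting_id: str) -> None:
        """Destroy the PIN when the call ends so it cannot be used to rejoin."""
        self.records.pop(meeting_id, None)


if __name__ == "__main__":
    gate = MeetingPinGate()
    pin = gate.issue("demo-meeting", now=0.0)
    print("verify live PIN:", gate.verify("demo-meeting", pin, now=1.0))
    gate.end_call("demo-meeting")
    print("verify after end_call:", gate.verify("demo-meeting", pin, now=1.0))
```

The comparison is done on HMAC digests with `hmac.compare_digest`, so neither the stored secret nor the timing of the check leaks the PIN; the lockout and expiry bound online guessing of a 6-digit code, and `end_call` removes the record entirely rather than flagging it, so a stale PIN cannot be resurrected.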
Transmission Security
HIPAA Standard
- Protect electronic protected health information that is being transmitted over a network.
- Integrity controls: Ensure that protected health information is not improperly modified without detection.
- Encryption: Encrypt protected health information.
How SightCall Supports the Standard
- No protected health information is stored.
- SightCall employs industry-standard Advanced Encryption Standard (AES) encryption with 256-bit keys within SRTP to protect calls.
- Web Services are protected with industry standard TLS.
Other Security and Privacy Compliance
In addition to supporting healthcare organizations in being HIPAA compliant when using SightCall, we also operate the SightCall platform with the following:
Summary
Compliance with all aspects of HIPAA is ultimately the responsibility of the Covered Entity. SightCall partners with our healthcare customers to help them implement our solutions in a manner that will assist Covered Entities in meeting their compliance obligations, including by applying industry standard encryption to the communications channels among endpoint clients and SightCall infrastructure. SightCall does not store or access Protected Health Information for a Covered Entity. These aspects, together with the power and flexibility of the SightCall platform, will allow healthcare customers to implement SightCall in a HIPAA-compliant manner.