Learn more about Twilio and HIPAA:
1. What are the HIPAA Privacy and Security Rules? Is Twilio subject to the Rules?
A: The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes. The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use so they can assure the confidentiality, integrity, and availability of electronic protected health information.
More information is available on the official HIPAA website.
By law, the HIPAA Privacy Rule applies only to covered entities – health plans, healthcare clearinghouses, and certain health care providers. Twilio is not a covered entity, and does not consider itself a “business associate.” A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
2. How can a business architect their Twilio application workflows to be compliant with the HIPAA Privacy and Security Rules?
A: Many businesses have architected their applications in a manner that is compliant with the HIPAA Privacy and Security Rules while still using Twilio for part(s) of their workflow. One way to be compliant is not to process, store, or transmit individual protected health information (PHI) on Twilio at all. Some techniques that customers have used are as follows:
- Request Inspector should be “Disabled.” This will disable logging, however, and may make it difficult to develop applications on Twilio. A workaround is to have a separate project to debug new code and turn request inspector on for debugging, but at the same time not log any PHI to Twilio.
- HTTP Auth on Media URLs should be “Enabled,” which means customers will have to authenticate themselves to get to their recordings. This will send a username and password with every HTTP request to be able to access recordings. However, this may also require updating the source code.
- Two-factor authentication can be turned on, which will send a text message or make a phone call with a code to enter every time customers have to log into the console, or once every thirty days.
- Ensure that the customer application never transmits PHI over unencrypted channels, including voice, SMS, or DTMF. If PHI must be exchanged, an online solution or a landline implementation should be developed instead.
- The HIPAA rules for VOIP are the same as mentioned above for DTMF. When collecting PHI via VOIP, the signaling and media transmission must both occur over secured networks (TLS/IPSec and SRTP).
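As an added illustration of the last two points (not code from Twilio or this page), the guard below sits in front of an outbound SMS call: a message that looks like it carries PHI is replaced with a generic notice pointing at a secure portal, and the record returned for logging contains categories and length only, never the message text, so nothing sensitive reaches Twilio's logs or your own. The patterns, the portal wording, and the field names are constructed assumptions, not an exhaustive PHI detector.

```python
import re

# Constructed, illustrative patterns for a few common PHI identifiers.
# These are assumptions for the example and are deliberately not exhaustive.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,}\b", re.IGNORECASE),
    "health_term": re.compile(
        r"\b(diagnos\w*|prescri\w*|lab result\w*|test result\w*)\b", re.IGNORECASE
    ),
}

# Assumed wording; the portal itself is the "online solution" the text refers to.
PORTAL_NOTICE = "You have a new secure message. Sign in to the patient portal to view it."


def phi_categories(text):
    """Return the sorted list of PHI categories whose pattern matches the text."""
    return sorted(name for name, pattern in PHI_PATTERNS.items() if pattern.search(text))


def prepare_sms(body, portal_notice=PORTAL_NOTICE):
    """Decide what may be sent over SMS and what may be logged.

    Returns (body_to_send, log_record). When PHI is detected the body is
    replaced by the portal notice; the log record never contains message text.
    """
    found = phi_categories(body)
    if found:
        return portal_notice, {
            "sent": "portal_notice",
            "phi_categories": found,
            "length": len(body),
        }
    return body, {"sent": "original", "phi_categories": [], "length": len(body)}


if __name__ == "__main__":
    # Constructed sample messages: one carries PHI, one does not.
    for msg in ("Your lab results from 03/04/2021 are ready.", "Your verification code is 482913"):
        to_send, record = prepare_sms(msg)
        print(to_send, record)
```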
Twilio recommends that customers familiarize themselves with the HIPAA requirements and security assessment procedures.
Also, the list above is not meant to be comprehensive or replace the official HIPAA standards and guidelines. Customers will need to ensure that their applications meet those guidelines. As always, Twilio recommends that customers seek guidance from their legal counsel if they have any compliance questions concerning their applications. Twilio does not provide legal advice and it is up to the customer to determine how to best architect their application in order to comply with applicable law, including HIPAA and regulations relating thereto.
3. What is considered “protected health information” (PHI)?
A: According to the HIPAA website, PHI generally includes “individually identifiable health information,” which is information, including demographic data, that relates to:
- The individual’s past, present or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.
- Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
A complete list is available on the HIPAA website as well.
Please note that Twilio is providing this information only as a courtesy, and this does not constitute the provision of legal advice. This information should not be used as a substitute for obtaining legal advice from a licensed attorney with appropriate expertise and authorization to practice in your jurisdiction. Twilio is not in a position to interpret any laws, rules, or regulations on behalf of its customers or other third parties. Determinations of whether you are using Twilio as a “conduit” will be fact specific based on how you use Twilio products. You should consult with your legal advisors to ensure that your use of Twilio products is compliant with HIPAA and all other applicable laws, regulations, and requirements.