SendBird is proud to announce that its chat and messaging platform is now HIPAA compliant.
That means that Health Care Providers, including Telemedicine and virtual care providers, Health Plans, Health Care Clearing Houses, and Health Communities can send protected health information (PHI) and electronic PHI securely over the SendBird messaging platform using the SendBird SDK and API. You can read the release on Associated Press.
To achieve compliance, SendBird follows the Health and Human Services (HHS) guidance set out by HITECH in 2013. We’ve created the Organizational, Administrative, Technical, and Physical safeguards required to enable covered entities to protect PHI over in-app chat and messaging. And we’ve documented policies for reporting breaches, monitoring, assessing risk, and continuously improving our information management systems.
Communication Platforms as a Service and HIPAA/HITECH
Communication Platforms as a Service (CPaaS) are a natural fit for Healthcare companies, Telemedicine, virtual care providers, or other health providers because they allow patients to communicate with healthcare providers from the convenience of their mobile device – increasing patient access and, ultimately, improving health outcomes for patients.
Currently, there are two major ways that communications platforms transmit data to and from mobile devices:
- Traditional telephony networks
- Over-the-top (OTT) using internet protocol (IP)
IP Messaging and SMS – Are they both HIPAA compliant?
Currently SMS is one of the mainstays of the CPaaS category. But since SMS uses telephony networks and cannot be encrypted, SMS is not HIPAA compliant.
IP chat and messaging, on the other hand, can be encrypted in transit and in storage. It can, therefore, comply with both HIPAA and HITECH.
As a result of this division, CPaaS businesses tend to respond to requests for HIPAA along two lines: either (1) making recommendations to avoid passing PHI over unencrypted channels and, crucially, avoiding legal liability; or (2) proactively seeking HIPAA compliance.
Twilio, for example, uses traditional telephony for many of its products and requires that businesses seeking HIPAA compliance (1) not transmit any PHI along its unencrypted channels and (2) not consider Twilio a business associate.
HITECH defines a “business associate” as an entity that provides services, functions, or activities for a covered entity that requires access to PHI. So by claiming that they do not technically receive or store PHI, Twilio claims that they do not consider themselves a “business associate” of “covered entities.” In so arguing, they exclude themselves from any liability if a HIPAA violation occurs.
To more securely serve the Healthcare market, other CPaaS companies like SendBird, especially those that use IP, are proactively seeking HIPAA compliance. More and more, Healthcare companies require communications platforms to sign Business Associate Agreements (BAA) to commit their products to compliance with HIPAA and HITECH regulations.
As the mobile, on-demand, and virtual care industry continues to grow, more IP messaging companies are showing their commitment to privacy and security by complying with HIPAA
What does a HIPAA compliant SendBird mean for your Healthcare business or app?
To help you reach patients or those seeking health care with confidence, SendBird will sign a BAA as a commitment to the protection of your business’ ePHI and to compliance with HIPAA Privacy rules. This means, for example, that doctor-to-patient chat or a group discussion among specialists can remain secure, encrypted and HIPAA compliant.
2018 closed out a strong year for SendBird privacy. In addition to working for HIPAA compliance we also achieved compliance with GDPR and ISO27001 certification. We’re targeting SOC2 compliance for early this year.