Is Sinch HIPAA compliant?
HIPAA rules apply to “covered entities” and their “business associates.” A “covered entity” is a health plan, a clearinghouse, or a health care provider; a “business associate” is someone engaged by a covered entity to help carry out health care activities and functions that involve PHI. Both covered entities and business associates need to comply with HIPAA privacy rules.
Sinch is neither a covered entity nor a business associate, so our services and networks do not comply with HIPAA rules.
However, HHS recognizes a “conduit” exception for companies that merely transmit PHI. Under it, a Business Associate Agreement (BAA) is not necessary for “a person or organization that acts merely as a conduit for protected health information, for example the US Postal Service, certain private couriers, and their electronic equivalents.”
HHS further clarifies that “entities that act as mere conduits for the transport of PHI, but do not access the information other than on a random or infrequent basis are not seen as business associates.” We believe that Sinch falls under the “conduit” exception.
If you are either a covered entity or a business associate, we strongly encourage you to consult with legal counsel to ensure your use of our network complies with any HIPAA obligations you may have. If you are uncertain, you should avoid transmitting PHI directly over our networks in a way that could be accessed by someone other than the patient or their healthcare provider.
How can I design my applications to use the Sinch platform while maintaining HIPAA compliance?
Some techniques that our clients have used are as follows:
- Send a text message containing only a unique link (URL) to the page that holds the PHI you wish to share. Serve that page over HTTPS and, ideally, behind a secure portal that requires the user to authenticate before the page is shown
- Send generic reminders or communications that do not reveal any PHI, e.g., “It’s flu season— have you gotten your flu shot?”
- Ask the patient to contact a call center from a fixed line so their identity can be verified before any PHI is discussed
- Enable two-factor authentication on your portal, so that a text message or phone call delivers a unique, short-lived code the patient must enter before they can access their PHI
- Ensure that your application never transmits PHI over unencrypted channels, including voice, video or text. An ordinary SMS or phone call is not end-to-end encrypted and should be treated as an unencrypted channel
For more information on HIPAA privacy rules, we encourage you to visit the Department of Health and Human Services websites using the following links:
Please note that this information is provided solely as a courtesy, and constitutes a high-level summary of HIPAA, which is a complex statutory framework with numerous regulations enacted pursuant to that framework. This information is not legal advice and Sinch does not provide legal advice, or offer to interpret applicable law on behalf of its customers. Sinch strongly encourages you to seek the advice and consultation of a licensed attorney who specializes in HIPAA in order to ensure that your use of the Sinch services is in compliance with HIPAA and other applicable law.