ALTUS HIPAA Compliance Policy & Statement
Use of the Altus communications services does not require the transmission of PHI or ePHI. However, we have taken steps to ensure that our services are secure and, in their default settings, compliant with the HIPAA Security Rule. The HIPAA Security Rule is “technology neutral,” meaning that compliance is not an attribute of a particular application or device, but of a system of physical, administrative and technical safeguards that together support the HIPAA-compliant use of electronic communication. Note that changing the default settings can affect this: any compliance issues arising from the end user’s selection of voicemail delivery options are the end user’s sole responsibility.
The HIPAA privacy rules now apply to both covered entities (e.g., healthcare providers and health plans) and their business associates. The final rules clarify that entities who are mere “conduits” for PHI are not required to sign Business Associate Agreements (BAAs) under the HIPAA privacy rules. Accordingly, Altus does not enter into BAAs with its customers as a matter of policy.
The final rule promulgated in January of 2013 explains that entities that transmit PHI for a covered entity are not business associates if they are not required to access the PHI on a routine basis, i.e., they are merely “conduits” of the PHI (e.g., internet service providers, phone companies, etc.). (45 CFR 160.103; 78 FR 5571; 65 FR 82476):
“Regarding what it means to have ‘access on a routine basis’ to [PHI] with respect to determining which types of data transmission services are business associates versus mere conduits, such a determination will be fact specific based on the nature of the services provided and the extent to which the entity needs access to [PHI] to perform the service for the covered entity. The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services. As we have stated in prior guidance, a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law. For example, a telecommunications company may have occasional, random access to [PHI] when it reviews whether the data transmitted over its network is arriving at its intended destination. Such occasional, random access to [PHI] would not qualify the company as a business associate.”
(78 Federal Register 5571-72).
Notwithstanding its policy with respect to BAAs, Altus recognizes the sensitive nature of certain information transmitted across its platform and treats all communications with the highest degree of care to ensure security and customer satisfaction.