Advanced IVR HIPAA compliance requirements

The guidelines below must be followed whenever you create or modify a task in the IVR tool so that the task remains HIPAA compliant. As an IVR user, it is your responsibility to meet these requirements; the platform does not enforce them for you.

  • Verify or establish a line of service to connect to the IVR platform provider (Inference) secure network. All accounts that require access to HIPAA-compliant tasks must be configured on this trunk.
    • Please contact your Nextiva account executive for verification or next steps.
  • Advanced IVR provides a secure channel for capturing protected health information (PHI) and transmitting it to the relevant organization; it is not a place to keep that information. You must therefore never store PHI in the Advanced IVR platform using the datastore, table, or log nodes.
  • When assigning a phone number to your HIPAA-compliant task, you must assign a phone number that resides on the HIPAA account. 
    • It is best practice to contact the Inference customer success team to verify the assigned phone number resides on the HIPAA account.
    • An in-depth evaluation of a task can be provided by our professional services team on request, at the per-hour rates agreed in your master services agreement (MSA).
  • Always use task-level variables to capture PHI. Never use global variables for PHI or other sensitive data.
  • You may use the standard form, menu, cloud speech-to-text, or open form nodes to capture PHI from the caller; however, verbatim recording variables must not be used, because they retain the caller's spoken input.
  • When sending sensitive data to third-party CRM systems, those API calls must use secure transport (HTTPS) and authentication (Basic, OAuth, etc.). Plain HTTP or unauthenticated endpoints are not acceptable for PHI.
  • Chatbot and messaging channels are not covered by the platform's HIPAA compliance. Therefore, you must not send ePHI as part of a chatbot or messaging task.
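As an added example (this is not Nextiva or Inference code, and the platform's API node has its own configuration format), the following Python pre-flight check encodes the transport and authentication requirement for CRM integrations so a task author can test an endpoint configuration before wiring it into a task. The configuration dictionary shape, the field names (`url`, `auth_type`, `credentials`), and the sample endpoints are assumptions constructed for this example.

```python
"""Pre-flight check for an Advanced IVR -> CRM integration endpoint.

Added example only; the config layout below is an assumption for this
illustration, not the IVR platform's own API node format.
"""
import base64
from typing import Dict, List
from urllib.parse import urlparse

# Authentication schemes accepted by this check. "none" is never acceptable
# for endpoints that receive PHI.
ALLOWED_AUTH = {"basic", "bearer", "oauth2"}

# Constructed sample configurations (not real endpoints or credentials).
SAMPLE_GOOD = {
    "url": "https://crm.example.com/api/v1/patients",
    "auth_type": "basic",
    "credentials": {"username": "user", "password": "pass"},
}
SAMPLE_BAD = {
    # Plain HTTP, credentials embedded in the URL, no auth scheme configured.
    "url": "http://svc:secret@crm.example.com/api",
    "auth_type": "none",
    "credentials": {},
}


def check_endpoint(cfg: Dict) -> List[str]:
    """Return a list of violations; an empty list means the config passes."""
    problems: List[str] = []
    parsed = urlparse(cfg.get("url", ""))

    # Transport: PHI must only travel over HTTPS.
    if parsed.scheme.lower() != "https":
        problems.append(
            f"transport: scheme '{parsed.scheme or '(none)'}' is not https"
        )
    if not parsed.hostname:
        problems.append("transport: URL has no host")

    # Credentials in the URL end up in request logs and browser history;
    # they belong in an Authorization header instead.
    if parsed.username or parsed.password:
        problems.append("credentials: do not embed credentials in the URL")

    # Authentication: the call must use an accepted scheme with complete credentials.
    auth_type = (cfg.get("auth_type") or "").lower()
    creds = cfg.get("credentials") or {}
    if auth_type not in ALLOWED_AUTH:
        problems.append(
            f"auth: '{auth_type or 'none'}' is not an accepted scheme "
            f"({', '.join(sorted(ALLOWED_AUTH))})"
        )
    elif auth_type == "basic" and not (creds.get("username") and creds.get("password")):
        problems.append("auth: basic auth requires both username and password")
    elif auth_type in {"bearer", "oauth2"} and not creds.get("token"):
        problems.append("auth: bearer/oauth2 requires an access token")

    return problems


def build_auth_header(cfg: Dict) -> Dict[str, str]:
    """Build the Authorization header for a config that passed check_endpoint."""
    violations = check_endpoint(cfg)
    if violations:
        raise ValueError("endpoint config rejected: " + "; ".join(violations))
    creds = cfg["credentials"]
    if cfg["auth_type"].lower() == "basic":
        raw = f"{creds['username']}:{creds['password']}".encode("utf-8")
        return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}
    # bearer and oauth2 access tokens are both sent as Bearer tokens.
    return {"Authorization": "Bearer " + creds["token"]}


if __name__ == "__main__":
    for name, cfg in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        issues = check_endpoint(cfg)
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

The header returned by `build_auth_header` is what the API node would send alongside the HTTPS request; running the check first makes it impossible to build a request for an endpoint that fails the transport or authentication rule.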

For more information on Nextiva HIPAA Compliance, click here. 
