Inference Studio HIPAA Compliance Guidelines

23 June 2020 - Version 1.3

Where you have a need to secure Protected Health Information (PHI) that is collected or used by a Studio application, Studio provides a platform for you to create HIPAA compliant tasks. The guidelines below must be followed when creating or modifying a Task within Studio that will be implemented and used as a HIPAA compliant application. As a Studio user, it is your responsibility to follow these requirements to ensure that your task is HIPAA compliant.

HIPAA Compliance Requirements:

  1. Verify or execute a Business Associate Agreement (BAA) with your service provider. Your service provider in turn will verify or execute a Business Associate Agreement with Inference. Inference has in turn executed HIPAA BAAs with third-party providers, including Google.

  2. Request telephony numbers from your service provider that are provisioned on a SIP trunk to connect to Inference’s secure network.

  3. Studio provides a secure channel to capture Protected Health Information (PHI) and transmit it to the relevant organization. Studio does not provide a mechanism to store patient information within its data center. Therefore, it is important that you never store PHI in Studio using the Datastore, Table, or Log nodes. Furthermore, you must consider this in any guidance you give callers before using features such as capturing verbatim recordings (available in the Cloud Speech to Text and Open Form nodes) or recording audio via the Record node, including where used in conjunction with the Premium QforMe recorded message feature.

  4. When assigning a phone number to your HIPAA Compliant task, you must assign a phone number that resides on the SIP trunk(s) configured for HIPAA.

    1. It is best practice to contact Inference Customer Success to verify that the assigned phone number resides on a SIP trunk connected to Inference’s secure network.

    2. An in-depth evaluation of a task can be provided by our professional services team if requested, on a fee-for-service basis.

  5. Always use Task-level variables to capture PHI. Never use global variables when capturing sensitive PHI data.

  6. You are free to use the standard Form, Menu, Cloud Speech to Text, or Open Form nodes to capture PHI data from the user; however, any verbatim recording variable cannot be used.

  7. When sending sensitive data to third-party CRM systems, those APIs must be accessed via secure transport (HTTPS) and must use authentication (Basic, OAuth, etc.).

  8. Chatbot and messaging channels are outside the scope of HIPAA. Therefore, you cannot send ePHI data as part of a chatbot or messaging task.