CallRail helps businesses and marketers continue to close the attribution gap by tracking inbound phone calls and form submissions from the marketing sources that drove them. But with that tracking comes a great responsibility, especially in the healthcare industry.
From scheduling appointments to billing, referrals, and prescription refills, a lot of private information is communicated over the phone between patients and their healthcare provider. All of these calls are protected under the Health Insurance Portability and Accountability Act (HIPAA) and its expansion, the Health Information Technology for Economic and Clinical Health (HITECH) Act. If you’re a healthcare provider or a marketing agency that serves one, you need to ensure the data from these calls stays secure.
At CallRail, we take HIPAA compliance seriously. That’s why we’ve created an end-to-end solution for healthcare providers, ensuring that covered entities and the agencies that serve them maintain compliance with the regulations of HIPAA and HITECH, and why we sign a business associate agreement (BAA) with each of our HIPAA clients.
How CallRail keeps Protected Health Information (PHI) secure
| Protection | How it works |
| --- | --- |
| All data encrypted “in transit” | All access to CallRail is encrypted via SSL to protect data from interception at network points between the user and CallRail. |
| All data encrypted “at rest” | All call records, web visitor sessions, and call routing data are fully encrypted when stored on disk. This data is seamlessly decrypted as needed for reporting purposes when accessed by the customer. These precautions protect the data even if hard drives fail or are decommissioned or stolen. |
| Protection for external systems | CallRail prevents transmission of call details considered Protected Health Information, such as call recordings and caller ID, to external systems that are not considered compliant with HIPAA requirements, and instead provides a link that requires the user to log in to review the information. |
| Secure access | Individual users are granted their own login credentials, which can be controlled by an administrator. Login sessions automatically expire after a brief period of inactivity to prevent unauthorized access. |
| Full audit history | For HIPAA plans, all access to the application is logged by user, timestamp, and IP address. Playback of any call recording, as well as all changes to calls, tags, or configuration, is logged in the same way. |
| Dedicated, single-tenant equipment | HIPAA requires that the data owner have “hands-on” access to all equipment used for data processing. CallRail uses only dedicated hardware and does not use virtual machines on shared-tenancy hardware for customers covered by a BAA. |
| Firewalls and private network gaps | The databases, application servers, and other machines responsible for routing calls through CallRail are isolated and inaccessible from the public internet (except the web application itself, of course). This private network is protected by a pair of redundant hardware firewalls so that only expected traffic is allowed. |
Frequently asked questions
What security enhancements were made for CallRail’s healthcare plans?
Numerous changes support CallRail’s healthcare services, including:
- Full data encryption, both in transit and at rest
- Secure, encrypted recording storage
- Full access and modification audit logs
- Elimination of third-party tools to prevent disclosure of PHI
- Dedicated, redundant, single-tenant hardware for all HIPAA plans
- All machines containing PHI isolated from public internet via firewalled private network
- Session timeout enforcement for all users of HIPAA accounts
Are any additional features added for the CallRail healthcare plans?
Two security-related features are added for CallRail’s healthcare plans. First, users of HIPAA accounts will have sessions that automatically expire after a short period of inactivity. This helps protect against prying eyes when computers are left unlocked. Second, full audit trail logging is enabled to document all access and modification history.
What are the differences between a standard CallRail account and a healthcare account?
In a CallRail healthcare account:
- CallRail will enter into a Business Associate Agreement (BAA) with the covered entity or business associate
- Users will be logged out every 30 minutes
- There will be restrictions on integrations that send PHI to third parties
- Voicemail transcriptions will not be available
- Accessing the recording link will require a login. In this case, Notification Only users will need to be promoted to Client Manager or Client Reporting users so that they can log into the account to listen to call recordings
- Caller ID information for the caller won’t be included in the Call Notification email, but will be available upon logging into CallRail
- Form submission alerts received via text message won’t include any message from the lead, only the telephone number; however, this information will be available upon logging into CallRail
- Text notification emails won’t include the message, only the phone number; however, the message will be available upon logging into CallRail
Will CallRail sign a Business Associate Agreement (BAA) with my business?
Yes, CallRail will provide a BAA to cover the agreements with customers. This BAA can be enacted quickly by electronic signature.
Are any features unavailable in the CallRail healthcare plans?
It is not possible to secure a BAA with all third-party providers. Because of this, we are unable to provide voicemail transcription for customers with HIPAA compliance needs. In addition, Zapier, Google Ads Lead Form Extension, ADF, and Housecall Pro integrations would expose PHI to those systems, and so those integrations are not available for customers using the HIPAA-compliant version of CallRail.
As mentioned in the question above, alert emails are modified to ensure no PHI is included. For call alerts this means the caller’s name and phone number will not be included, and the recording link (if applicable) will require a login. Text message and lead capture alerts will primarily consist of a link back to CallRail for reviewing the content. Note that since Notification Only users cannot log in, they will only be able to see alerts about when these events happen. If these users need access to PHI, they will need to be promoted to Client Reporting users.
Will CallRail alert me if my use of the service falls under the scope of HIPAA?
No, CallRail cannot audit customers to determine if their use of the application is subject to HIPAA regulations. Knowing the regulations that apply to a particular scenario is solely the customer’s responsibility.
What protections exist if I don’t have a Business Associate Agreement (BAA) on file with CallRail?
CallRail is confident in its security, even without a BAA in place. However, use of CallRail involving PHI without a BAA in place is strictly prohibited by the Terms of Service. In that case no legal protections are afforded, which places significant financial and legal liability on the healthcare provider. In addition, the extra security measures enabled for HIPAA-compliant customers cannot be activated without a BAA and a healthcare plan.
Does CallRail maintain a BAA with any third parties?
Yes, CallRail maintains Business Associate Agreements with third-party providers of hardware equipment and infrastructure services.
Does CallRail maintain access logs to all PHI?
Yes, CallRail logs all access to the application with the logged-in user, timestamp, and their IP address. Any changes to data and configuration are logged for audit purposes as well. In the case of a suspected breach or misuse, this audit log can provide a confirmed history of access. This data is highly technical, and therefore not currently available within the application. Access to this data can be obtained by contacting Support. For complex requests, a research fee may apply.
Can I simply prevent my call tracking provider from gaining access to PHI?
A call tracking provider must handle both the source caller ID and the destination phone number in order to route a call. This data alone is enough to connect an individual to a marketing campaign or medical practice, which creates PHI. Simply hiding this data in the tool or asking that it be deleted does not absolve the call tracking provider from responsibility.