42 CFR Part 2, HIPAA and other fancy regulations

@tmittelstaedt made this post, and I wanted to see if he or anyone else is open to expanding the conversation without derailing the original topic.

From my “not a lawyer, but I can Google sometimes” perspective, 42 CFR Part 2 is essentially HIPAA for entities that deal with substance abuse but aren’t technically covered by HIPAA. Both aim to protect PHI, but some legal distinctions exist because the individuals being served aren’t always classified as patients.

Not that I’d ever suggest buying anything I don’t financially benefit from, and you’ll never catch me defending Cisco UCM unless I’ve been kidnapped, but I would be surprised if Cisco isn’t compliant with all relevant regulatory requirements.

So, with that in mind, why do you think (or know) they’re not compliant? Outside of voicemails, call recordings, or maybe even CDRs (which might be a stretch), I don’t see a clear risk to PHI on either system.

If those items are the concern, it’s worth pointing out that FreePBX doesn’t encrypt data at rest out of the box, so it is technically not compliant either.

It might not always come across this way, but my goal here is to learn. I’m not a lawyer, but I do moonlight as a medical professional, and I’ve had the PHI mantras drilled into my brain just to be able to tell someone their PHI while behind a thin cloth curtain, because government.


This isn’t a technical question, this is a “is the product producer willing to SAY they are compliant” question.

According to the following:

Compliance Solution for HIPAA Security Rule At-A-Glance

The Cisco UCM products are not even included on the list of HIPAA compliance.

Webex isn’t on that list either, but Cisco maintains a separate link that says it’s compliant, here:

Webex Compliance and Certifications

However, in order for an org to have Cisco Webex be HIPAA compliant they must sign a BAA. And of course, the cost is much higher for the HIPAA-compliant version of Webex.

This is identical to Microsoft Teams, by the way. Microsoft has its own BAA you must sign, and the cost for Teams that is compliant is much higher.

Note that both Cisco and Microsoft count on “Cisco Partners” and “Microsoft Partners” to do the heavy lifting on support and deployment of these products - and most partners that do deployments of these products won’t get involved with healthcare organizations in the first place because of the additional regulations. There are partners out there who specialize ONLY in healthcare businesses, of course, but once more, they are much more expensive than the ones who don’t. There are also product producers who even specialize in tech that IS 42 CFR Part 2 compliant - but mainly for Electronic Health Record (EHR) systems. I have NOT found one yet that lists this for phone systems.

There is no legal requirement for a product producer to be HIPAA compliant or 42 CFR Part 2 compliant.

Also a provider doesn’t get to pick between compliances. You are either HIPAA-only compliant or you are both HIPAA and 42 CFR Part 2 compliant.

As I mentioned in the other post, the HIPAA encryption requirement does not apply to data that is stored entirely within the building, only data that is transmitted between entities. There is no requirement for a hospital to encrypt data that is stored on its servers as long as it’s got physical control of those servers and their storage medium.

There’s no question that a LOT of systems are TECHNICALLY HIPAA compliant. A USB thumb drive you plug into a PC, turn encryption on, save patient data to, then remove the drive, is HIPAA compliant. However, you are NOT going to be able to get PNY or SanDisk or whoever manufactured the drive to officially state the thumb drive is HIPAA compliant.

There’s also no question many systems are 42 CFR Compliant. But once more, that is meaningless to a healthcare entity unless the maker of that system is willing to make that commitment under contract.

It does NOT matter if Cisco or Microsoft advertises HIPAA or 42 CFR Part 2 compliance in its products. It ONLY matters if those companies are willing to enter into a contractual relationship with a customer that guarantees that their products are compliant. In the case of HIPAA, they are both willing to. In the case of 42 CFR Part 2, they are not willing to.

As to why that is for 42 CFR Part 2? Who the F knows. The last time I got one of those denial letters was from Adobe when I had a user who was dying to use Acrobat for some medical thing or other, and when I asked Adobe to explain their reasoning why they wouldn’t sign a BAA that included 42 CFR Part 2 - they told me to go pound sand.

That document was generated 12 years ago. I’m not sure it applies to things now.

I’m sure it does because Cisco has made it well known they want to move all their customers to Cloud Calling. They advertise HIPAA compliance for the cloud system but not for the UCM because small providers like the 6-person doctor’s office with 20 extensions do not employ a telco zealot who is a lost cause like you and I are, LOL. They employ a consultant who comes in, spends 15 minutes Googling to make sure that the most expensive system in the entire universe is HIPAA compliant, then sells them that. And they pay it because the additional cost is small potatoes.

A large firm can afford to hire a telephone guy who spends all day dealing with the UCM or whatever other on-premise phone system. And they have the call volume to save tons of money using on-premise with per-minute SIP trunks.

This is how it is with IT today. The entire point of Cloud isn’t to make tons of money off selling 10 Fortune 1000s a cloud product. That’s a risky proposition because if 1 of those customers gets POed at you and leaves, you have just taken a 10% revenue hit in that year. And those large customers have people whose entire job is extracting as much work as possible from you and beating the cost down into the ground as much as possible.

The entire point of Cloud is to make tons of money off selling 1000 20-person customers a cloud product. Then you can do what you want and treat them like dirt if you want, give them the least service for the most money. And if 1 of them gets POed and leaves, then that doesn’t even move the needle on your revenue.