This isn’t a technical question, this is a “is the product producer willing to SAY they are compliant” question.
According to the following:
Compliance Solution for HIPAA Security Rule At-A-Glance
The Cisco UCM products are not even included on the list of HIPAA compliance.
Webex isn’t on that list either, but Cisco maintains a separate link that says it’s compliant, here:
Webex Compliance and Certifications
However, in order for an org to have Cisco Webex be HIPAA compliant they must sign a BAA. And of course, the cost is much higher for the HIPAA-compliant version of Webex.
This is identical to Microsoft Teams, by the way. Microsoft has its own BAA you must sign, and the cost for Teams that is compliant is much higher.
Note that both Cisco and Microsoft count on “Cisco Partners” and “Microsoft Partners” to do the heavy lifting on support and deployment of these products - and most partners that do deployments of these products won’t get involved with healthcare organizations in the first place because of the additional regulations. There are partners out there who specialize ONLY in healthcare businesses, of course, but once more, they are much more expensive than the ones who don’t. There are also product producers who even specialize in tech that IS 42 CFR Part 2 compliant - but mainly for Electronic Health Record (EHR) systems. I have NOT found one yet that lists this for phone systems.
There is no legal requirement for a product producer to be HIPAA compliant or 42 CFR Part 2 compliant.
Also a provider doesn’t get to pick between compliances. You are either HIPAA-only compliant or you are both HIPAA and 42 CFR Part 2 compliant.
As I mentioned in the other post the HIPAA encryption requirement does not apply to data that is stored entirely within the building, only data that is transmitted between entities. There is no requirement for a hospital to encrypt data that is stored on its servers as long as it’s got physical control of those servers and their storage medium.
There’s no question that a LOT of systems are TECHNICALLY HIPAA compliant. A USB thumb drive you plug into a PC, turn encryption on, then save patient data to it, then remove the drive, is HIPAA compliant. However, you are NOT going to be able to get PNY or SanDisk or whoever manufactured the drive to officially state the thumb drive is HIPAA compliant.
There’s also no question many systems are 42 CFR Compliant. But once more, that is meaningless to a healthcare entity unless the maker of that system is willing to make that commitment under contract.
It does NOT matter if Cisco or Microsoft advertises HIPAA or 42 CFR Part 2 compliancy in its products. It ONLY matters if those companies are willing to enter into a contractual relationship with a customer that guarantees that their products are compliant. In the case of HIPAA, they are both willing to. In the case of 42 CFR Part 2, they are not willing to.
As to why that is for 42 CFR Part 2? Who the F knows. The last time I got one of those denial letters was from Adobe when I had a user who was dying to use Acrobat for some medical thing or other, and when I asked Adobe to explain their reasoning why they wouldn’t sign a BAA that included 42 CFR Part 2 - they told me to go pound sand.