What can I do to keep my IVRHQ application process HIPAA compliant?
The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by “covered entities” and their “business associates” and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes. The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use so they can assure the confidentiality, integrity, and availability of electronic protected health information.
More information is available on the official HIPAA website.
By law, the HIPAA Privacy Rule applies only to covered entities – health plans, healthcare clearinghouses, and certain health care providers. IVRHQ is not a covered entity and not a business associate.
A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
One way to remain compliant is simply not to process, store, or transmit protected health information (PHI) on IVRHQ.
Ensure that the customer application never transmits PHI over unencrypted channels including voice, SMS or DTMF.
IVRHQ recommends that customers familiarize themselves with the HIPAA requirements and security assessment procedures.
IVRHQ also recommends that customers seek guidance from their legal counsel if they have any compliance questions concerning their applications.
According to the HIPAA website, PHI is “individually identifiable health information,” which is information, including demographic data, that relates to any of the following:
The individual’s past, present or future physical or mental health or condition;
The provision of health care to the individual; or
The past, present, or future payment for the provision of health care to the individual,
and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
IVRHQ’s position is that it is not a business associate. However, IVRHQ is open to working with customers to help them meet their business needs.
What can I do to keep my IVRHQ application process PCI Compliant?
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid and ATM cards. All merchants that process credit cards must be PCI compliant.
More information is available on the official PCI website.
IVRHQ is a PCI Compliant merchant and can securely accept credit card payments for its services.
Applications built with IVRHQ are not covered under IVRHQ’s compliant status as a merchant.
IVRHQ recommends that customers seek guidance from their legal counsel for any compliance questions concerning their applications. See the questions below for further details.
According to the official PCI website, if a customer application processes, transmits or stores credit, debit or prepaid card data, then the customer is responsible for ensuring that the application is PCI compliant. Merely using IVRHQ for customer transactions does not exempt any company from PCI compliance regulations: PCI compliance obligations apply to all organizations and merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.
Many businesses have architected their applications in a PCI compliant manner while still using IVRHQ for part(s) of their workflow. The key is to avoid processing, storing and transmitting cardholder data on IVRHQ. Some techniques that customers have used are as follows:
Verifying a customer’s account using only the last few digits of the PAN via voice, SMS (short message service) or DTMF (dual-tone multi-frequency) dialing.
Ensuring that the customer application never transmits entire cardholder data over unencrypted channels including voice, SMS or DTMF.
Not retaining sensitive authentication data after authorization
For telephone operations, “sensitive authentication data” means the CAV2/CVC2/CVV2/CID and/or PIN values that may be taken during a telephone call.
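As an added illustration of the first three techniques above (example code, not IVRHQ’s own), a small DTMF handler that accepts only the last four PAN digits for account verification, discards anything that Luhn-validates as a full PAN, and masks PAN-like digit runs before a call event is written to a log. The four-digit limit, the Luhn heuristic and the sample call events are assumptions.

```python
import re
from typing import Optional

# Policy assumption: verification prompts only ever ask for the last four
# digits of the PAN; CVV/PIN (sensitive authentication data) are never requested.
LAST_DIGITS_ALLOWED = 4
PAN_LIKE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, used only to recognise a full PAN keyed by mistake."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_full_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def accept_verification_digits(dtmf: str) -> Optional[str]:
    """Return the last-four digits to compare with the account of record, or
    None when the caller keyed something the application must not keep
    (a full PAN, or the wrong number of digits) and should be re-prompted."""
    digits = re.sub(r"\D", "", dtmf)        # DTMF input may carry '*' or '#'
    if looks_like_full_pan(digits):
        return None
    if len(digits) != LAST_DIGITS_ALLOWED:
        return None
    return digits


def redact_pan(text: str) -> str:
    """Mask every PAN-like run in a transcript or log line, keeping the last four."""
    return PAN_LIKE.sub(lambda m: "*" * (len(m.group(0)) - 4) + m.group(0)[-4:], text)


# Constructed sample call events (4111... is a well-known test PAN, not a real card).
SAMPLE_EVENTS = [
    "caller keyed 1111#",
    "caller keyed 4111111111111111#",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(accept_verification_digits(line), redact_pan(line))
```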
The Payment Application Data Security Standard (PA-DSS) applies to payment processors. IVRHQ recommends that customers familiarize themselves with the PA-DSS requirements and security assessment procedures. Use of a PA-DSS compliant application by itself does not make an entity PCI DSS compliant, because the application must be implemented in conformity with the overall PA-DSS Implementation Guide.
Also, the list above is not meant to be comprehensive or replace the PCI standards and guidelines described above. Customers will need to ensure that their applications meet those guidelines. As always, IVRHQ recommends that customers seek guidance from their legal counsel if they have any compliance questions concerning their applications.
According to the PCI website, cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.
Cardholder data is the full magnetic stripe, or the PAN plus any of the following items:
Primary Account Number (PAN)
What is considered Sensitive Authentication Data (SAD)?
Full Magnetic Stripe Data
IVRHQ uses a third party (a tokenization service) to process all credit card payments. Because of this, IVRHQ does not store any customer cardholder data.