by markolschesky 3362 days ago
I wouldn't think that a Fax API provider would be exempt under the conduit exception of HIPAA/HITECH. You couldn't guarantee that the API vendor wasn't sniffing/storing/protecting data while transmitting the data between entities. You can read more about this exception here: http://www.hitechanswers.net/when-does-the-hipaa-conduit-exc...

You would facilitate that transfer by having both parties of business associates/covered entities enter a legally binding business associates agreement to outline how PHI would be protected.

Scrypt is a company that does faxing in the health tech space today and they sign BAAs and went through a HITRUST assessment.

EDIT:

So, maybe let me clarify what I mean about facilitating that transfer of data.

So, let's say there is:

Vendor ----> Health Care Provider

Even if you are sending data over TLS or some other encrypted protocol, the Vendor and the Health Care Provider need to have an agreement to protect patient data and which restricts what can be done with the PHI being transmitted. If you add a new party to this equation, like:

Vendor ----> Twilio ----> Health Care Provider

Even if you encrypt the data to Twilio and Twilio "promises" to not store the data and promises to encrypt the data when sending it downstream, promises aren't good enough in the eyes of HIPAA/HITECH. You need to have an agreement in place like a Business Associates Agreement in which all parties agree to protect PHI. You can read more about what these agreements commonly outline here: https://datica.com/academy/business-associate-agreements/

There are exceptions to this referred to as the "Conduit Exception" of HIPAA which were clarified in 2013. This doesn't really apply to API vendors or someone like cloudflare. It applies more to phone carriers, postal services and ISPs.

It's a complex topic, but I can keep jamming to discuss some of the nuances.


You actually can guarantee the transmission of information from one entity to another without sniffing or alteration... that is how internet transport layer security works... our API is built on those principles.

Of course there may be other caveats that I am not aware of, I don't know much about HIPAA.

EDIT:

You don't need to trust twilio (or any intermediary)... You can transmit encrypted information end-to-end without any risk that the intermediary can access it. That is the solution we've created with our API, you can see the full docs here: https://www.cipheredtrust.com/doc/

HIPAA doesn't care about the logistics of whether or not the intermediary can/cannot decrypt the data. If the intermediary touches the data and it's not exempt by the conduit exception, then there has to be a BAA in place. It's why even though FaceTime hypothetically has E2E encryption and Apple claims to not have the capability to decrypt the data, it's still inappropriate to use for patient-doctor communication due to the lack of that BAA being in place.

> HIPAA doesn't care about the logistics of whether or not the intermediary can/cannot decrypt the data. If the intermediary touches the data and it's not exempt by the conduit exception, then there has to be a BAA in place.

HIPAA cares deeply about the logistics, which is what the privacy, security, breach notification, etc. rules largely address. The logistics just don't come into play until after the determination that you are a business associate and therefore required to sign a BAA and comply with the rules.

got it.