HIPAA Compliance

NUSO Customers subject to the federal regulation known as HIPAA who subscribe, or will subscribe, to NUSO telephony and fax services in order to create, receive, transmit, or maintain Protected Health Information (PHI) may request a NUSO Business Associate Agreement (BAA). The BAA describes and delineates the obligations of both NUSO and the Customer under HIPAA.

NUSO Customers can request a BAA, when needed, from their NUSO partner or their assigned NUSO Channel Account Manager. When requesting a NUSO BAA, please provide the email address of the person who will sign the BAA on behalf of the requesting NUSO Customer.

HIPAA Compliance Practices

NUSO has implemented safeguards and encryption to keep Protected Health Information safe and secure. There is no government HIPAA certification program, so no vendor can claim to be "HIPAA certified"; instead, NUSO adheres to its responsibilities under the Business Associate Agreements it signs with organizations subject to HIPAA requirements.

NUSO Customers have substantial flexibility in configuring their services. They should always consult their own counsel or consultants about their specific needs and requirements for maintaining secure communication on their own network.

The following best practices help NUSO Customers meet the terms of the BAA and maintain their own responsibilities under it. Customers should confirm each of the following settings in their NUSO Management Portal for every service they subscribe to:

Unified Communication or Hosted PBX

  1. Voice Service
    1. NUSO can deliver secure signaling (TLS) and secure voice media (SRTP).
    2. Customers must use phone models that support TLS for SIP signaling and SRTP for voice media. A handset that is configured for, or falls back to, unencrypted SIP over UDP or plain RTP exposes call setup details and call content on the network.
  2. Voicemail delivery
    1. Individual users should not allow voicemail that may contain PHI to be forwarded to email unless secure email and appropriate retention policies are in place. Once voicemail has been delivered securely from the NUSO network to the Customer, the Customer is responsible for protecting the PHI, because NUSO no longer controls it.
    2. For NUSO to remain compliant with our BAA, the Customer should receive voicemail only through the phone interface and set the voicemail retention period to match their internal safeguard policies.
  3. Fax Sending and Delivery
    1. If a Customer sends or receives faxes that include PHI, we require the use of our Secure IP Fax Service, which provides data encryption, secure delivery, and configurable retention policies.
  4. Call recording Services
    1. NUSO Call Recording is available, but the Customer's HIPAA consultant or advisor must provide the policy configuration for the system to NUSO. The Customer is responsible for defining all policies governing the storage and delivery of, and access to, the recordings. NUSO is responsible for secure storage and for implementing the policies defined by the Customer and their advisors.
  5. Retention of Call Information
    1. NUSO does not store the content of phone calls in the normal course of business. We do store and evaluate call metadata (calling and called numbers, timestamps, durations, and similar call detail records) for service troubleshooting and billing. That metadata is not correlated with the content of the call in any way.
  6. Messaging
    1. If a NUSO Customer subscribes to messaging services, they acknowledge that they will not send PHI in any text or SMS message delivered via the NUSO network. SMS and text messages are not encrypted end to end and are not a secure channel. Messages are stored in the local application and must be governed by the Customer's retention policies.

SIP Trunking Customers

  1. NUSO SIP Trunking service provides voice services over the Internet to the Customer's premises-based phone system. The Customer is responsible for the security of that system and of the information stored in it, since the system sits on the Customer's network and outside NUSO's control.
    1. NUSO delivers SIP Trunking via TLS (signaling) and SRTP (media) to protect call content in transit. The Customer's PBX must be configured to use TLS transport and SRTP on the trunk; signaling and media sent as plain SIP over UDP or plain RTP are not protected.
  2. Voicemail delivery (if subscribed)
    1. Individual users should not allow voicemail that may contain PHI to be forwarded to email unless secure email and appropriate retention policies are in place. Once voicemail has been delivered securely from the NUSO network to the Customer, the Customer is responsible for protecting the PHI, because NUSO no longer controls it.
    2. For NUSO to remain compliant with our BAA, the Customer should receive voicemail only through the phone interface and set the voicemail retention period to match their internal safeguard policies.
  3. Call recording Services
    1. NUSO Call Recording is available, but the Customer's HIPAA consultant or advisor must provide the policy configuration for the system to NUSO. The Customer is responsible for defining all policies governing the storage and delivery of, and access to, the recordings. NUSO is responsible for secure storage and for implementing the policies defined by the Customer and their advisors.
  4. Retention of Call Information
    1. NUSO does not store the content of phone calls in the normal course of business. We do store and evaluate call metadata (calling and called numbers, timestamps, durations, and similar call detail records) for service troubleshooting and billing. That metadata is not correlated with the content of the call in any way.
  5. Messaging
    1. If a NUSO Customer subscribes to messaging services, they acknowledge that they will not send PHI in any text or SMS message delivered via the NUSO network. SMS and text messages are not encrypted end to end and are not a secure channel. Messages are stored in the local application and must be governed by the Customer's retention policies.
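The TLS and SRTP requirement in the Voice Service item (Unified Communication or Hosted PBX) and in the SIP Trunking item above is a portal setting on the NUSO side, but whether a handset or PBX actually honours it is only visible on the wire. The following is an added example, not NUSO tooling and not from this page, that inspects a SIP INVITE taken from a PBX SIP trace or packet capture: it reads the transport token from the top Via header and the RTP profile and keying attributes from the SDP body, and reports any leg that is not protected. Both INVITE messages are constructed for illustration; the addresses, Call-ID, and the inline SRTP key are placeholders.

```python
"""Check a SIP INVITE for encrypted signaling (TLS) and encrypted media (SRTP).

Added example with constructed messages. It is not NUSO tooling and does not
reflect any particular handset or PBX; names and addresses are placeholders.
"""
import re
from dataclasses import dataclass, field


@dataclass
class SipCheck:
    transport: str                 # transport token from the top Via header
    media_profiles: list           # RTP profile of each m= line, e.g. "RTP/SAVP"
    crypto_suites: list            # SDES suites offered via a=crypto lines
    findings: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def parse_sip(raw: str):
    """Split a SIP message into a header dict and the SDP body lines.

    SIP separates headers from body with an empty line; line endings are CRLF
    on the wire, so normalise them first.
    """
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:          # [0] is the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    sdp = [line for line in body.split("\n") if line]
    return headers, sdp


def check_sip_invite(raw: str) -> SipCheck:
    headers, sdp = parse_sip(raw)

    # Via: SIP/2.0/TLS 192.0.2.10:5061;branch=...  -> transport token "TLS"
    via = headers.get("via", [""])[0]
    m = re.match(r"SIP/2\.0/(\w+)", via)
    transport = m.group(1).upper() if m else "UNKNOWN"

    # m=audio 49170 RTP/SAVP 0 8 101 -> third token is the RTP profile.
    # RTP/SAVP and RTP/SAVPF are SRTP; UDP/TLS/RTP/SAVP is DTLS-SRTP.
    profiles = []
    for line in sdp:
        if line.startswith("m="):
            parts = line[2:].split()
            if len(parts) >= 3:
                profiles.append(parts[2])

    # a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:<key> -> SDES keying
    suites = [line.split()[1] for line in sdp
              if line.startswith("a=crypto:") and len(line.split()) > 1]
    has_fingerprint = any(line.startswith("a=fingerprint:") for line in sdp)

    check = SipCheck(transport, profiles, suites)
    if transport != "TLS":
        check.findings.append(f"signaling transport is {transport}, not TLS")
    for profile in profiles:
        if "SAVP" not in profile:
            check.findings.append(f"media profile {profile} is plaintext RTP, not SRTP")
    if any("SAVP" in p for p in profiles) and not suites and not has_fingerprint:
        check.findings.append("SRTP profile offered without a=crypto or a=fingerprint keying")
    return check


def _invite(transport: str, port: int, profile: str, crypto: bool) -> str:
    """Build a constructed INVITE (placeholder addresses and key, not a real capture)."""
    lines = [
        "INVITE sip:+15551234567@sip.example.net SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10:{port};branch=z9hG4bK776asdhds",
        "From: <sip:clinic@192.0.2.10>;tag=1928301774",
        "To: <sip:+15551234567@sip.example.net>",
        "Call-ID: a84b4c76e66710@192.0.2.10",
        "CSeq: 314159 INVITE",
        "Content-Type: application/sdp",
        "",
        "v=0",
        "o=- 2890844526 2890844526 IN IP4 192.0.2.10",
        "s=-",
        "c=IN IP4 192.0.2.10",
        "t=0 0",
        f"m=audio 49170 {profile} 0 8 101",
    ]
    if crypto:  # placeholder inline key, not a real one
        lines.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9Cnw=")
    lines += ["a=rtpmap:0 PCMU/8000", "a=rtpmap:8 PCMA/8000"]
    return "\r\n".join(lines) + "\r\n"


SECURE_INVITE = _invite("TLS", 5061, "RTP/SAVP", crypto=True)
INSECURE_INVITE = _invite("UDP", 5060, "RTP/AVP", crypto=False)

if __name__ == "__main__":
    for label, msg in (("secure", SECURE_INVITE), ("insecure", INSECURE_INVITE)):
        result = check_sip_invite(msg)
        print(label, "OK" if result.compliant else result.findings)
```

Run it against INVITEs exported from the PBX's SIP log or a packet capture; any finding means that leg of the call is not protected in transit regardless of how the portal is configured. Note that a network capture will only show the signaling in the clear if it is taken where TLS has not yet been applied (for example from the PBX's own SIP trace), so the plaintext INVITE itself being readable from a third vantage point is already a sign that TLS is not in use.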