How Invoca Secures PHI and Ensures HIPAA Compliance

What Is HIPAA?

In the United States, the Health Insurance Portability and Accountability Act (HIPAA) is aimed at providing data security and privacy protections around access, use, and disclosure of protected health information (PHI) by organizations meeting the definition of “covered entities” or “business associates.”

Enforced by the Department of Health and Human Services (HHS) Office of Civil Rights (OCR), HIPAA protections were first signed into US law in 1996 as part of a larger healthcare reform. Over the years, the HHS has made several updates and recommendations for maintaining HIPAA compliance. For instance, in December 2022 the HHS issued a reminder bulletin outlining the use of online tracking as it relates to HIPAA.

Invoca’s Commitment to Protecting Sensitive Data

Proper handling of our customers’ protected data has always been and will continue to be a top priority at Invoca. Helping our customers understand how Invoca secures PHI and the ways Invoca can be used to maintain HIPAA compliance is important to us.

Invoca is HIPAA compliant and does not transmit PHI to third-party systems unless the customer explicitly creates such a data feed.

Business Associate Agreements and Invoca

A business associate agreement (BAA) establishes a legally binding relationship between HIPAA-covered entities and business associates, ensuring complete protection of PHI. This type of agreement is necessary in situations where business associates can potentially access PHI during their work to support the HIPAA-covered entity.

For customers who are subject to HIPAA, Invoca offers an industry-standard BAA template, easing the process of obtaining legal review and signature. Customers who prefer their own BAA template tailored for software vendors can request that Invoca review and sign their version.

How Invoca Protects Customer Data

Healthcare customers need assurance that their technology providers treat their data with the utmost care. To maintain this trust, Invoca regularly reviews policies, procedures, and platform security to adhere to the latest standards, ensuring the information collected by Invoca is secure and only accessible to authenticated users.

Invoca Maintains SOC 2 Type 2 Certification

SOC 2 Type 2 certification examines a service provider’s internal controls and systems related to security, availability, processing integrity, confidentiality, and privacy of data. Maintaining this certification affirms Invoca has implemented critical controls to safeguard customer data and protect against cyber threats.

Invoca Encrypts Data at Rest and in Transit

To ensure that all covered entities using Invoca, as well as the agencies that service them, maintain HIPAA and HITECH compliance, Invoca has implemented end-to-end technological safeguards to ensure patient call data is secure, fully encrypted, and protected within the Invoca platform. This starts with enterprise-grade security, with support for both two-factor authentication and Security Assertion Markup Language (SAML).

In addition to data being encrypted at rest, Invoca data is encrypted in transit. Invoca uses SHA-256 when transmitting data to third parties and to de-identify caller phone numbers. SHA-256 is a one-way hash function, meaning the result cannot be decrypted back to the original value. SHA-2 hashing is currently in wide use and is widely considered the most secure hashing algorithm in the cryptographic arena.
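The following added example (not Invoca's code) shows what hashing a caller phone number with SHA-256 involves in practice: the number has to be normalized first, or the same caller produces different digests. The E.164 normalization rule, the US default country code, the function names and the sample key are assumptions made for this illustration; the keyed HMAC variant is an optional hardening step that the page does not describe.

```python
import hashlib
import hmac
import re


def normalize_e164(raw, default_country="1"):
    """Reduce a phone-number string to E.164 (assumed canonical form)."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return "+" + digits
    if len(digits) == 10:  # national number; country code assumed
        return "+" + default_country + digits
    if len(digits) == 11 and digits.startswith(default_country):
        return "+" + digits
    raise ValueError("cannot normalize phone number: %r" % raw)


def sha256_phone(raw):
    """Unkeyed SHA-256 hex digest of the normalized number."""
    return hashlib.sha256(normalize_e164(raw).encode("ascii")).hexdigest()


def hmac_phone(raw, key):
    """Keyed digest (HMAC-SHA-256). Phone numbers are a small, structured
    input space, so where the recipient does not need to recompute the
    digest on its own, a secret key ties the digest to the sender."""
    msg = normalize_e164(raw).encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


# Constructed sample inputs: one caller written three ways.
SAMPLES = ["(805) 555-0123", "+1 805-555-0123", "1-805-555-0123"]

if __name__ == "__main__":
    key = b"constructed-demo-key"  # placeholder, not a real secret
    for s in SAMPLES:
        print(s, sha256_phone(s)[:16], hmac_phone(s, key)[:16])
```

All three spellings normalize to the same E.164 string, so they share one digest; without the normalization step each would hash differently and downstream matching would silently fail.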

You can find more information about Invoca’s security and compliance here.

Learn more about how Invoca secures PHI and ensures HIPAA compliance here.
