How Invoca Secures PHI and Ensures HIPAA Compliance

What Is HIPAA?

In the United States, the Health Insurance Portability and Accountability Act (HIPAA) is aimed at providing data security and privacy protections around access, use, and disclosure of protected health information (PHI) by organizations meeting the definition of “covered entities” or “business associates.”

Enforced by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), HIPAA protections were first signed into US law in 1996 as part of a larger healthcare reform. Over the years, HHS has issued several updates and recommendations on maintaining HIPAA compliance; for instance, in December 2022 HHS issued a reminder bulletin outlining how the use of online tracking technologies relates to HIPAA.

Invoca’s Commitment to Protecting Sensitive Data

Proper handling of our customers’ protected data has always been and will continue to be a top priority at Invoca. Helping our customers understand how Invoca secures PHI and the ways Invoca can be used to maintain HIPAA compliance is important to us.

Invoca is HIPAA compliant and does not transmit PHI to third-party systems unless the customer explicitly creates such a data feed.

Business Associate Agreements and Invoca

A business associate agreement (BAA) establishes a legally binding relationship between a HIPAA-covered entity and its business associates that sets out how PHI must be protected. This type of agreement is necessary in situations where business associates can potentially access PHI during their work to support the HIPAA-covered entity.

For customers who are subject to HIPAA, Invoca offers an industry-standard BAA template that eases the process of obtaining legal review and signature. Customers who prefer their own BAA template tailored for software vendors can request that Invoca review and sign their version.

How Invoca Protects Customer Data

Healthcare customers need assurance that their technology providers treat their data with the utmost care. To maintain this trust, Invoca regularly reviews its policies, procedures, and platform security against the latest standards, ensuring that the information Invoca collects is secure and accessible only to authenticated users.

Invoca Maintains SOC 2 Type 2 Certification

SOC 2 Type 2 certification examines a service provider's internal controls and systems related to the security, availability, processing integrity, confidentiality, and privacy of data. Maintaining this certification affirms that Invoca has implemented critical controls to safeguard customer data and protect against cyber threats.

Invoca Encrypts Data at Rest and in Transit

To ensure that all covered entities using Invoca, as well as the agencies that service them, maintain HIPAA and HITECH compliance, Invoca has implemented end-to-end technological safeguards so that patient call data is secure, fully encrypted, and protected within the Invoca platform. These safeguards start with enterprise-grade access controls, including support for both two-factor authentication and single sign-on via Security Assertion Markup Language (SAML).

In addition to being encrypted at rest, Invoca data is encrypted in transit. When transmitting data to third parties and when de-identifying caller phone numbers, Invoca uses SHA-256, a one-way cryptographic hash function: the resulting digest cannot be reversed to recover the original value. SHA-2 hashing is currently in wide use and is widely considered among the most secure general-purpose hashing algorithms available.
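To make the de-identification step concrete, here is an added example (not Invoca's code) showing how a caller phone number is reduced to a SHA-256 digest. It assumes US numbers normalized to E.164 before hashing and a hex-encoded digest; both are assumptions, since the page does not specify Invoca's normalization or encoding. The optional keyed variant (HMAC-SHA256) is a common hardening shown for comparison and is not something the page attributes to Invoca.

```python
"""De-identifying caller phone numbers with SHA-256 (added example).

Assumptions not taken from the page: US numbers are normalized to E.164
before hashing, and digests are hex-encoded. The keyed (HMAC) variant is a
common hardening shown for comparison only.
"""
import hashlib
import hmac
import re
from typing import Optional


def normalize_phone(raw: str, default_country_code: str = "1") -> str:
    """Normalize a US phone number to E.164, e.g. '+18055551234'.

    Every party producing or matching digests must normalize identically;
    otherwise the same number written two ways yields two different digests.
    """
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = default_country_code + digits
    elif not (len(digits) == 11 and digits.startswith(default_country_code)):
        raise ValueError(f"unsupported phone number format: {raw!r}")
    return "+" + digits


def deidentify_phone(raw: str, key: Optional[bytes] = None) -> str:
    """Return a hex digest of the normalized number.

    Without a key this is plain SHA-256, the one-way transform the page
    describes. With a key it is HMAC-SHA256: still one-way, and a party
    without the key cannot precompute digests for candidate numbers.
    """
    data = normalize_phone(raw).encode("ascii")
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def same_caller(digest_a: str, digest_b: str) -> bool:
    """Compare two digests in constant time (no early exit on mismatch)."""
    return hmac.compare_digest(digest_a, digest_b)


if __name__ == "__main__":
    # Constructed sample inputs: one fictional number written three ways.
    samples = ["(805) 555-1234", "805.555.1234", "+1 805 555 1234"]
    digests = {deidentify_phone(s) for s in samples}
    print("all formats collapse to one digest:", len(digests) == 1)
    print("digest:", digests.pop())
```

The normalization step is what makes a hashed phone number useful as a matching key: a downstream system can only join on the digest if it hashes the number in exactly the same canonical form.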

You can find more information about Invoca’s security and compliance here.

Learn more about how Invoca secures PHI and ensures HIPAA compliance here.