8×8 and HIPAA Compliance

Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: Maybe.

Recommend for your HIPAA risk management needs?: Yes. Be sure to read the notes and caveat for a couple of important points.

# of Caveats: 1 view caveats→

# of Usage Notes: 6 view notes→

Relevant Product Characteristics

This product does not appear to have been designed specifically with healthcare in mind. Note that many products that are useful and appropriate for health care professionals are not designed specifically with health care in mind.
The features and/or settings for this product are different for health care customers as compared to general customers.
- Often this means the product adjusts for health care customers in order to meet HIPAA requirements, and/or to offer features that are only useable by health care practices (e.g. Square only allows health care customers to run HSA and FSA cards.)

What Is This Product?

8×8 is a cloud-based VOIP (“Internet phone”) company that offers many options. We tested and reviewed their VOIP phone (telephone and SMS texting), internet fax, and videoconferencing options. They also offer physical phone connections through their VOIP service, and virtual routing/phone tree options, but we did not test those.

8×8 also offers a mobile app for iOS (iPhones and iPads) and Android that allows SMS, voice calls, and faxing.

Our Impressions

8×8 was highly responsive to all of our questions, and forthcoming with information and documents. When we called to cancel our test account we were connected with a human in less than a minute, and she was quite helpful.

The mobile app for iOS and Android means that 8×8 can act as a “second phone line” that allows to keep separate business and personal phone numbers without carrying two phones.

Caveats

Caveats are criticsms of the company or product that we feel are relevant to your risk management or other important considerations.

1) Quality of Service

We have received input from several members that the quality of service at 8×8 can be poor. There are some users who have reported outages of service, texts that disappear and then reappear long after the message was sent, the inability to fax certain numbers, and texts being sent to incorrect numbers.

Loss of data and messages being sent to incorrect numbers both effect a user’s ability for compliance and security.

Notes

Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.

1) Be sure to request, sign, and submit your BAA

8×8 does not automatically execute a Business Associate Agreement with you. In order to agree to the BAA, you must request one as part of the new account creation process. You will need to sign it and submit it.

2) Set faxes and voicemails to not be sent via e-mail.

By default, 8×8 sends notifications of faxes and voicemails via e-mail, and those e-mails contain attachments that contain a PDF of the fax or a sound file of the voicemail. In order to prevent the possibility of exposing PHI, we recommend you change both of those settings to only notify that a fax or message has been received. See the screenshot below for details.

3) Change certain options when using the videoconference feature to ensure privacy

There are several options that should be disabled if you are conducting telemental health sessions over 8×8’s videoconferencing system. While these can be disabled in global settings, it is your responsibility to be sure they are also disabled in each conference’s settings.

The recommended settings are:

Turn off “participants can invite” to prevent participants from inviting other participants.
Turn off the “group chat” feature, which retains a record of what is typed into a group text chat.
Turn off the “participants can see each other” unless you need this feature – in group therapy, for example.
Turn on “host required to start the meeting.”
Set the maximum number of participants to the number of clients you will have in that session.

4) Don’t view faxes in the 8×8 app on Android

If one receives a fax and, using the Android 8×8 app (or via the web interface on the phone), opens it, that fax PDF is then stored locally on the phone. This means that any other app with rights to access files on the phone can access that file too. This could be risky if your faxes contain PHI.

This isn’t as risky on iOS devices (iPhones and iPads) as files and permissions on iOS are much more tightly controlled. We recommend only viewing faxes on your desktop or on iOS devices.

5) Informed consent around e-mailing videoconference invites

By default, 8×8 sends your client(s) an unsecured email to invite them into video sessions with you. The client needs the information in this email in order to join the call with you. There may be clients with whom the emails are fine and you can let this be. That’s not an assumption you should make initially, however. It’s possible, on a client-by-client basis, to make determinations with the client as to whether or not it’s safe, legal, and ethical to let 8×8 send these emails to them. And you’ll need a plan for working around the email issue with clients who need you to do that.

Read our article on unsecure communications here for some guidance to help you decide what you need to do around unsecured communication to stay legal and ethical in your practice. It is also covered in Engaging in HIPAA Security and Digital Confidentiality as a Mental Health Professional, Module 4: Using Email, Text, Phone, and Video in a HIPAA-Compliant Manner in detail.

If you had an informed consent discussion with your client about sending e-mail invites to videoconference sessions with you and they agree this will work for them, read no further!

If, on the other hand, you had an informed consent discussion with your client and they don’t want you to send e-mails with videoconference invites in them, see the workaround below:

When you make your invite for the session, give the software your own email address instead of the client’s. That way, the invite email gets sent to you instead of to the client. The Meeting ID that the client needs to join the session will be in the email. You then send the Meeting ID to the client by your own secure means — e.g. secure text message, secure email, phone call, or whatever you’ve worked out for secure communication with your client.

6) Caller ID and Contacts

The 8×8 apps on Android, iPhones, and iPads, and the desktop application on Windows and Mac OSX all may ask for or be automatically granted access to your contacts. There isn’t anything wrong with this, but it means that clients who use your 8×8 number to contact you will appear as their full name if you have them stored as a contact on your phone or desktop. This means that you may want to be mindful of who might be able to see your phone or notifications, and what your clients’ names are in your phone.

It’s always important to also be sure your phone is hardened. For a how-to checklist for hardening practice devices, take our CE Course, How to Protect Clients and Comply with HIPAA’s Device Security Standards in One Afternoon. Our Device Security Instruction Center has step-by-step tutorials on how to secure smartphones, computers, and tablets for proper use within your practice.