
Vendor-Compliant Certified Explained

Whether you work in a multi-hospital healthcare system or a private credit union, protecting patient, client and customer data is required by regulatory and industry frameworks such as HIPAA, NIST, and PCI DSS. Businesses that fail to meet compliance can even be held responsible for stolen data. This may not be news, but there is a twist that many businesses do not anticipate.

Any business that uses cloud applications to run software, transmit information, or store client data should (and in some cases must) work with voice and data vendors that are vendor compliant certified.

Compliance Basics

Compliance regulations require that healthcare and financial providers and their vendors establish three types of controls when handling customer data: administrative, physical and technical.
  • Policies and procedures are examples of administrative controls.  
  • Protecting hardware (locked server rooms, badge access, secure disposal of drives) is a physical control. 
  • Implementing data encryption, access control and audit logging is a technical control. 

Covered entities need technical vendors that offer multi-layer security frameworks, with physical and technical safeguards enforced by stringent administrative policies. Those vendors should be certified compliant and should offer a Business Associate Agreement (BAA) or an equivalent contract. As a best practice, it’s a good idea to work with vendors who offer compliant solutions like MiCloud Connect, built on Google Cloud.

Vendor-Compliant Certified

The law is clear about the responsibility of third-party vendors, including cloud providers that deliver only voice and video services, to organizations that must comply. In the case of healthcare providers, the Guidance on HIPAA & Cloud Computing states the following about third-party vendors:
  • “When a covered entity engages the services of a CSP [cloud service provider] to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA. Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate.
  • “As a result, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is...directly liable for compliance with the applicable requirements of the HIPAA Rules.
  • “If a covered entity (or business associate) uses a CSP to maintain (e.g., to process or store) electronic protected health information (ePHI) without entering into a BAA with the CSP, the covered entity (or business associate) is in violation of the HIPAA Rules.”

The bottom line: Any vendor you choose to transmit or store customer data must provide a BAA that spells out in detail each party’s responsibilities. The agreement can specify how the data will be used, stored, protected and transmitted; what will happen in case of a security breach or natural disaster; disposition of data at termination of the contract; and any other requirements or conditions the covered entity deems important.

In addition to the BAA, clients can include provisions in a Service Level Agreement (SLA) to address compliance concerns such as backup, data recovery and breach notification timelines. Use the SLA to specify the vendor’s security responsibilities.

Many regulatory agencies require that both covered entities and business associates abide by the Security Rule. Even when the client controls access to the data by encrypting it and holding the keys, the vendor is still handling regulated data and must still be compliant certified.

Mitel Connect - Vendor Compliant Certified

Mitel Connect is a certified compliant unified communications vendor enabling businesses to protect sensitive client data (on the phone, email, video, etc.) on a secure platform. Mitel MiCloud Connect is also:

  • Certified SOC 2 Compliant
  • Equipped with automatic data encryption in transit and while at rest
  • Proactively monitored with automated infrastructure scanning and end-to-end encryption

About KTS Networks

At the end of the day, anyone can install a telephone system. Our mission is to present the right voice and collaboration option and deliver everything you need to get the most out of that investment. Of course, we are here for any questions or issues, and we offer free training and virtual seminars to share what we know with you. Your confidence and expertise in managing your own unified communication system is our ultimate goal at KTS Networks.
