We've been getting asked by customers and prospects about various telehealth solutions and whether they can use them in a HIPAA compliant manner.
We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.
Today we will determine if Amazon Chime is a HIPAA compliant telehealth service or not.
About Amazon Chime
Amazon Chime is a communication service developed by Amazon Web Services (AWS). It provides video conferencing, online meetings, chat, and voice call functionality. It is designed to be a secure and scalable solution for businesses, organizations, and individuals to communicate and collaborate online.
With Amazon Chime, users can hold virtual meetings with audio and video, share their screens, and collaborate on documents in real-time. The service also includes features such as chat rooms, file sharing, and integration with other productivity tools. It is available on a range of devices, including desktop computers, mobile phones, and tablets.
Amazon Chime is offered as a pay-as-you-go service, with pricing based on usage. It is also available as part of the AWS Business and Enterprise Support plans.
Amazon Chime and the business associate agreement
We’ve previously talked about how a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.
We checked the AWS site and found an article entitled, "Amazon Chime Achieves HIPAA Eligibility."
Published in 2019, it states:
Amazon Chime is now a HIPAA Eligible Service. If you have a HIPAA Business Associate Addendum (BAA) in place with AWS, you can now start using Amazon Chime for your HIPAA eligible workloads.
Notification of Enforcement Discretion
Note: With the expiration of COVID-19 related HIPAA Enforcement Discretion measures on May 11, 2023, and the subsequent 90-calendar day transition period ending on August 9, 2023, using non-compliant apps for healthcare may expose providers to penalties and privacy risks. It is crucial to evaluate current technology and procedures and transition to HIPAA compliant solutions during this period to ensure patient privacy, data security, and compliance with federal regulations.
When the pandemic first hit in March 2020, the U.S. Department of Health and Human Services (HHS) quickly announced the Notification of Enforcement Discretion, which allowed health care providers to use widely available communication apps without the risk of incurring HIPAA fines.
This notice allows health care providers to use popular applications to provide telehealth services, so long as they are “non-public facing.”
Examples of non-public facing applications include:
- Amazon Chime
- Apple FaceTime
- Doxy.me
- Facebook Messenger
- Google Hangouts video
- Google Hangouts
- iMessage
- Jabber
- Signal
- Skype
- Spruce Health Care Messenger
- Updox
- VSee
- WhatsApp
- Zoom
See also: HIPAA privacy and security guidelines as they relate to telehealth
Is Amazon Chime HIPAA compliant?
The business associate agreement is a key component to HIPAA compliance between a covered entity and a business associate.
As we noted earlier, Amazon is willing to sign a BAA with its customers for Amazon Chime.
In addition, Amazon Chime is considered by HHS as a telehealth solution that can be used in a non-public facing manner. While the HHS Notification of Enforcement Discretion is not indefinite, it would allow healthcare entities to use Amazon Chime and not be liable for HIPAA fines even if they did not offer a BAA to their customers.
Conclusion: Amazon Chime is HIPAA compliant. Make sure you get a BAA in place with AWS.
Hoala Greevy
