HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.
Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).
We know the HIPAA industry is vast and that it is important to easily communicate while remaining HIPAA compliant.
SEE ALSO: HIPAA compliant email
This is especially true with the recent move toward remote working and the increase in cyberattacks against healthcare.
Today, we will determine if Otter.ai is HIPAA compliant or not.
About Otter.ai
Otter.ai is a California-based company that develops speech-to-text transcription and translation apps using artificial intelligence (AI) and machine learning.
RELATED: The future of machine learning and AI in healthcare security
The software displays captions for live speakers and generates written transcriptions of speeches.
In 2018, the company first partnered with Zoom to transcribe video meetings after they were held and now, in real-time as well. Today, there are several Otter.ai apps
- Live Meeting Notes
- Otter for Education
- Otter for Teams
- Live Notes for Zoom
Otter.ai and the business associate agreement
A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involves the use or disclosure of PHI.
In this instance, Otter.ai is a business associate of a healthcare organization if any stored or transmitted data includes electronic PHI (ePHI), like a name or an email address.
Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA.
There is no mention of HIPAA or a BAA on the Otter.ai website. Questions about HIPAA compliance were asked (but not answered) on Reddit and Quora.
Otter.ai and cybersecurity
According to Otter.ai’s Privacy Policy, the company utilizes physical, managerial, and technical safeguards but not for data in transit. An Otter.ai article mentions using AWS (Amazon Web Services) for data at rest.
Customers are “solely responsible” for the information they provide to Otter.ai. Additionally, the user agreement states that customers “grant Otter.ai the right to collect, process, transmit, store, use, and disclose Data.”
Finally, the Otter.ai privacy policy also that it may share personal information (e.g., PHI) with other users or vendors.
It further reiterates that customers should get permission from “co-workers, friends or other third parties before sharing Personal Information or referring them to [Otter.ai].”
Is Otter.ai HIPAA compliant?
The BAA is a key component of HIPAA compliance and Otter.ai does not appear to sign a BAA and may also share data with others.
Conclusion
Otter.ai is not HIPAA compliant.
