Paubox blog: HIPAA compliant email made easy

Is Otter.ai HIPAA compliant?

Written by Kapua Iao | December 29, 2022

Otter.ai develops speech-to-text transcription and translation apps using artificial intelligence (AI) and machine learning. Many healthcare organizations use such solutions to record and back up communication with employees, patients, and other healthcare providers. To do so, however, those within the healthcare industry need to work with companies that are HIPAA compliant.

In the healthcare industry, sensitive protected health information (PHI) must be safeguarded under HIPAA. A major part of this compliance is working with vendors who will sign a business associate agreement (BAA) and ensure the security of PHI. Otter.ai does not mention a BAA on its website and may not be HIPAA compliant.

 

What is Otter.ai?

Otter.ai is a California-based company that creates speech-to-text transcriptions and translations. Its software, called Otter, captions live speakers and uses AI to generate written transcripts of what was said. Today, there are several Otter.ai apps and integrations available, including:

  • OtterPilot (for Zoom, Google Meet, Microsoft Teams)
  • Chrome extension
  • Otter app for Slack
  • Otter for Dropbox

According to Otter, the idea is to have an AI assistant that records audio, writes notes, captures action items, and generates summaries.


Is Otter.ai a business associate?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates (i.e., vendors) of these covered entities. These are entities that perform certain functions or activities involving PHI on behalf of the covered entity.

A BAA is a written contract between a covered entity and a business associate. It outlines the responsibilities and obligations of each party regarding the handling of PHI. Typical provisions within a BAA include:

  • Permitted uses and disclosures of PHI
  • Safeguards for protecting PHI
  • Reporting and mitigation of security incidents
  • Compliance with HIPAA regulations
  • Dispute resolution and termination clauses

The agreement is required by law for HIPAA compliance and is the first thing to check when evaluating whether Otter.ai can be used in a HIPAA compliant way. Otter.ai is a business associate of a healthcare organization if it is transcribing, storing, processing, or transmitting PHI on that organization's behalf.


Otter.ai and the BAA

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI to a vendor only after receiving satisfactory assurance, in the form of a signed BAA, that the vendor will appropriately safeguard the information. We checked the Otter.ai website in 2022 for mention of healthcare and found no reference to HIPAA or a BAA. Questions about HIPAA compliance were asked (but not answered) on Reddit and Quora.

Today, there is still no mention of HIPAA or a BAA on the Otter.ai website. The Reddit and Quora questions were never answered completely.

 

Otter.ai and data security

Covered entities must evaluate the administrative, physical, and technical safeguards that a vendor uses to protect PHI. This applies to web-based services as much as to on-premises systems: healthcare websites and cloud services provide information, deliver services, and facilitate communication between patients and healthcare providers, and any such site or service that collects, stores, or processes PHI is subject to HIPAA.

According to Otter.ai's privacy policy, the company uses physical, managerial, and technical safeguards. Its privacy and security web page states that the company relies on AWS (Amazon Web Services) security controls for data at rest but does not make the same statement for data in transit. A covered entity evaluating the service would want an explicit statement that data in transit is also encrypted (for example, with TLS), since audio and transcripts move between the user's device and Otter.ai's servers. Other specific features mentioned by Otter.ai include access controls and data segregation.

Customers, however, are responsible for the information they provide to Otter.ai. Additionally, the user agreement states that customers “grant Otter.ai the right to collect, process, transmit, store, use, and disclose Data.”


Is Otter.ai HIPAA compliant?

The BAA is a necessary component of HIPAA compliance, and Otter.ai still does not appear to sign one. Without a signed BAA, a covered entity has no basis under the Privacy Rule for disclosing PHI to the service. Conclusion: Otter.ai may not be HIPAA compliant.

 

Understanding HIPAA compliance

Healthcare providers know that clear and efficient communication with patients is necessary to run a successful practice. When evaluating a platform’s HIPAA compliance, especially on the cloud, consider the following security needs beyond a BAA:

  • Technical safeguards: Use strong technical safeguards (encryption of PHI in transit and at rest, perimeter defenses such as firewalls, and HIPAA compliant email) to mitigate risks from hacking, malware, and other security incidents.
  • Employee training: Ensure all staff members have up-to-date knowledge of HIPAA regulations and best practices. Regular training sessions can help prevent unintentional, employee-related breaches.
  • Regular audits: Perform periodic assessments of all systems and processes to ensure that they remain compliant. Adapt to any changes in regulations or technology.
  • Data access controls: Implement stringent controls, such as multifactor authentication, on who can access PHI and under what circumstances.