Last updated: 11 April 2023
We’ve been getting asked by customers and prospects about various telehealth solutions and whether they can use them in a HIPAA compliant manner.
We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.
When we first wrote this post in 2017, we were unable to conclude whether Cisco Jabber was HIPAA compliant. With the onset of COVID-19, a lot has changed since then. As such, today we’ll revisit the topic: can Cisco Jabber be considered a HIPAA compliant telehealth service?
About Cisco Jabber
Jabberis a decentralized and open-standard instant messaging (IM) and presence protocol, which means that it is a system that allows users to communicate with each other in real-time using IM and presence information. Jabber is based on the Extensible Messaging and Presence Protocol (XMPP), which is an open-source protocol for messaging and presence that is designed to be extensible, meaning that it can be easily extended and customized for different use cases.
Jabber is often used as a synonym for XMPP, but it can also refer to a specific implementation of the XMPP protocol. Jabber servers are used to provide IM and presence services to users, and Jabber clients are used to connect to these servers and communicate with other users. Jabber can be used for a variety of purposes, including one-to-one messaging, group chat, and file sharing. It is available on various platforms, including desktop and mobile devices.
It’s important to note that Cisco acquired the company called Jabber (jabber.com) in 2008. The open standard Jabber (jabber.org) is a stand-alone entity.
Cisco Jabber and the business associate agreement
We’ve previously talked about how a business associate agreement (BAA) is a written contract between a covered entity and a business associate. It is required by law for HIPAA compliance.
We checked the Cisco site and found several relevant results:
After reading these links, I came away with several takeaways:
- Cisco does not make any specific claims of Jabber being a part of their BAA.
- The Business Associate Agreement PDF is geared solely toward business associates of Cisco.
- Cisco is willing to sign a BAA for Webex, but does not specifically include Jabber as being in scope.
Notification of Enforcement Discretion
Note: With the expiration of COVID-19 related HIPAA Enforcement Discretion measures on May 11, 2023, and the subsequent 90-calendar day transition period ending on August 9, 2023, using non-compliant apps for healthcare may expose providers to penalties and privacy risks. It is crucial to evaluate current technology and procedures and transition to HIPAA compliant solutions during this period to ensure patient privacy, data security, and compliance with federal regulations.
When the pandemic first hit in March 2020, the U.S. Department of Health and Human Services (HHS) quickly announced the Notification of Enforcement Discretion, which allowed health care providers to use widely available communication apps without the risk of incurring HIPAA fines.
This notice allows health care providers to use popular applications to provide telehealth services, so long as they are “non-public facing.”
Examples of non-public facing applications include:
- Amazon Chime
- Apple FaceTime
- Doxy.me
- Facebook Messenger
- Google Hangouts video
- Google Hangouts
- iMessage
- Jabber
- Signal
- Skype
- Spruce Health Care Messenger
- Updox
- VSee
- WhatsApp
- Zoom
See also: HIPAA privacy and security guidelines as they relate to telehealth
Does Cisco Jabber offer HIPAA compliant telehealth service?
The business associate agreement is a key component to HIPAA compliance between a covered entity and a business associate.
As we noted earlier, Cisco still does not publicly mention a BAA is available for Jabber.
It should be noted however, Cisco Jabber is considered by HHS as a telehealth solution that can be used in a non-public facing manner. While the HHS Notification of Enforcement Discretion is not indefinite, it currently allows healthcare entities to use Jabber and not be liable for HIPAA fines.
Conclusion: When the Notification of Enforcement Discretion expires on March 11, 2023, Cisco Jabber may no longer be HIPAA compliant.
See related: OCR issues notification of enforcement discretion for business associates in response to COVID-19 pandemic
Hoala Greevy
