Lately we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. Jabber by Cisco is a provider of presence and messaging software.
We know the HIPAA industry is vast, so we can empathize with just how many people need to use cloud-based services in this sector.
UPDATE: In April 2020, in connection with the COVID-19 pandemic, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) announced the Notification of Enforcement Discretion, which allows healthcare providers to use widely available communication apps, such as [name of the app], for telehealth services without the risk of incurring HIPAA fines. For more information, check out this recent Paubox blog post.
In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:
- Amazon CloudFront
- Apple iCloud
- Citrix ShareFile
- Google Drive
- Google Forms
- Google Hangouts
- Microsoft 365
The purpose of this post is to determine whether Cisco Jabber offers HIPAA compliance.
SEE ALSO: HIPAA Breaches and Cloud Providers
Jabber is a provider of presence and messaging software.
It’s important to note that Cisco acquired the company called Jabber (jabber.com) in 2008. The open standard Jabber (jabber.org) is a stand-alone entity.
The Jabber protocol, now called XMPP, is an open standard for Instant Messaging.
Jabber and the Business Associate Agreement
We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance to ensure security and privacy.
Jabber XCP Frequently Asked Questions
We checked the Cisco Jabber site and found a page called Jabber XCP Frequently Asked Questions.
In it, Cisco points out:
Q: How secure is Jabber XCP?
A: Jabber XCP is secure enough to support compliance regulations such as the Securities Exchange Commission (SEC) and Health Insurance Portability and Accountability (HIPAA). Jabber XCP security is used and trusted by the U.S. federal government.
The page does not, however, make any mention of Cisco being willing to sign a Business Associate Agreement for use with Jabber.
The Cisco Approach to Telehealth White Paper
We also found a White Paper on Cisco’s site called The Cisco Approach to Telehealth.
It’s written in marketing speak and does not go into any detail on whether the company will actually sign a BAA with its customers.
Cisco Compliance Solution for HIPAA Security Rule Design and Implementation Guide
We next found the Cisco Compliance Solution for HIPAA Security Rule Design and Implementation Guide.
The Implementation Guide is comprehensive and overwhelmingly demonstrates Cisco’s focus on the U.S. Healthcare market.
Two issues remain, however:
- Cisco still does not mention signing a BAA.
- Jabber is not mentioned as being HIPAA compliant.
We were unable to find any other evidence on Cisco’s site that mentions it signing a BAA.
Does Cisco Jabber Offer HIPAA Compliant Service?
The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.
While Cisco is obviously focused on the U.S. Healthcare market, we were left with the impression that they do not actually sign Business Associate Agreements with their customers.
Instead, we believe Cisco has determined that it falls under the HIPAA Conduit Exception Rule.
It’s also possible we fundamentally do not understand the nature of Jabber. Perhaps it’s not a cloud-based service at all and instead must be installed on-premises. If that’s the case, a BAA from Cisco would most likely not be required.
Conclusion: We are unable to conclusively determine if Jabber is HIPAA Compliant or not. We’re also unable to determine if it’s even a cloud-based service.