Compliant World-Class Collaboration
As the healthcare industry moves towards a new era of patient and employee engagement, more people are experiencing innovative ways to connect with their healthcare providers. Whether its remote video consults with doctors, messaging your provider for quick questions, or checking in on loved ones from a distance, everyone wants to know, is my data secure? At Cisco Webex, we take our customers’ data security seriously and we are dedicated to providing world-class collaboration that is simple, scalable, and designed to meet your HIPAA compliance needs.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to doctors’ offices, hospitals, health insurers, and other healthcare companies with access to patients’ protected health information (PHI).
How Do Cisco’s Webex Services Enable HIPAA Compliance?
Cisco has conducted a HIPAA self-assessment on Cisco Webex services (Teams, Meetings, Control Hub, and Webex for Developers). This self-assessment is based on a shared responsibility model where the Cisco Webex services platform is responsible for maintaining customer data including Confidentiality, Privacy, and Security. In line with the HIPAA Security Rule, Cisco implements all the addressable specifications that are relevant to Cisco Webex services. These are segmented into three safeguards – Administrative, Physical, and Technical.
Administrative
The administrative safeguard covers standards that relate to the administration for the Webex platform by Cisco such as, but not limited to, security management processes, assigning security responsibilities, ensuring workforce security, incident reporting procedures, periodic evaluations, and more. The Cisco Webex cloud security team has established formal policies, standards, and procedures relevant to the design and operations of controls over Cisco Webex services. These policies and procedures prevent unauthorized access to Webex data, ensure reporting and management of potential security issues, and protect your PHI through a contingency plan for disasters and the like.
Physical
The physical safeguard covers physical access (limited and authorized) to electronic information systems. To meet this standard, Cisco Webex services use Cisco owned data centers, co-location data centers, or Cloud Service Providers (CSP). Each data center is certified (ISO/IEC 27001:2013 certification) to ensure the location has a facility security plan, access control and validation, maintenance records, protections from power failures, and other utility disruptions. Cisco also has a Business Associate Agreement (BAA) with each CSP. Being a global platform, Cisco Webex services are hosted throughout multiple locations, ensuring the loss of a single location will not cause data or functionality loss.
Technical
The technical safeguard covers the utilization of Webex services and address standards such as access and audit controls, integrity, authentication, and transmission security. Cisco distinguishes a user’s identity between their “real identity” and their “obfuscated identity”. For each user, Cisco Webex services generate a random 128-bit universally unique identifier (UUID), which is the user’s obfuscated identity. Similarly, for enterprises, Cisco Webex services utilize a random 128-bit “organization ID” as the obfuscated identity of each enterprise. These obfuscations are then used everywhere possible such as in message routing and cloud internal inquires. Additionally, the PHI that is transmitted when using Webex services is encrypted from client devices to the Cisco Webex services cloud using Transport Layer Security (TLS), and all media in Cisco Webex services, such as voice, video, and desktop share, is transmitted using Secure Real-Time Transport Protocol (SRTP). Not only is content encrypted, but the end-to-end encryption services also helps to prevent data from being altered or destroyed in transit or at rest in an unauthorized manner. There are additional policies in place that enable user and enterprise privacy choices such as single-sign-on, directory synchronization, device permissions, proximity features, and more. For a detailed review of Cisco Webex services’ safeguard standards, please review the Cisco HIPAA compliance white paper. For access to the Cisco HIPAA self-assessment, reach out to your local account team.
Everyone has the right to data privacy. Whether you are a patient, doctor, medical staff, or insurer, the protection of personal data is critical. By enabling policies and guidelines that adhere to security, privacy, confidentiality, availability, and integrity we can enable users to safely experience a new world of healthcare, on an unprecedented scale. Users of Webex services can feel secure knowing their messaging, voice, and video data are protected.
Need a BAA?
Click here to initiate a BAA
New to Cisco?
For more information on how Cisco secures customer data across technologies,
visit the Cisco Trust Center.
Welcome to a new world of collaboration possibilities.
Learn More
Healthcare Moments that Matter
What’s New in Security and Compliance for Webex
Cisco Webex- Building and Maintaining Trust with Collaboration Administrators
Improving healthcare by accelerating digital transformation
Thanks for sharing this content.
I believe I need to have a signed BAA on file but I don’t see how to do that on your site. I am a mental health counselor and was looking to use Webex for counseling sessions. You can leave a response on thecenter110@gmail.com
I also need a BAA. Please provide information as to how one can be obtained and respond to: caryfamilypsych@gmail.com.
Thank you.
Is this a free service? How quick is this to put in place at my PT practice?
Hello Beth, If you have any questions or need help with WebEx message me at mpowell@covene.com. There are free options to consider send me an email and we can jump on a quick WebEx to review. Thank you!
I love Cisco’s generosity in this time of great need. How can I get a BAA signed for me, an individual practitioner, to meet the level of accountability required for my specific patients? What is the process? I don’t see guidance on that anywhere. I have about a dozen BAAs with other SaaS, web, and practice product providers. How do I get one with Cisco?
I have this same question! I hope Cisco responds….thank you!
Same issue. We HAVE to have a BAA. Webex broadly proclaims its compliance but gives no opportunity to enter into a BAA that I can find.
As a psychologist, I agree with the others commenting about a signed BAA. If Cisco can provide the needed BAA contracts, that could make using a Webex for the telehealth a ready option
Hi Catherine. We are working to get a public page up shortly and will post it to this blog, if you need the BAA immediately please provide your contact information and I will connect you.
Thank you Raisa. I am interested in obtaining in BAA.
Please contact me at jt@jefftrueman.com
Jeff
Hello Adriana, Did you see the link to the BAA? If you have any questions or need help with WebEx message me at mpowell@covene.com. Thank you!
I agree with others in the comment section, I/We HAVE to have a BAA between myself and Cisco/Webex. Webex broadly proclaims its compliance but gives no opportunity to enter into a BAA with its users that I can find. How do we obtain a BAA between myself and Cisco/Webex?
Hi Paul, we are working to get a public page up shortly and will post it to this blog, if you need the BAA immediately please provide your contact information and I will connect you.
Hello, I need a BAA ASAP, thank you. My contact information is sjbradley66@gmail.com. I am a new user and also a provider who needs the BAA ASAP for HIPAA Compliance. Thank you!
We need a BAA now, if that is possible. Please contact privacy@gritman.org
Thank you.
Raisa, please connect me as our provider needs a BAA for HIPAA Compliance as well. Thank you.
Contact e-mail is office@bmscti.org .
I also need a BAA for HIPAA compliance for mental health before I can use the service. Please email at trcharisse@gmail.com
I also need to have a BAA ASAP before I can use your service. Please contact me at saren@starhealing.org. Thank you!
Hi Raisa,
As a mental health counselor, I also need to have a BAA before I can use your service.
Please contact me at joanne@compassbuford.com Thank you!
Need BAA as well: incouragehealingministries@gmail.com
We need a BAA, please. Contact privacy@gritman.org
I run a small non-profit agency and need the ability to run HIPAA compliant individual and group sessions with up to 15 people at once that can all participate via video. And, I need a BAA. Are these things possible with your platform?
Can you please contact me at heidirid@gmail.com
I run a small non-profit agency and need the ability to run HIPAA compliant individual and group sessions with up to 15 people at once that can all participate via video. And, I need a BAA. Are these things possible with your platform?
I need a BAA as well. JAR.janetmitchell@gmail.com. Thank you in advance . . .
Hello, I need a BAA asap for HIPAA compliance. My contact information is Loretta.St.John@Montgomerycountymd.gov. Thank you!
I have been trying to find out how to secure a signed BAA with Cisco so I can use WebEx for sessions with patients and know that I am compliant with HIPAA. Does anyone have a link that takes me to instructions on how to accomplish this? Thanks.
Hi David, please provide your email and I will connect you.
Hi Raisa,
I also need a BAA. You can contact me at susanhuebert@counselingpro.com
Raisa, I am also in need of the BAA with Cisco. I appreciate the opportunity to use a reliable and high-quality platform in this emergency situation. I did not want to put my
email address publicly.
Hi Raisa, I’d like a BAA. Please contact me at bradley.brummett@va.gov. Thank you.
Hi Raisa, I would like a BAA. Please contact me at Bradley.Brummett[at]va.gov
I’m glad to know I’m not the only one who can’t figure out how to get a signed BAA with Webex– I just spent quite a bit of time bouncing around your help center until I thought to read the comments under this article. It does not feel respectful to promote this service to healthcare providers as HIPAA compliant, and then for Cisco to make finding the pathway so difficult.
I cannot use your service with patients without a signed BAA. Please let me know ASAP when this is available. My contact email is robyn@attunedfamilytherapy.com
Hi Raisa, can you please contact me at pearson.sarah.s2@edumail.vic.gov.au to access a BAA. Thank you, Sarah
Hello. We have an account and need BAA for HIPAA compliance. My my contact is chris@lipmantpa.com
No link to a BAA for client review?
Hi Ry, if you provide your email I can get you connected.
Raisa,
Please contact us also at keith.jones.mrpt@gmail.com as we also require a BAA for HIPAA compliance.
Thank you,
Keith
I have read the comments and I, too need a signed BAA. I do not see the public page posted yet. Please contact me at xana@backontrackcounseling.com. Thank you for taking the time to take care of this!!
I need a BAA as well. My contact info is dmelbouci@tcc4change.com. Thank you.
I also need a BAA on file but can’t find it on your site. I am planning to use this for counseling sessions. Please send to ncchristiancounselor@gmail.com
Thank you
Raisa,
Please contact me at vgonzales@hsag.com as we also require a BAA for HIPAA compliance as we conduct audit activities via Webex.
Thank you
I have just signed up for the Free level of Webex to be able to provide teletherapy during the Covid crisis. I need to have a signed BAA, is this available on the Free level? How do I access it? Also, is the Free level FERPA compliant?
My contact information is jannmorehouse2001@yahoo.com
Raisa, please connect me as our provider needs a BAA for HIPAA Compliance as well. Thank you.
Contact e-mail is RobChester97@gmail.com.
Can you tell me if Cisco Webex is approved on the CMS approved HIPAA compliant vendors list for telemed services? Thank you.
Please respond to dpage@cpnorthcountry.org
Who can I speak with concerning a question in regards to a BAA?