Keep your patient's protected health information secure


CallRail helps businesses and marketers continue to close the attribution gap by tracking inbound phone calls and form submissions from the marketing sources that drove them. But with that tracking comes a great responsibility, especially in the healthcare industry.

From scheduling appointments to billing, referrals, and prescription refills, a lot of private information is communicated over the phone between patients and their healthcare provider. All of these calls are protected under the Health Insurance Portability and Accountability Act (HIPAA) and its expansion, the Health Information Technology for Economic and Clinical Health (HITECH) Act. If you’re a healthcare provider, or a marketing agency that services one, you need to ensure the data from these calls stays secure.

At CallRail, we take HIPAA compliance seriously. That’s why we’ve created an end-to-end solution for healthcare providers that helps covered entities, and the agencies that serve them, maintain compliance with the regulations of HIPAA and HITECH, and why we sign a business associate agreement (BAA) with each of our HIPAA clients.

How CallRail keeps Protected Health Information (PHI) secure

All data encrypted “in transit”

All access to CallRail is encrypted via SSL to protect data from interception at any network point between the user and CallRail.

All data encrypted “at rest”

All call records, web visitor sessions, and call routing data are fully encrypted when stored on disk. This data is seamlessly decrypted as needed for reporting purposes when accessed by the customer. These precautions protect the data even if hard drives fail, are decommissioned, or are stolen.

Protection for external systems

CallRail prevents the transmission of call details considered Protected Health Information, such as call recordings and caller ID, to external systems that aren't considered HIPAA compliant. Instead, those systems receive a link that requires the user to log in to review the information.
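The pattern described above, stripping PHI fields from an outbound notification and substituting a login-required review link, can be shown in a few lines. The following is an added example written for this page, not CallRail's own code or API: the field names, the integration allowlist, the review URL and the sample call record are all constructed for illustration.

```python
"""
Added illustration (not CallRail code): strip PHI from an outbound call
notification unless the destination is covered by a BAA, and replace the
stripped details with a link that requires login to review.
All field names, integration names and URLs are constructed for this example.
"""
from __future__ import annotations

import copy
from urllib.parse import urlencode

# Hypothetical: integrations with a signed BAA may receive full call details.
BAA_COVERED_DESTINATIONS = frozenset({"ehr-vendor-with-baa"})

# Hypothetical: fields treated as PHI because they identify the caller or
# carry the content of the conversation.
PHI_FIELDS = frozenset({
    "caller_number", "caller_name", "recording_url", "transcript", "voicemail_url",
})

# Constructed placeholder; the real application enforces login on this page.
REVIEW_BASE = "https://app.example.invalid/calls/review"


def build_review_link(call_id: str) -> str:
    """Link to the authenticated call view. The link itself carries no PHI;
    access control happens when the user logs in to the application."""
    return f"{REVIEW_BASE}?{urlencode({'call_id': call_id})}"


def payload_for_destination(call: dict, destination: str) -> dict:
    """Return the notification payload permitted for `destination`.

    BAA-covered destinations get the full record. Any other destination gets
    only the non-PHI metadata (source, duration, tracking number) plus a
    login-required review link.
    """
    if destination in BAA_COVERED_DESTINATIONS:
        return copy.deepcopy(call)
    safe = {k: v for k, v in call.items() if k not in PHI_FIELDS}
    safe["review_url"] = build_review_link(call["call_id"])
    safe["phi_redacted"] = True
    return safe


def leaks_phi(payload: dict) -> bool:
    """Last-line check before any outbound send: does the payload still carry PHI?
    Fail closed if this returns True for a non-BAA destination."""
    return any(field in payload for field in PHI_FIELDS)


# Constructed sample call record (no real data).
SAMPLE_CALL = {
    "call_id": "call-0001",
    "started_at": "2024-01-15T14:03:22Z",
    "duration_seconds": 312,
    "tracking_number": "+15550100200",
    "source": "google-ads",
    "caller_number": "+15550100999",
    "caller_name": "J. Doe",
    "recording_url": "https://recordings.example.invalid/call-0001.mp3",
    "transcript": "Hi, I need to refill my prescription ...",
}

if __name__ == "__main__":
    for dest in ("generic-crm-webhook", "ehr-vendor-with-baa"):
        p = payload_for_destination(SAMPLE_CALL, dest)
        print(dest, "PHI present:", leaks_phi(p), sorted(p))
```

The design choice worth noting is that the redacted payload keeps the attribution data a marketer needs (source, tracking number, duration) while the identifying and content fields are replaced by a link whose protection comes from the application's login, not from the link being hard to guess. The `leaks_phi` check is a separate guard so that a new PHI field added to the record cannot silently reach an uncovered destination.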

Secure access

Individual users are granted their own login credentials, which can be controlled by an administrator. Login sessions automatically expire after a brief period of inactivity to prevent unauthorized access.

Full audit history

For HIPAA plans, all access to the application is logged by user, timestamp, and IP address. Playback of any call recording, as well as all changes to calls, tags, or configuration, is logged the same way.

Dedicated, single-tenant equipment

HIPAA requires that the data owner have “hands on” access to all equipment used for data processing. CallRail uses only dedicated hardware, and does not make use of virtual machines on shared-tenancy hardware, for customers covered by a BAA.

Firewalls and private network gaps

The databases, application servers, and other machines responsible for routing calls through CallRail are isolated and inaccessible from the public internet (except the web application itself, of course). This private network is protected by a pair of redundant hardware firewalls to ensure that only expected traffic is allowed.