HIPAA Compliance
Learn how to ensure privacy and security when using CTICloud's contact center platform
Introduction to Privacy at CTICloud
At CTICloud, we are committed to delivering exceptional contact center services while upholding the highest standards of privacy and data protection for our users. We understand the importance of balancing service quality with the need to respect and protect personal and sensitive information, especially in healthcare environments. Our privacy policies and practices are designed to give you control over your data while benefiting from the full capabilities of our platform.
Understanding HIPAA Compliance Basics
The Health Insurance Portability and Accountability Act (HIPAA) is United States legislation that provides data privacy and security provisions for safeguarding medical information. HIPAA compliance is crucial for any entity that deals with protected health information (PHI), ensuring that sensitive patient data is handled, stored, and transmitted with the highest standards of security and confidentiality.
The key concepts of HIPAA compliance include:
- Privacy Rule - Protects the privacy of individually identifiable health information
- Security Rule - Sets standards for the security of electronic protected health information (e-PHI)
- Breach Notification Rule - Requires covered entities to notify individuals, HHS, and in some cases the media of a breach of unsecured PHI, and requires business associates to notify the covered entity
Compliance with these rules is not just about adhering to legal requirements but also about building trust with your customers by demonstrating your commitment to protecting their sensitive data. By enabling HIPAA compliance features in CTICloud's contact center platform, you are taking a significant step towards aligning your operations with these HIPAA principles, ensuring that your use of technology adheres to these critical privacy and security standards.
Understanding Default Settings
By default, CTICloud records calls and stores call logs, recordings, and transcriptions. This practice is aimed at continuously improving service quality, training purposes, and ensuring compliance with quality assurance standards. However, we recognize the importance of privacy and provide options for organizations that must comply with HIPAA regulations.
HIPAA Compliance Option for Healthcare Organizations
For organizations in healthcare or those handling protected health information (PHI), CTICloud offers a HIPAA compliance mode. When enabled, it configures the platform so that PHI is not retained on CTICloud servers. It is one part of your compliance program, alongside the Business Associate Agreement and the responsibilities listed later on this page; enabling it does not by itself make your operation HIPAA compliant.
Enabling HIPAA Compliance
HIPAA compliance can be enabled at the tenant level through your CTICloud configuration. When HIPAA mode is activated, the following protections are automatically applied:
- No call recording storage - Call recordings are not retained on CTICloud servers
- No transcription storage - Call transcriptions are not stored permanently
- Minimal logging - Only essential system logs are maintained for operational purposes
- Encrypted transmission - All data in transit is encrypted using TLS 1.2 or higher
- Secure data at rest - Any temporary data is encrypted using AES-256 encryption
Configuration
HIPAA compliance is configured through the CTICloud API or dashboard:
```json
{
  "tenantId": "7001234",
  "complianceSettings": {
    "hipaaEnabled": true,
    "dataRetentionDays": 0,
    "recordingEnabled": false,
    "transcriptionStorage": false
  }
}
```
Note: The default value for `hipaaEnabled` is `false`. Organizations handling PHI must explicitly enable this setting.
HIPAA Compliant Components
When HIPAA compliance is enabled, the components in the call flow operate under the HIPAA-mode controls described above:
Voice Services
- SIP Trunking - HIPAA-compliant voice carriers
- IVR Systems - Secure interactive voice response
- Call Recording - Not retained in HIPAA mode; any transient recording data is encrypted in transit and at rest (see Limitations When HIPAA is Enabled below)
- Voice Quality Monitoring - Real-time monitoring without data retention
AI and Analytics Services (Optional)
When using AI features with PHI, processing is routed to one of the following providers; you must hold a BAA with the provider (see the FAQ below):
- Speech-to-Text (STT) - Azure Speech Services, Google Cloud Speech-to-Text
- Natural Language Processing - Azure OpenAI, Google Vertex AI, Anthropic
- Text-to-Speech (TTS) - Azure Neural Voices, Google Cloud Text-to-Speech
Integration Services
- Webhook Endpoints - TLS-encrypted callbacks with mutual authentication
- CRM Integration - Secure API connections with HIPAA-compliant CRM systems
- Data Export - Encrypted export with access controls
Where Can PHI Be Used?
Permitted PHI Usage
Protected Health Information may only be transmitted through:
- Live call audio - Voice conversations between agents and patients
- Real-time transcription (if configured) - Temporary transcription for agent assistance
- Secure webhooks - Real-time call events to your HIPAA-compliant systems
Prohibited PHI Storage
PHI must not be stored in:
- Agent notes in the platform - Store notes in your HIPAA-compliant CRM or other external system instead
- Queue configurations - Do not include PHI in queue names or descriptions
- IVR prompts - Avoid recording PHI in static IVR messages
- System metadata - Labels, tags, or custom fields should not contain PHI
- Call disposition codes - Use generic categories, not diagnostic information
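The rules above can be enforced mechanically before a configuration change reaches the platform. The following is an added example (not CTICloud's own code) of such a pre-flight check: it walks the metadata fields the rules name and rejects anything that looks like an individual identifier, and it restricts disposition codes to an allowlist of generic outcomes. The field names (`queues`, `customFields`, `ivrPrompts`, `dispositionCodes`), the allowlisted dispositions and the detection patterns are assumptions, and the patterns are heuristics: they catch structured identifiers such as an MRN or a date of birth, not free-text PHI such as a patient's name in an IVR prompt.

```python
"""Guardrail that rejects PHI-like content in platform metadata before it is
sent to CTICloud. Added example, not CTICloud's own code: the field names,
the allowlisted disposition codes and the detection patterns are assumptions."""
import re
from dataclasses import dataclass

# Heuristic detectors for identifiers that commonly appear in PHI. The ICD-10
# rule requires the dotted form (E11.9) so a short label like "Q12" is not
# flagged. These will NOT catch free-text PHI such as "Hello John, your lab
# results are ready"; they are a backstop for agent training, not a substitute.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[\s:#-]*\d{5,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b\D{0,5}\d{1,4}[/-]\d{1,2}[/-]\d{1,4}",
                      re.IGNORECASE),
    "icd10": re.compile(r"\b[A-TV-Z]\d{2}\.\d{1,4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Disposition codes are limited to generic call outcomes (assumed list), which
# turns "use generic categories, not diagnostic information" into a hard check.
ALLOWED_DISPOSITIONS = {"completed", "callback_requested", "transferred",
                        "voicemail", "no_answer", "wrong_number"}


@dataclass(frozen=True)
class Finding:
    path: str       # where the hit was found, e.g. "queues[0].description"
    detector: str   # which rule fired
    # Deliberately no excerpt: a finding must be safe to log, and the matched
    # text is exactly what must not reach a non-PHI log.


def scan_text(path, text):
    """Return one Finding per detector that matches anywhere in text."""
    return [Finding(path, name) for name, pattern in PHI_PATTERNS.items()
            if pattern.search(text)]


def check_tenant_config(config):
    """Walk every field CTICloud would store as metadata and collect findings."""
    findings = []
    for i, q in enumerate(config.get("queues", [])):
        for key in ("name", "description"):
            findings += scan_text(f"queues[{i}].{key}", str(q.get(key, "")))
        for j, tag in enumerate(q.get("tags", [])):
            findings += scan_text(f"queues[{i}].tags[{j}]", str(tag))
    for key, value in config.get("customFields", {}).items():
        findings += scan_text(f"customFields.{key}", str(value))
    for i, prompt in enumerate(config.get("ivrPrompts", [])):
        findings += scan_text(f"ivrPrompts[{i}]", str(prompt))
    for i, code in enumerate(config.get("dispositionCodes", [])):
        if code not in ALLOWED_DISPOSITIONS:
            findings.append(Finding(f"dispositionCodes[{i}]", "disposition_not_allowlisted"))
    return findings


def is_safe_to_submit(config):
    """True when no detector fired; gate your configuration pipeline on this."""
    return not check_tenant_config(config)


# Constructed sample configurations (not taken from a real tenant).
SAFE_CONFIG = {
    "queues": [{"name": "queue_healthcare", "description": "Inbound scheduling", "tags": ["tier1"]}],
    "customFields": {"campaign": "spring-reminders"},
    "ivrPrompts": ["Thank you for calling. Press 1 for scheduling."],
    "dispositionCodes": ["completed", "callback_requested"],
}
UNSAFE_CONFIG = {
    "queues": [{"name": "oncology_followup", "description": "Pt MRN 00123456 DOB 03/12/1961",
                "tags": ["E11.9"]}],
    "customFields": {"contact": "jane.doe@example.org"},
    "ivrPrompts": ["Hello John, your lab results are ready"],   # free text: NOT caught
    "dispositionCodes": ["completed", "diabetes_followup"],
}

if __name__ == "__main__":
    for name, cfg in (("safe", SAFE_CONFIG), ("unsafe", UNSAFE_CONFIG)):
        print(name, "OK" if is_safe_to_submit(cfg) else "BLOCKED")
        for f in check_tenant_config(cfg):
            print(f"  {f.path}: {f.detector}")
```

Run against the unsafe sample, the check blocks the submission on the MRN and date of birth in the queue description, the ICD-10 code used as a tag, the e-mail address in a custom field and the diagnostic disposition code, while the IVR prompt that names a patient passes silently. That gap is the point: a regex guardrail catches careless identifiers, not every sentence, so it complements the agent training the page calls for rather than replacing it.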
Data Flow and Retention
During Active Calls
When HIPAA mode is enabled:
- Voice data flows through encrypted channels
- Real-time processing occurs without persistent storage
- Call metadata includes only non-PHI information (duration, timestamps, agent ID)
- Temporary buffers are cleared immediately after call completion
After Call Completion
- Call recordings - Automatically deleted or never created
- Transcriptions - Not stored on CTICloud servers
- Call logs - Contain only non-PHI metadata (call ID, duration, queue, agent)
- CDR (Call Detail Records) - Limited to technical details without PHI content
End-of-Call Reports
An end-of-call report containing non-PHI information can be sent to your server:
```json
{
  "callId": "call_abc123",
  "startTime": "2024-01-09T10:30:00Z",
  "endTime": "2024-01-09T10:45:00Z",
  "duration": 900,
  "agentId": "agent_001",
  "queueId": "queue_healthcare",
  "disposition": "completed",
  "containedPHI": true
}
```
Network Security for HIPAA
Encryption Requirements
- In Transit: TLS 1.2+ for all API communications
- At Rest: AES-256 encryption for any cached data
- SIP/RTP: SRTP (Secure Real-time Transport Protocol) for voice
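Bringing together the end-of-call report format and the transport requirements above, the following is an added example (not CTICloud's own code) of a receiver for those reports. It terminates TLS at version 1.2 or higher and requires a client certificate, which is the receiving side of the mutual authentication the webhook section describes; it validates the body against an allowlist of the report's fields so that nothing beyond the non-PHI metadata can be stored; and it logs rejection reasons without the body, which is the error handling that avoids PHI leaks called for under Best Practices. It assumes the callback is an HTTPS POST with a JSON body and that CTICloud's callbacks present a certificate you can pin to a CA; the certificate paths are placeholders and the sample payloads are constructed for the example.

```python
"""Receiver for CTICloud end-of-call reports: TLS 1.2+ with client-certificate
authentication, an allowlisted schema, and logging that never echoes the body.
Added example, not CTICloud's own code; see the lead-in for assumptions."""
import json
import logging
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

log = logging.getLogger("eoc-webhook")

# Allowlist of fields a non-PHI report may carry, with the expected JSON type.
# Unknown fields are rejected, not stored: a payload that one day grows a
# transcript or note field must never land in the non-PHI store.
REPORT_SCHEMA = {
    "callId": str, "startTime": str, "endTime": str, "duration": int,
    "agentId": str, "queueId": str, "disposition": str, "containedPHI": bool,
}
MAX_BODY_BYTES = 4096
RECEIVED = []  # stand-in for your non-PHI data store


class ReportError(ValueError):
    """Message is safe to log: it names fields, never their values."""


def validate_report(body):
    """Parse a raw request body and return the report dict, or raise ReportError."""
    if len(body) > MAX_BODY_BYTES:
        raise ReportError("body too large")
    try:
        data = json.loads(body)
    except ValueError:
        raise ReportError("body is not valid JSON") from None
    if not isinstance(data, dict):
        raise ReportError("body is not a JSON object")
    unexpected = sorted(set(data) - set(REPORT_SCHEMA))
    if unexpected:
        raise ReportError(f"unexpected fields: {unexpected}")
    missing = sorted(set(REPORT_SCHEMA) - set(data))
    if missing:
        raise ReportError(f"missing fields: {missing}")
    for key, typ in REPORT_SCHEMA.items():
        value = data[key]
        # bool is a subclass of int in Python, so JSON true must not pass as a duration
        if (isinstance(value, bool) and typ is not bool) or not isinstance(value, typ):
            raise ReportError(f"field {key} has wrong type")
    if data["duration"] < 0:
        raise ReportError("duration must be non-negative")
    return data


def try_validate(body):
    """(ok, reason) form of validate_report, convenient for tests and metrics."""
    try:
        validate_report(body)
        return True, "ok"
    except ReportError as exc:
        return False, str(exc)


def build_server_tls_context(cert_file, key_file, client_ca_file):
    """TLS 1.2 or higher only, and the peer must present a certificate chaining
    to client_ca_file: the server half of mutual TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


class ReportHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(min(length, MAX_BODY_BYTES + 1))
        try:
            report = validate_report(body)
        except ReportError as exc:
            # Log the reason, never the body: a malformed or over-sharing
            # payload is precisely the one that might contain PHI.
            log.warning("rejected end-of-call report: %s", exc)
            self.send_error(400, "rejected")
            return
        RECEIVED.append(report)
        self.send_response(204)
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # suppress the default access log, which echoes the request line


# Constructed sample payloads (not captured from a real tenant).
SAMPLE_REPORT = (b'{"callId": "call_abc123", "startTime": "2024-01-09T10:30:00Z", '
                 b'"endTime": "2024-01-09T10:45:00Z", "duration": 900, "agentId": "agent_001", '
                 b'"queueId": "queue_healthcare", "disposition": "completed", "containedPHI": true}')
SAMPLE_LEAKY_REPORT = SAMPLE_REPORT[:-1] + b', "transcriptSnippet": "patient reports chest pain"}'

if __name__ == "__main__":  # placeholder certificate paths
    ctx = build_server_tls_context("server.pem", "server.key", "cticloud-client-ca.pem")
    srv = HTTPServer(("0.0.0.0", 8443), ReportHandler)
    srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    srv.serve_forever()
```

Two design choices matter here. The schema is an allowlist rather than a denylist, so a report that arrives with an unexpected `transcriptSnippet` field is refused outright instead of being stored with the extra field attached. And every error path logs the reason, which names fields but never values, so the rejected body itself is not copied into a log that is supposed to stay free of PHI.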
Access Controls
- Authentication: API key + tenant context required
- Authorization: Role-based access control (RBAC)
- Audit Logs: Access attempts and configuration changes logged
- IP Whitelisting: Static IP addresses for secure integration
Physical Security
CTICloud infrastructure:
- Data Centers: SOC 2 Type II certified facilities
- Geographic Controls: Data residency options available
- Redundancy: Multi-zone deployment for high availability
- Incident Response: 24/7 security monitoring
Business Associate Agreement (BAA)
CTICloud's Responsibilities
Under the BAA, CTICloud commits to:
- Implement safeguards to protect e-PHI
- Report breaches within required timeframes
- Ensure subcontractors comply with HIPAA requirements
- Make available information required for compliance audits
- Return or destroy PHI at contract termination (where applicable)
Your Responsibilities
As a covered entity or business associate, you must:
- Enable HIPAA compliance at the tenant level before handling PHI
- Configure systems properly to avoid storing PHI in prohibited locations
- Train your agents on HIPAA requirements and CTICloud features
- Use compliant third-party services for any external integrations
- Monitor and audit your use of the platform regularly
- Report incidents promptly if you suspect a breach
Requesting a BAA
To obtain a Business Associate Agreement:
- Enterprise Customers: Contact your account manager
- New Customers: Request during onboarding
- Email: [email protected]
- Documentation Required: Proof of covered entity status or upstream BAA
Best Practices
Configuration
- ✅ Enable HIPAA mode at the tenant level before going live
- ✅ Disable call recording for queues handling PHI
- ✅ Use generic queue names and labels
- ✅ Configure secure webhooks with your HIPAA-compliant backend
- ✅ Implement proper authentication for all API calls
Operational
- ✅ Train agents on what constitutes PHI
- ✅ Regularly audit system configurations
- ✅ Use role-based access controls
- ✅ Monitor access logs for unauthorized attempts
- ✅ Conduct periodic HIPAA compliance reviews
Integration
- ✅ Ensure CRM systems are HIPAA compliant
- ✅ Use encrypted connections for all integrations
- ✅ Validate webhook endpoints use HTTPS
- ✅ Implement proper error handling to avoid PHI leaks
- ✅ Test integrations in non-production environment first
Frequently Asked Questions
General Questions
Q: Will enabling HIPAA compliance affect call quality?
A: No. HIPAA compliance mode does not degrade call quality or platform performance. It only affects data retention and storage policies.
Q: Can I have both HIPAA and non-HIPAA queues?
A: Yes, but this requires careful configuration. We recommend enabling HIPAA at the tenant level to avoid accidental misconfigurations. If you need mixed environments, consider using separate tenants.
Q: What happens to existing recordings when I enable HIPAA mode?
A: Existing recordings are not automatically deleted. You must work with CTICloud support to properly handle pre-existing data according to your retention policies and HIPAA requirements.
Q: Can agents still take notes during calls?
A: Yes, but notes must be stored in your HIPAA-compliant CRM or system, not in CTICloud. Configure your agent desktop to integrate with your compliant storage solution.
Technical Questions
Q: How do I verify that HIPAA mode is enabled?
A: Check your tenant configuration via API or dashboard. The complianceSettings.hipaaEnabled field should return true.
```bash
curl -X GET "https://api.cticloud.cn/v2/tenants/7001234/compliance" \
  -H "X-CTI-ApiKey: your-api-key"
```
Q: Can I export call metadata for analytics?
A: Yes, you can export non-PHI call metadata (duration, queue times, agent performance) for analytics purposes. Ensure your export process does not include any PHI content.
Q: What about AI-powered features like sentiment analysis?
A: AI features can be used with PHI when:
- HIPAA mode is enabled
- You use one of the AI providers listed under AI and Analytics Services (Azure, Google, Anthropic)
- Processing happens in real-time without storage
- You have proper BAAs with AI providers
Compliance Questions
Q: Do I need to conduct a risk assessment?
A: Yes. As a covered entity or business associate, you are required to conduct regular risk assessments. CTICloud can provide documentation about our security measures to support your assessment.
Q: How are breaches reported?
A: CTICloud, as your business associate, will notify you of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery, as the Breach Notification Rule requires; your BAA may set a shorter window. You remain responsible for notifying affected individuals, HHS and, where applicable, the media, as required by law.
Q: What about offshore agents or data processing?
A: CTICloud supports data residency requirements. Configure your tenant to ensure data processing occurs only in compliant jurisdictions. Contact your account manager for geographic restrictions.
Limitations When HIPAA is Enabled
When HIPAA compliance mode is active, the following features are restricted:
| Feature | Standard Mode | HIPAA Mode |
|---|---|---|
| Call Recording Storage | ✅ Available | ❌ Disabled |
| Transcription Storage | ✅ Available | ❌ Disabled |
| Recording Playback in Dashboard | ✅ Available | ❌ Not Available |
| Historical Transcripts | ✅ Available | ❌ Not Available |
| Quality Monitoring Review | ✅ Full Access | ⚠️ Real-time Only |
| Speech Analytics | ✅ Stored Analytics | ⚠️ Real-time Only |
| Call Notes in Platform | ✅ Available | ❌ Use External System |
| Detailed Call History | ✅ Full Details | ⚠️ Metadata Only |
Note: Real-time features (live monitoring, whisper coaching, barge-in) remain fully functional in HIPAA mode.
Audit and Monitoring
Available Audit Logs
Even in HIPAA mode, CTICloud maintains audit logs for:
- Configuration changes - Who modified HIPAA settings and when
- Access attempts - Authentication and authorization events
- API calls - Non-PHI request/response metadata
- System events - Service status, errors, performance metrics
Accessing Audit Logs
```bash
curl -X GET "https://api.cticloud.cn/v2/audit-logs" \
  -H "X-CTI-ApiKey: your-api-key" \
  -H "X-CTI-Tenant-ID: 7001234" \
  -H "Content-Type: application/json" \
  -d '{
    "startDate": "2024-01-01",
    "endDate": "2024-01-31",
    "eventTypes": ["config_change", "access_attempt"]
  }'
```
Recommended Monitoring
- Weekly: Review access logs for unusual patterns
- Monthly: Audit configuration settings
- Quarterly: Conduct compliance review with CTICloud support
- Annually: Complete formal risk assessment
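The verification call in the FAQ and the monthly configuration audit above can be scripted rather than done by eye. The following is an added example (not CTICloud's own tooling) that checks the `complianceSettings` object returned by the compliance endpoint against the required values, and reviews audit-log events for the two things worth an alert in HIPAA mode: a configuration change that weakens any of those settings, and access from outside your static IP allowlist or a burst of failed authentications. The audit-event field names (`eventType`, `actor`, `sourceIp`, `outcome`, `changes`), the IP allowlist and the sample events are assumptions; the page does not document the audit record format.

```python
"""Monthly compliance review for a HIPAA-mode tenant: configuration drift plus
audit-log review. Added example, not CTICloud's own tooling. The expected
settings mirror the configuration block shown earlier on this page; the audit
event fields, the IP allowlist and the sample events are assumptions."""
from collections import Counter
from ipaddress import ip_address, ip_network

EXPECTED_COMPLIANCE = {
    "hipaaEnabled": True, "dataRetentionDays": 0,
    "recordingEnabled": False, "transcriptionStorage": False,
}
# Assumed static source addresses of your integration hosts (TEST-NET-3 range).
ALLOWED_SOURCES = [ip_network("203.0.113.0/24")]
FAILED_AUTH_THRESHOLD = 5


def config_drift(compliance_settings):
    """Return {setting: (expected, actual)} for every setting not as required.
    A missing key is drift too: 'not set' must never be read as compliant."""
    drift = {}
    for key, expected in EXPECTED_COMPLIANCE.items():
        actual = compliance_settings.get(key, "<missing>")
        if actual != expected:
            drift[key] = (expected, actual)
    return drift


def review_audit_events(events):
    """Flag compliance-relevant changes and suspicious access in audit events."""
    alerts = []
    failures = Counter()
    for ev in events:
        src = ev.get("sourceIp") or "unknown"
        if ev["eventType"] == "config_change":
            for key, change in ev.get("changes", {}).items():
                # Any move away from the required value is an alert, whoever made it.
                if key in EXPECTED_COMPLIANCE and change.get("to") != EXPECTED_COMPLIANCE[key]:
                    alerts.append(f"{ev['timestamp']} {ev['actor']} set {key}={change.get('to')!r} "
                                  f"(was {change.get('from')!r})")
        elif ev["eventType"] == "access_attempt":
            if src == "unknown" or not any(ip_address(src) in net for net in ALLOWED_SOURCES):
                alerts.append(f"{ev['timestamp']} {ev['outcome']} access from non-allowlisted "
                              f"{src} as {ev['actor']}")
            if ev["outcome"] == "failure":
                failures[src] += 1
    for src, count in failures.items():
        if count >= FAILED_AUTH_THRESHOLD:
            alerts.append(f"{count} failed authentication attempts from {src}")
    return alerts


def compliance_report(compliance_settings, events):
    """Combine both checks; 'compliant' is only true when nothing was flagged."""
    drift = config_drift(compliance_settings)
    alerts = review_audit_events(events)
    return {"compliant": not drift and not alerts, "drift": drift, "alerts": alerts}


# Constructed sample data (not from a real tenant).
SAMPLE_SETTINGS_DRIFTED = {"hipaaEnabled": True, "dataRetentionDays": 30, "recordingEnabled": False}
SAMPLE_EVENTS = [
    {"timestamp": "2024-01-09T09:00:00Z", "eventType": "config_change", "actor": "admin@example.org",
     "sourceIp": "203.0.113.5", "changes": {"hipaaEnabled": {"from": True, "to": False}}},
    {"timestamp": "2024-01-09T09:05:00Z", "eventType": "access_attempt", "actor": "integration-svc",
     "sourceIp": "203.0.113.9", "outcome": "success"},
    {"timestamp": "2024-01-09T11:20:00Z", "eventType": "access_attempt", "actor": "integration-svc",
     "sourceIp": "198.51.100.7", "outcome": "success"},
] + [
    {"timestamp": f"2024-01-09T13:00:{s:02d}Z", "eventType": "access_attempt", "actor": "unknown",
     "sourceIp": "203.0.113.9", "outcome": "failure"} for s in range(5)
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_SETTINGS_DRIFTED, SAMPLE_EVENTS)
    print("compliant:", report["compliant"])
    for key, (expected, actual) in report["drift"].items():
        print(f"  drift: {key} expected {expected!r}, found {actual!r}")
    for alert in report["alerts"]:
        print("  alert:", alert)
```

Feed `config_drift` the `complianceSettings` object from the compliance endpoint and `review_audit_events` the events returned by the audit-log call. On the sample data the review reports two drifted settings (a 30-day retention window and a `transcriptionStorage` key that is absent rather than `false`) and three alerts: the administrator who switched `hipaaEnabled` off, a successful API login from an address outside the allowlist, and five failed authentications from an allowlisted host. Treating a missing key as drift is deliberate: a tenant whose compliance object silently lost a field should fail the review, not pass it.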
Regional Compliance
CTICloud supports HIPAA compliance in the following regions:
| Region | HIPAA Support | Data Residency | Notes |
|---|---|---|---|
| United States | ✅ Full Support | US data centers | Primary HIPAA region |
| Canada | ✅ Full Support | Canadian data centers | Subject to PIPEDA |
| Europe | ⚠️ GDPR Primary | EU data centers | HIPAA for US entities in EU |
| China | ⚠️ Limited | China data centers | Contact support |
Incident Response
If You Suspect a Breach
- Immediately contact CTICloud security team: [email protected]
- Document what happened, when, and what data may be affected
- Preserve any relevant logs or evidence
- Do not delete or modify system configurations
- Follow your organization's incident response plan
CTICloud's Incident Response
Upon notification of a potential breach:
- Immediate assessment within 24 hours
- Investigation with dedicated security team
- Containment measures implemented
- Root cause analysis conducted
- Written report provided within required timeframes
- Remediation plan developed and executed
Need Further Assistance?
For questions about HIPAA compliance, BAA agreements, or secure configuration:
- Security Team: [email protected]
- Compliance Documentation: docs.cticloud.cn/security
- Technical Support: [email protected]
- Account Manager: Contact your dedicated CTICloud representative
Disclaimer: This document provides information about CTICloud's HIPAA compliance features. It does not constitute legal advice. Organizations must conduct their own compliance assessments and consult with legal counsel to ensure full HIPAA compliance.
Last Updated: January 2025