HIPAA

NICE CXone policy dictates that the company will sign a Business Associates Agreement (BAA) with business units. The BAA requires each business unit to define itself as one of the following:

  • A Covered Entity (CE)

  • A Business Associate (BA)

This definition will cover the BAA requirements within federal regulations.

Within the BAA, business units must observe the following HIPAA security safeguards:

  • Technical safeguards.

  • Training safeguards.

    • Annual security awareness.

    • Role-based HIPAA training.

  • Vendor Assessment safeguards.

    • Vendor security assessment.

    • Restricted and monitored vendor access.

  • Administrative safeguards.

    • Computer security.

    • Risk management.

    • Resiliency and incident management plans and tests.

    • Defined security and audit roles.

    • Hiring practices, including third-party background checks.

    • Non-disclosure and non-compete agreements with employees and prospective business units.

    • User audits.

    • Business associate proforma with legal staff review.

    • Dedicated security team.

NICE CXone requires vendors who bundle Protected Health Information (PHI) to sign a BAA.