- Status
Just as an update, as of now I'm considering migrating over to Netsapien just for the fact that they will handle the Hipaa requirements, is this my only solution or is there a way to be HIPAA compliant with Fusion?
Personally I love fusion better because of the flexibility, but this Hipaa thing is driving me crazy and I lost a few customer becuase of not being compliant, can anyone shed some light to this topic?
Personally I love fusion better because of the flexibility, but this Hipaa thing is driving me crazy and I lost a few customer becuase of not being compliant, can anyone shed some light to this topic?
I'm not exactly sure what HIPAA is, I guess it's like a US version of the UKs General Data Protection Regulations (GDPR).
We have has a good number of customers asking: "are you X compliant?" or "are you Y compliant" and I know that they do not really understand what it is they are asking. It's like they want to use the latest buzz words.
There was a big panic in the UK in 2018 when the GDPR regulation came in, but after talking at length with the Information Commissioner's Office, I realised that most of what was actually required was just plain and simple common sense.
We never claim to be "Anything" compliant, we simply state openly exactly what we do and what we do not do. Then we can let the customer decide if we comply with whatever it is they are worried about.
A device like a router or a piece of software, can never be "compliant" in isolation, the important thing is the environment in which it operates - the people and processes that surround it.
We have has a good number of customers asking: "are you X compliant?" or "are you Y compliant" and I know that they do not really understand what it is they are asking. It's like they want to use the latest buzz words.
There was a big panic in the UK in 2018 when the GDPR regulation came in, but after talking at length with the Information Commissioner's Office, I realised that most of what was actually required was just plain and simple common sense.
We never claim to be "Anything" compliant, we simply state openly exactly what we do and what we do not do. Then we can let the customer decide if we comply with whatever it is they are worried about.
A device like a router or a piece of software, can never be "compliant" in isolation, the important thing is the environment in which it operates - the people and processes that surround it.
Thanks for your response!.
HIPAA is basically the privacy law, the customer I came across is in the medical field, I understood from a company I spoke to yesterday that is HIPAA compliant, that basically all it boils down is to have track on who has access or who is accessing the Call records, Call Recordings, Faxes and so on, so maybe if there's anyway to have alike a full log of every step that every user does (Like example the "Transaction log") it might be helpful to be compliant.
OK I understand.
I'm not sure if FusionPBX has any advanced activity logging built it. It's certainly not something I have seen in the member documentation - having said that, I have not looked for it.
For a quick and dirty fix, how about this for an idea:
Every request to the Web GUI makes a call to the check_auth.php function. If you add something like this near the top of the function:
Then in /var/log/fusionpbx/access.log you get something like this (this is me logging in and then listing CDRs and then viewing a CDR record):
As I say quick and dirty and it could be greatly improved upon with very little effort.
I'm not sure if FusionPBX has any advanced activity logging built it. It's certainly not something I have seen in the member documentation - having said that, I have not looked for it.
For a quick and dirty fix, how about this for an idea:
Every request to the Web GUI makes a call to the check_auth.php function. If you add something like this near the top of the function:
Code:
// Log the activity
$target_path = ($_REQUEST["path"] != '') ? $_REQUEST["path"] : $_SERVER["REQUEST_URI"];
file_put_contents('/var/log/fusionpbx/access.log', date("Y-m-d h:i:sa") . "[".$_SESSION["user"]["username"]."@".$_SESSION["user"]["domain_name"]."]: " . $target_path. "\n", FILE_APPEND);Then in /var/log/fusionpbx/access.log you get something like this (this is me logging in and then listing CDRs and then viewing a CDR record):
Code:
2022-01-11 07:24:35pm[@]: /core/user_settings/user_dashboard.php
2022-01-11 07:24:38pm[adrian@af-test.a2es.uk]: /app/xml_cdr/xml_cdr.php
2022-01-11 07:25:31pm[adrian@af-test.a2es.uk]: /app/xml_cdr/xml_cdr_details.php?id=b7a74eab-32e4-4ac2-a4b8-4f9a9cbaaaf7As I say quick and dirty and it could be greatly improved upon with very little effort.
I'm pretty sure you only need HIPPA compliance when storing call recording and fax's for patient data. You can integrate Freeswitch with CallCabinet pretty easily, their solution is fully HIPPA compliant and while still expensive it's still very competitive with against other HIPPA compliant call/fax recording HIPPA solutions. You can also scale from very small clients to large enterprises with them.
They store all the recordings/faxes, fully encrypted, AI to auto redact patent data and credit card information, full searchable transcripts of all calls. It has everything. I'm 99% sure this is all you need to say that your system is fully HIPPA compliant, give them a call and they'll be able to confirm for you.
They store all the recordings/faxes, fully encrypted, AI to auto redact patent data and credit card information, full searchable transcripts of all calls. It has everything. I'm 99% sure this is all you need to say that your system is fully HIPPA compliant, give them a call and they'll be able to confirm for you.
Stick the customer on its own instance of fusion, if running on a vps make sure it is only accessible via customers IP(s), as for recordings, they aren't required to be encrypted or anything special. make sure ur not giving random people superadmin access and remember it is a federal law to protect the patient from having and health related issue being disclosed to anyone without their permission and this is a very very very un-enforced law, in general if you make best effort to secure any patient health information which would only exist in a recording or VM, then your good. only company who are completely negligent and illegally advertised they werent to the customer will be held accountable.... this is annoying because the common misbelief is that hipaa is often misunderstood by idiots who think it is your job to fully lock everything down and impliement preventive measure to stop any and all kinds of leaks. this couldn't be further from the truth...
so like i said putting them on their own fusion instance, locking down iptables and keeping 90 day retention on things like transactions logs and CDRs, you should be fine and will never be prosecuted anything hipaa related.
now i'm not a lawyer but for about a year my job was to manage network acquisitions of hospitals and surgery centers across the US and part of that was doing hipaa compliancy checks, we just used some software and ran it in their networks, and look for signs of obvious negligence. so if you just do your due diligence you will be fine. and if you need a safe agreement to have your customer sign and protect you, fiverr is your best friend or if you purchase any descent compliancy scanning software they self generate reports with findings you get signed by the customer which is also fine.
**Just my 5 cents lol
so like i said putting them on their own fusion instance, locking down iptables and keeping 90 day retention on things like transactions logs and CDRs, you should be fine and will never be prosecuted anything hipaa related.
now i'm not a lawyer but for about a year my job was to manage network acquisitions of hospitals and surgery centers across the US and part of that was doing hipaa compliancy checks, we just used some software and ran it in their networks, and look for signs of obvious negligence. so if you just do your due diligence you will be fine. and if you need a safe agreement to have your customer sign and protect you, fiverr is your best friend or if you purchase any descent compliancy scanning software they self generate reports with findings you get signed by the customer which is also fine.
**Just my 5 cents lol
Netsapien will take care of the HIPPA so why not use them for the health care customers?
Lol, after all i wrote the "Why" it very obvious.... I understand why someone who isn't experienced with hipaa would delegate as when your new to this compliancy and can seem intimidating but really it is nothing. But the biggest reason why you don't use netsapien is the same reason you don't use them for all your customers or resell ring central, jive, 8x8 or anything else... if you use your own fusion, you have much more control and larger margins so... in the end just do what your more comfortable with but as stated above hipaa is a joke and if you follow the basics of my previous post you will be fine.
I would take this very seriously as it can mean more than just losing a few clients. I just read this on a website: "With HIPAA penalties as much as $1.5 million per violation, health-related businesses can't afford to not be HIPAA compliant, and this extends to their business partners. Companies paid a staggering $28,683,400 for violations in 2018."
Last edited:
Yeah the fear is important but only completely negligent companies have have ever been healed accountable… best effort by using the stuff I said before is enough…. Read all u want but the fact is I did this for a long time with large companies on large scales… not debating on the forum… if ur not confident then just outsource it and don’t waste time debating
Agreed, if you're not confident then you should outsource it or at least have a professional check for compliance.
- Status