Executive Summary
Health Insurance Portability and Accountability Act (HIPAA) compliance may be table stakes for some of our customers. This article identifies and addresses scenarios Outreach customers may want to consider regarding the security of PHI when implementing, configuring, and adopting the Outreach service. This article is intended for informational purposes only; it is not intended to provide a comprehensive risk assessment of the platform, its features, or related customer notices for HIPAA compliance, nor does it offer comprehensive HIPAA traceability.
Outreach customers must consult their legal counsel and compliance officers for advice regarding HIPAA compliance.
Data Protection Considerations for Healthcare and Life Sciences
Healthcare and life sciences companies are steadily continuing to adopt Outreach to align their sales teams more efficiently. While a sales team may be focused on the revenue and operational benefits of Outreach, it is important for these customers to focus on HIPAA compliance during configuration and adoption of our services. As with any Software-as-a-Service (SaaS) and AI technology, if compliance best practices are not followed, the potential exists to expose an organization to new impermissible or reportable incidents involving (electronic) protected health information (“ePHI”).
This article is informational and intended for Chief Information Officers, IT directors, IT managers, legal counsel, and data governance professionals responsible for their organization’s HIPAA obligations. It highlights features with elevated risks and offers best practices for avoiding increased threat exposure for organizations that handle ePHI.
Risk Considerations
Synchronization of ePHI to Outreach Platform
Outreach is a sales execution platform intended to power the sales lifecycle. Synchronizing ePHI into the Outreach platform is therefore not appropriate handling of ePHI, and compliance efforts should focus on preventing ePHI from entering the platform at all. The most likely incidental entry points for ePHI within the Outreach platform are emails synchronized from user inboxes, call recordings, transcripts processed by Kaia’s conversation intelligence AI model, and user notes (e.g. prospect notes, tags, etc.).
Example Risk: At a hypothetical healthcare company, an employee holds a cross-functional role that requires access to ePHI as well as involvement in the sales process. During an email synchronization with Outreach, an email containing ePHI is processed by the Outreach platform.
Example Best Practices to Avoid Risk:
- Segregate ePHI from other operational data using centrally managed data storage that cannot be synchronized to the Outreach platform.
- Implement role-based access controls limiting access to ePHI.
- Implement internal data governance policies restricting the communication of ePHI via email (particularly during sales processes).
- Leverage the Outreach platform administrative role to disable features where appropriate for Outreach users with access to ePHI.
Outreach Voice with Kaia Assistant
Outreach Voice with Kaia Assistant conversation intelligence enables teams to experience the ease of call recording, real-time transcription, and call analytics. These features are not designed to safely and securely ingest ePHI and other sensitive data. Recordings from these features may be shared across an organization and with external parties. Transcripts can be synchronized to other Outreach systems.
Example Risk: A health insurance company employee discusses the medical history of a customer insured by their company during an Outreach Voice call with Kaia recording.
Example Best Practices to Avoid Risk:
- Deploy mandatory HIPAA training to help staff identify ePHI across multiple formats, respond appropriately to reception and storage of ePHI, and report possible incidents.
- Train internal Outreach administrators to appropriately govern the visibility of meeting recordings and notes.
- Train internal Outreach users to appropriately limit access to their own recordings and notes.
- Enforce HIPAA-compliant internal data governance standards.
Smart Assist Features
Outreach Smart Assist features allow users to leverage generative AI capabilities to deploy communications based on past communications. Outreach Smart Assist features utilize off-the-shelf third-party LLM models which are not trained on customer data. The third-party LLM providers do not retain customer data after processing a request to them, and the LLM providers never have access to any customer data. The features utilize prompts derived from customer data in the Outreach instance to return Smart Assist output from the LLM. The LLM is not intended to receive prompts or create outputs involving ePHI.
Example Risk: At a healthcare company, ePHI was unintentionally synchronized into the customer’s Outreach instance. While using the Smart Email Assist feature, a salesperson unintentionally sends a sales email containing false or misleading information generated using a person’s ePHI.
Example Best Practices to Avoid Risk:
- Implement data cleanliness, validation, and minimization controls in any databases or systems synchronized with the Outreach platform to ensure ePHI is not processed.
- Train internal staff (particularly sales staff) on the appropriate use and maintenance of ePHI, with particular emphasis on excluding ePHI from the Outreach platform.
- Ensure appropriate personnel are assigned to governance profiles in the Outreach platform.
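The first best practice above, validating and minimizing records before they leave a system that is synchronized with Outreach, is the one control a customer can enforce in code. The following is an added example (not Outreach code and not an Outreach API) of a pre-synchronization gate: each staged record is scanned for ePHI indicators, records with findings are quarantined instead of synced, clean records are reduced to an allow-list of fields, and every decision is written to an audit entry that records only field names, indicator labels and a hash of the record, never the ePHI itself. The record layout, the field names, the indicator patterns and the three sample records are all constructed for this example; the patterns are a deliberately small heuristic, not a complete ePHI classifier.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample of records staged for sync from a hypothetical CRM export.
STAGED_RECORDS = [
    {"id": "c-1001", "name": "Alex Rivera", "company": "Northwind Clinics",
     "notes": "Interested in Q3 demo of sequencing platform."},
    {"id": "c-1002", "name": "Jordan Lee", "company": "Contoso Health",
     "notes": "Patient MRN 00483921 reported adverse reaction; follow up with care team.",
     "diagnosis": "E11.9"},
    {"id": "c-1003", "name": "Sam Patel", "company": "Fabrikam Pharma",
     "notes": "SSN 123-45-6789 on file for billing dispute."},
]

# Data minimization: only these fields are ever allowed to leave for the sales platform.
ALLOWED_FIELDS = {"id", "name", "company", "title", "notes"}

# Fields that belong to the clinical system; any non-empty value blocks the record.
EPHI_FIELDS = {"diagnosis", "mrn", "date_of_birth", "insurance_member_id"}

# Free-text indicators (heuristic, constructed for this example).
EPHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*#?\s*\d{6,}\b", re.IGNORECASE),
}


def find_ephi(record):
    """Return (field, indicator) pairs for every ePHI signal in the record.

    The full record is scanned before minimization so that ePHI reaching the
    staging area is detected and logged even when the field would be dropped.
    """
    findings = []
    for field, value in record.items():
        if field.lower() in EPHI_FIELDS and value not in (None, ""):
            findings.append((field, "ephi_field"))
        if isinstance(value, str):
            for label, pattern in EPHI_PATTERNS.items():
                if pattern.search(value):
                    findings.append((field, label))
    return findings


def minimize(record):
    """Keep only allow-listed fields; everything else never leaves the source system."""
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}


def record_fingerprint(record):
    """Stable hash so the audit log can reference a record without storing its contents."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def gate_for_sync(records, audit_log):
    """Split staged records into those safe to sync and those to quarantine.

    Appends one audit entry per record to audit_log. Entries carry the record id,
    a hash, the decision and the indicator labels, but never the matched values.
    """
    to_sync, quarantined = [], []
    for record in records:
        findings = find_ephi(record)
        decision = "quarantined" if findings else "synced"
        audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "record_id": record["id"],
            "record_sha256": record_fingerprint(record),
            "decision": decision,
            "findings": [{"field": f, "indicator": i} for f, i in findings],
        })
        if findings:
            quarantined.append(record["id"])
        else:
            to_sync.append(minimize(record))
    return to_sync, quarantined


if __name__ == "__main__":
    log = []
    ready, held = gate_for_sync(STAGED_RECORDS, log)
    print("ready to sync:", [r["id"] for r in ready])
    print("quarantined:  ", held)
    for entry in log:
        print(json.dumps(entry))
```

Scanning happens before minimization on purpose: a diagnosis code or MRN showing up in a sales staging table is itself a signal that the segregation described earlier has failed, and the audit entry preserves that signal for the compliance team without copying the ePHI into another system. Quarantined records should be routed back to the data owner rather than silently dropped, so the upstream cause can be fixed.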
Outreach Collaboration
Securing a customer’s Outreach service is a collaborative effort. Outreach operates and secures our own infrastructure, host operating system, and platform application layers to reduce the risk of data mismanagement. Customers, however, are responsible for limiting access to ePHI (and other sensitive data types), configuring the controls offered in the service, and employing internal security and privacy measures.
The highlighted examples are intended to inform customers of potential risks and assist them in meeting their responsibilities. While the Outreach service provides some of the administrative and organizational controls necessary to meet HIPAA obligations, additional protections must be provided by the layers of safeguards deployed outside and around the integration with our platform. We also recommend that our customers in healthcare and life sciences take the following actions:
- Implement HIPAA risk assessments.
- Employ compliance traceability (data mapping) technologies.
- Maintain a robust audit log for ePHI.
- Actively engage internal legal counsel and data governance professionals in the Outreach implementation process.
Further information on Outreach features, configurations, settings, and administrative controls can be found in the Outreach Support Portal, Outreach University, and by contacting Outreach Support.