Introduction to Architecting HIPAA on Telnyx
This document is intended for Telnyx customers who have, or plan to enter into, a Business Associate Addendum (BAA) with Telnyx to use HIPAA-eligible services. It outlines specific guidelines on how to build HIPAA-compliant applications and workflows using Telnyx’s platform, which may be updated from time to time.
Security and compliance are a shared responsibility: Telnyx provides the platform capabilities, and customers must use those tools and services correctly. Only services explicitly designated as HIPAA-eligible may be used to process Protected Health Information (PHI). These guidelines do not constitute legal advice, and it is the Customer's sole responsibility to confirm that its applications and workflows conform with applicable law.
Customer Requirements Across All Telnyx Services
Required for HIPAA:
- Encrypted communication: All calls to Telnyx APIs must use HTTPS, and every URL you register with Telnyx (webhook receivers, media and recording URLs) must be HTTPS as well, so PHI never travels in clear text in either direction.
- Signed/validated webhooks: On every delivery, verify that the webhook genuinely originates from Telnyx (validate the signature and reject deliveries whose timestamp falls outside your tolerance window) before acting on its contents; drop unsigned or unverifiable deliveries.
- No PHI in support tickets: Support requests may not include PHI; reference Telnyx-specific IDs (e.g., call or message IDs) instead.
- Artificial Intelligence features: Where a workflow processes PHI, any Telnyx AI feature it uses must run on Telnyx-hosted models (e.g. Llama and Qwen), and any data retained by that feature must be stored on Telnyx-hosted infrastructure. PHI must not be routed to third-party model providers.
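The webhook check above, as an added example written for this page rather than taken from Telnyx's code or SDKs. It assumes Telnyx's published scheme: an Ed25519 signature delivered base64-encoded in a `telnyx-signature-ed25519` header, a unix timestamp in a `telnyx-timestamp` header, the signed message being `<timestamp>|<raw body>`, and the base64 public key copied from the Telnyx portal; confirm these details against the current Telnyx documentation before relying on them. `signForDemo`, `maxSkew` and the sample payload are constructed so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// maxSkew bounds how old (or how far in the future) a delivery may be. With the
// signature it turns a captured webhook into a replay that works for minutes, not forever.
// The value is an assumption; pick one that matches your clock discipline.
const maxSkew = 5 * time.Minute

var (
	ErrBadTimestamp = errors.New("webhook: timestamp header missing or malformed")
	ErrStale        = errors.New("webhook: timestamp outside tolerance")
	ErrBadSignature = errors.New("webhook: signature verification failed")
)

// VerifyWebhook validates one delivery.
//   pubKeyB64: base64 Ed25519 public key from the Telnyx portal (assumption).
//   sigB64:    value of the telnyx-signature-ed25519 header (assumption).
//   tsHeader:  value of the telnyx-timestamp header, unix seconds (assumption).
//   body:      the raw request body exactly as received; re-serialised JSON will not verify.
//   now:       injected clock so the check is deterministic in tests.
func VerifyWebhook(pubKeyB64, sigB64, tsHeader string, body []byte, now time.Time) error {
	pub, err := base64.StdEncoding.DecodeString(pubKeyB64)
	if err != nil {
		return fmt.Errorf("webhook: public key is not base64: %w", err)
	}
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("webhook: public key has wrong length")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	ts, err := strconv.ParseInt(tsHeader, 10, 64)
	if err != nil {
		return ErrBadTimestamp
	}
	// Freshness first: it is cheap, and it rejects replays of validly signed events.
	if d := now.Sub(time.Unix(ts, 0)); d > maxSkew || d < -maxSkew {
		return ErrStale
	}
	// Signed message is "<timestamp>|<raw body>" (assumption). The timestamp is
	// taken verbatim from the header, never re-formatted.
	msg := append([]byte(tsHeader+"|"), body...)
	if !ed25519.Verify(ed25519.PublicKey(pub), msg, sig) {
		return ErrBadSignature
	}
	return nil
}

// signForDemo plays the sender so the check can be exercised offline. In
// production only Telnyx holds the private key; this exists for the example.
func signForDemo(priv ed25519.PrivateKey, ts int64, body []byte) (sigB64, tsHeader string) {
	tsHeader = strconv.FormatInt(ts, 10)
	msg := append([]byte(tsHeader+"|"), body...)
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, msg)), tsHeader
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pubB64 := base64.StdEncoding.EncodeToString(pub)
	body := []byte(`{"data":{"event_type":"call.initiated"}}`) // constructed sample payload
	now := time.Now()
	sig, ts := signForDemo(priv, now.Unix(), body)

	fmt.Println("genuine: ", VerifyWebhook(pubB64, sig, ts, body, now))
	tampered := append(append([]byte(nil), body...), ' ')
	fmt.Println("tampered:", VerifyWebhook(pubB64, sig, ts, tampered, now))
	fmt.Println("replayed:", VerifyWebhook(pubB64, sig, ts, body, now.Add(10*time.Minute)))
}
```

Keep the raw body bytes for verification; decoding and re-encoding the JSON changes whitespace and key order and the signature will not match. On failure return a 4xx and log only the event ID, never the body. Process events idempotently by event ID: a legitimate retry inside the tolerance window is indistinguishable from a replay by this check alone.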
Recommended for HIPAA:
- HTTP authentication: Protect the endpoints Telnyx calls (webhook receivers, media and recording URLs) with HTTP Basic or Digest authentication. Use it only over HTTPS, since Basic credentials are otherwise sent in clear text, and compare credentials in constant time.
- Static proxy or fixed IPs: Where Telnyx publishes fixed source addresses for the service you use, restrict your firewall or allowlist to them. This narrows who can reach the endpoint; it does not replace authentication.
- Public key validation: Use mutual TLS or key-based validation (e.g. verifying signed requests against a known public key) so that service-to-service traffic is authenticated in both directions, not merely encrypted.
Product-Specific Guidelines
Below are generic headers—replace with Telnyx’s actual product names and adjust as needed:
A. Programmatic Voice/Call Recording
Required:
- Enforce HTTP Basic authentication (over HTTPS) on recording URLs.
Special:
- Enable encryption at rest for call recording storage (e.g., recordings wrapped with a public key you control, so only your private key can decrypt them), or store recordings on your own infrastructure under your own controls.
- For media streaming or transcription, ensure destination services are Telnyx-hosted.
Not Eligible:
- Avoid third-party integrations not covered by a BAA.
- Do not use automatic transcription or analysis features unless explicitly HIPAA-enabled.
B. Messaging (SMS/MMS)
Required:
- Use HTTP Basic authentication (over HTTPS) on the media URLs you supply for MMS, so the media cannot be retrieved by anyone who merely learns the URL.
- Only U.S.-based messaging traffic is HIPAA eligible.
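The following is an added example covering the Basic-auth requirement for recording and MMS media URLs (sections A and B) and the recommended HTTP authentication and fixed-IP controls listed under the platform-wide requirements; it is illustrative code for this page, not Telnyx's. It assumes Telnyx fetches your media over HTTPS with the credential embedded in the URL (`https://user:secret@host/...`); the user name `telnyx-fetch`, the password, the TEST-NET-1 allowlist range and the `/recordings/demo.wav` path are placeholders.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// MediaGuard fronts a handler that serves call recordings or MMS media to Telnyx.
// The credential travels inside the URL you hand to Telnyx, so the URL is a secret
// and must only ever be https.
type MediaGuard struct {
	User, Pass string       // credential embedded in the media/recording URL
	Allow      []*net.IPNet // fixed source ranges, if Telnyx publishes them; empty = no IP check
	Next       http.Handler // the handler that actually streams the file
}

func (g MediaGuard) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// RemoteAddr is the true peer only when this process terminates TLS itself.
	// Behind a load balancer, enforce the allowlist at the balancer instead.
	if !g.sourceAllowed(r.RemoteAddr) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	user, pass, ok := r.BasicAuth()
	if !ok || !constantTimeEqual(user, g.User) || !constantTimeEqual(pass, g.Pass) {
		w.Header().Set("WWW-Authenticate", `Basic realm="media", charset="UTF-8"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	w.Header().Set("Cache-Control", "no-store") // PHI must not linger in intermediary caches
	g.Next.ServeHTTP(w, r)
}

func (g MediaGuard) sourceAllowed(remoteAddr string) bool {
	if len(g.Allow) == 0 {
		return true
	}
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range g.Allow {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// constantTimeEqual compares fixed-size digests, so timing leaks neither the
// length nor a matching prefix of the configured secret.
func constantTimeEqual(a, b string) bool {
	ha, hb := sha256.Sum256([]byte(a)), sha256.Sum256([]byte(b))
	return subtle.ConstantTimeCompare(ha[:], hb[:]) == 1
}

// newDemoGuard uses constructed placeholders: TEST-NET-1 as the allowed range and
// a credential that would normally come from a secret store, not source code.
func newDemoGuard() MediaGuard {
	_, allow, _ := net.ParseCIDR("192.0.2.0/24")
	return MediaGuard{
		User:  "telnyx-fetch",
		Pass:  "replace-with-a-long-random-secret",
		Allow: []*net.IPNet{allow},
		Next: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			w.Header().Set("Content-Type", "audio/wav")
			fmt.Fprint(w, "RIFF....WAVE") // stand-in for the recording bytes
		}),
	}
}

// probe sends a synthetic request through the guard and returns the status code,
// so the policy can be exercised without opening a port.
func probe(g MediaGuard, remoteAddr, user, pass string) int {
	req := httptest.NewRequest(http.MethodGet, "/recordings/demo.wav", nil)
	req.RemoteAddr = remoteAddr
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	g.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	g := newDemoGuard()
	fmt.Println(probe(g, "192.0.2.10:4321", g.User, g.Pass))   // 200: allowed source, right credential
	fmt.Println(probe(g, "192.0.2.10:4321", g.User, "wrong"))  // 401: wrong password
	fmt.Println(probe(g, "192.0.2.10:4321", "", ""))           // 401: no credential
	fmt.Println(probe(g, "198.51.100.7:4321", g.User, g.Pass)) // 403: source not allowlisted
}
```

Treat the URL itself as a secret: it will appear in your own access logs and on the Telnyx side, so rotate the credential on a schedule and do not reuse it anywhere else. If Telnyx does not publish fixed source addresses for the service, leave `Allow` empty rather than trusting a forwarded header.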
Special:
- Enable message body and phone number redaction features where available, so stored logs and reports do not retain message content or full numbers.
- Filter metadata (e.g., tags) before it is attached to a message so it cannot carry PHI; allowlisting the values you expect is more reliable than trying to detect PHI after the fact.
Not Eligible:
- Avoid marketplace add-ons or bot integrations without BAA coverage.
C. Chat / Multi-Channel Conversations
Required:
- Use only private channels for any PHI exchange.
Special:
- Evaluate and control third-party integrations—ensure BAAs in place.
Not Eligible:
- Do not use public chat channels or unsupported calling/chat features.
D. Unified Conversations / Omni-Channel
Required & Special:
- Comply with HIPAA requirements for each channel used (e.g., SMS, voice, chat).
Not Eligible:
- Avoid channels not HIPAA-eligible in their standalone sections (e.g., social messaging platforms without BAA).
E. Contact Center or Agent Tools
For contact-center tooling:
Required:
- Secure media playback endpoints (HTTP auth, encryption).
- Ensure agent screens do not expose PHI without proper training/access control.
- Implement session timeouts enforced server-side (idle auto-logout plus an absolute session lifetime, or VPN inactivity enforcement), so an unattended agent workstation cannot keep exposing PHI.
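An added example of server-side session timeout enforcement for an agent console, written for this page and not part of any Telnyx product. It keeps two clocks per session, idle and absolute, and evicts on the server so a stale token cannot be revived by a later request; the policy values, tokens and agent names are placeholders.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Policy is the timeout policy for agent sessions. Both limits are enforced on the
// server; a browser-side auto-logout timer is a courtesy, not a control.
type Policy struct {
	IdleTimeout time.Duration // re-authenticate after this much inactivity
	MaxLifetime time.Duration // re-authenticate after this long regardless of activity
}

type session struct {
	agent        string
	created      time.Time
	lastActivity time.Time
}

// Store holds live sessions keyed by an opaque token.
type Store struct {
	mu       sync.Mutex
	policy   Policy
	sessions map[string]*session
}

func NewStore(p Policy) *Store {
	return &Store{policy: p, sessions: map[string]*session{}}
}

func (s *Store) Create(token, agent string, now time.Time) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[token] = &session{agent: agent, created: now, lastActivity: now}
}

func (p Policy) expired(sess *session, now time.Time) bool {
	return now.Sub(sess.created) > p.MaxLifetime || now.Sub(sess.lastActivity) > p.IdleTimeout
}

// Touch runs on every authenticated request. It returns the agent when the session
// is still valid and extends the idle window; an expired session is deleted on the
// spot so the token cannot be revived by a later request.
func (s *Store) Touch(token string, now time.Time) (agent string, ok bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, found := s.sessions[token]
	if !found {
		return "", false
	}
	if s.policy.expired(sess, now) {
		delete(s.sessions, token)
		return "", false
	}
	sess.lastActivity = now
	return sess.agent, true
}

// Sweep evicts sessions that timed out without ever being touched again, so an
// abandoned token does not sit in memory (and in any session listing) until its next use.
func (s *Store) Sweep(now time.Time) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	n := 0
	for tok, sess := range s.sessions {
		if s.policy.expired(sess, now) {
			delete(s.sessions, tok)
			n++
		}
	}
	return n
}

func main() {
	st := NewStore(Policy{IdleTimeout: 15 * time.Minute, MaxLifetime: 8 * time.Hour})
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	st.Create("tok-a", "agent-a", t0)
	_, ok := st.Touch("tok-a", t0.Add(10*time.Minute)) // active inside the idle window
	fmt.Println("10 min later:", ok)
	_, ok = st.Touch("tok-a", t0.Add(30*time.Minute)) // 20 min idle since last touch
	fmt.Println("20 min idle:", ok)
}
```

Run `Sweep` from a ticker, and call `Touch` from the middleware that authenticates every request, not only from page loads; an API poll from an abandoned browser tab should be treated as activity only if your policy says so.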
Special:
- Restrict plugins/customizations to be HIPAA-compliant (avoid PHI in error messages or logs).
- Any third-party app integrations require a valid BAA.
Not Eligible:
- Do not enable channels (e.g., email, social integrations) without HIPAA eligibility.
F. Privacy Controls & Protocols
Required:
- Implement a tracking plan (an allowlist of the events and properties your application may emit) or equivalent validation, so that non-compliant data is rejected before it enters a workflow.
Special:
- Use privacy portals or data labeling tools to classify and block/mask PHI.
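An added example of a tracking plan enforced in code, illustrative rather than Telnyx's; the plan, event names, properties and PHI patterns are constructed for the example. Only listed events and properties pass, closed-set properties must take a listed value, and every remaining string is screened for obvious identifiers as a backstop. The rejection names the property but never echoes the value, so the validation log cannot itself leak PHI.

```go
package main

import (
	"fmt"
	"regexp"
)

// Plan is a tracking plan: the only events an application may emit and, per event,
// the only properties it may carry. Anything not listed is rejected before it reaches
// analytics, logs or a downstream tool.
type Plan map[string]map[string]PropRule

// PropRule constrains one property. Values is an optional closed set; when nil, any
// value that passes the PHI screen is accepted.
type PropRule struct {
	Values []string
}

// Rejection says why an event was blocked. It deliberately omits the offending
// value so that the rejection itself cannot carry PHI into logs.
type Rejection struct {
	Event, Property, Reason string
}

func (r Rejection) Error() string {
	return fmt.Sprintf("event %q property %q: %s", r.Event, r.Property, r.Reason)
}

// phiPatterns is a coarse screen for identifiers that never belong in metadata:
// E.164 numbers, US SSNs and email addresses. It backstops the allowlist; it is not
// a classifier and will not catch a bare name or date.
var phiPatterns = []*regexp.Regexp{
	regexp.MustCompile(`\+[1-9]\d{6,14}`),
	regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`),
	regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`),
}

// Validate checks one event against the plan and returns nil when it may proceed.
func (p Plan) Validate(event string, props map[string]string) error {
	rules, ok := p[event]
	if !ok {
		return Rejection{Event: event, Reason: "event not in tracking plan"}
	}
	for name, value := range props {
		rule, ok := rules[name]
		if !ok {
			return Rejection{Event: event, Property: name, Reason: "property not in tracking plan"}
		}
		if rule.Values != nil && !contains(rule.Values, value) {
			return Rejection{Event: event, Property: name, Reason: "value outside allowed set"}
		}
		for _, re := range phiPatterns {
			if re.MatchString(value) {
				return Rejection{Event: event, Property: name, Reason: "value matches a PHI pattern"}
			}
		}
	}
	return nil
}

func contains(set []string, v string) bool {
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return false
}

// demoPlan is a constructed plan for a reminder workflow: it records that a reminder
// went out and how, never to whom or what it said. The Telnyx message ID is an opaque
// identifier and is exactly what a support ticket should reference.
var demoPlan = Plan{
	"reminder.sent": {
		"channel":    {Values: []string{"sms", "voice"}},
		"message_id": {},
		"tenant":     {Values: []string{"clinic-a", "clinic-b"}},
	},
}

func main() {
	fmt.Println(demoPlan.Validate("reminder.sent", map[string]string{"channel": "sms", "message_id": "msg-id-placeholder", "tenant": "clinic-a"}))
	fmt.Println(demoPlan.Validate("reminder.sent", map[string]string{"channel": "sms", "patient_name": "Jane Doe"}))
	fmt.Println(demoPlan.Validate("reminder.sent", map[string]string{"message_id": "+12025550123"}))
}
```

Keep the plan in version control and review changes to it the way you review schema changes: adding a free-text property is the usual way PHI starts leaking into analytics.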