
My team and I created a web app that transfers data from a VOIP system (recorded calls, voicemails, faxes, texts) to cloud storage (Google Drive, Amazon S3, Box.com). In and of itself, our app follows HIPAA guidelines. I have a background in medical software, and have created several medical apps that meet HIPAA requirements for data storage and data transfer. And I made sure we did the same with this app.

But I ask this question because this app is just a bridge. This app stores very little data. (And the data we do store is encrypted and protected.) The real content of the phone system's data is stored in our customers' own storage (their Google Drive, their Amazon account, etc.) after our app transfers it. Of course our app has access points to their storage, but we have ensured that the access we provide is protected and HIPAA compliant from our side.

My concern is our reliance on these third-party providers. Even our login procedure piggy-backs onto third-party VOIP providers for authentication. The VOIP provider does state that they are HIPAA compliant, however.

Just for clarification, we are using OAuth to provide authentication (via the VOIP's authentication API), and we are using OAuth to provide a connector to Google Drive and Box.com. Amazon does not provide an OAuth API, but the process is similar using security tokens via their Amazon S3 API and federated login control panel.

I know that we have done all we can to make our app HIPAA compliant (short of storing their data in our own system), but with all the reliance we have on these third-party providers, can I accurately state that we are HIPAA compliant?

Matt Spinks
  • 121
  • 4
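The S3 side of the connector described above (short-lived security tokens rather than OAuth) is where the scope of access handed to the bridge app is decided. As an added example, not code from the question's author, the following IAM session policy is the kind of document a defender would attach to a federated or assumed-role token so that the token can only write one customer's objects under one prefix and only with server-side encryption. The bucket name and prefix are placeholders; the condition keys and actions are standard AWS IAM ones.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteOnlyToThisCustomersPrefix",
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::EXAMPLE-CUSTOMER-BUCKET/voip-exports/customer-123/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "ListOnlyThatPrefix",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::EXAMPLE-CUSTOMER-BUCKET",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["voip-exports/customer-123/*"]
        }
      }
    },
    {
      "Sid": "RefuseUnencryptedUploads",
      "Effect": "Deny",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::EXAMPLE-CUSTOMER-BUCKET/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```

The point for the compliance question is that a token scoped like this limits what a compromise of the bridge app can reach in the customer's storage (one prefix, write plus list, encrypted at rest), which is evidence an auditor can check. The policy deliberately grants no `s3:GetObject`, since a transfer bridge only needs to deposit recordings, not read them back.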

1 Answer

3

Well no - you get a third party to audit your controls and they sign off and say you are HIPAA compliant. It's the whole separation of duties thing: your company builds it and an independent trustworthy third party confirms the work you have done.

McMatty
  • 3,192
  • 1
  • 7
  • 16