Skip to main content

HIPAA Compliance at Five9

HIPAA Overview

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the regulations issued pursuant to HIPAA are a set of rules that, among other things, regulate the use, disclosure, and safeguarding of protected health information (PHI). PHI includes a wide range of individually identifiable health information that is transmitted or maintained in any form or medium (i.e., electronic, paper, or oral) and that relates to: (i) an individual’s past, present, or future physical or mental health or condition; (ii) the provision of health care to an individual; or (iii) the past, present, or future payment for the provision of health care to an individual. In 2009, the scope of HIPAA was extended and its protections for PHI were strengthened with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HIPAA applies to “covered entities,” which are individuals, institutions, and organizations that transmit PHI electronically for specific transactions outlined by the Department of Health and Human Services, including: (i) health plans; (ii) health care clearinghouses; and (iii) health care providers who electronically transmit health information in connection with specific transactions.

HIPAA also applies to “business associates,” which are third parties engaged by a covered entity to help it carry out its health care activities and functions.

Together, HIPAA and the HITECH Act include the following rules:

  • The HIPAA Privacy Rule, which requires the implementation of appropriate safeguards to protect the privacy of PHI and regulates the use and disclosure of such information without an individual’s authorization.
  • The HIPAA Security Rule, which requires the implementation of reasonable and appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of PHI that a covered entity creates, receives, maintains, or transmits in electronic form (ePHI).
  • The HIPAA Breach Notification Rule, which requires covered entities and their business associates to provide notification following a breach of unsecured PHI.

HIPAA requires a covered entity and its business associate to enter into a written contract to ensure that the business associate will appropriately safeguard PHI. Among other things, this contract, which is referred to as a Business Associate Agreement (BAA), must impose limits on a business associate’s use and disclosure of PHI based on the relationship between the parties and the activities or services being performed by the business associate.

For additional information about HIPAA, please visit the Health Information Privacy section of the U.S. Department of Health and Human Services’ website.


HIPAA and Five9

Five9 is committed to respecting the privacy of its customers’ information, including PHI. As part of this commitment, when we provide services to customers that are covered entities or business associates, we take steps necessary to meet our obligations as a business associate.

In particular, we will enter into BAAs with our covered entity and business associate customers to satisfy HIPAA’s contracting requirements. Additionally, we have implemented and maintain administrative, physical, and technical safeguards that are consistent with the size and complexity of our operations and that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI that we create, receive, maintain, and/or transmit on behalf of our customers. A list of the safeguards we have implemented to protect customers’ PHI can be found in the Five9 Trust Office.

If you have any HIPAA-related questions, please contact us at