twilio-security-compliance-hipaa
$
npx mdskill add openai/plugins/twilio-security-compliance-hipaaConfigures Twilio accounts for HIPAA compliance and healthcare workflows
- Ensures Twilio accounts meet HIPAA BAA and service eligibility requirements
- Uses Twilio Console, Admin API, and product-specific HIPAA configurations
- Validates compliance steps based on BAA execution date and service eligibility
- Provides guidance for HIPAA project designation and PHI protection workflows
SKILL.md
.github/skills/twilio-security-compliance-hipaaView on GitHub ↗
--- name: twilio-security-compliance-hipaa description: > Configure Twilio accounts for HIPAA compliance. Covers BAA requirements, HIPAA Project designation (self-service and support), eligible services list, per-product requirements (Voice, SMS, ConversationRelay, Conversation Intelligence, Flex, Verify), message redaction, and what is NOT eligible. Use this skill when developers are building healthcare workflows on Twilio. --- ## Overview HIPAA compliance on Twilio is a **shared responsibility** — Twilio provides eligible services and configuration tools, but your application must architect correctly. Getting this wrong means PHI exposure and compliance violations. **Sequence:** Execute BAA → Designate HIPAA Project(s) → Use only eligible services → Follow per-product requirements --- ## Step 1: Execute a BAA - Contact your Twilio Account Representative to execute a Business Associate Addendum - Purchase a **Twilio Editions package** that includes HIPAA Accounts - BAA is required before any PHI touches Twilio infrastructure --- ## Step 2: Designate HIPAA Project(s) ### Self-Service (BAA initiated after June 6, 2024) 1. Create an Organization in Twilio Console 2. Link accounts/projects/subaccounts to the Organization 3. Console → Twilio Admin → Accounts → Select account → Enable HIPAA flag 4. Save ### Support Ticket (BAA initiated before June 6, 2024) Open a Support ticket through Console to request HIPAA designation for specific accounts/projects/subaccounts. ### Subaccount Behavior - **Existing subaccounts are NOT auto-designated** — Must be individually flagged - **New subaccounts created AFTER designation DO auto-inherit** HIPAA status - Verify each subaccount's HIPAA flag — don't assume inheritance ### What Changes When HIPAA Is Enabled - Console auto-logoff after 15 minutes of inactivity - Account exempt from certain content moderation (but still subject to carrier complaint review) - No PHI in support tickets — use SIDs (CallSid, MessageSid) instead of phone numbers --- ## HIPAA Eligible Services ### Eligible (use these for PHI workflows) | Category | Services | |----------|----------| | **Voice** | Programmable Voice, Recordings*, Transcription*, Media Streams*, ConversationRelay*, Conversational Intelligence for Voice*, SIP Interface*, Elastic SIP Trunking*, Voice Insights, AMD, `<Pay>`, Conference, Coaching, Transfers | | **SMS** | Programmable SMS, MMS, Long Codes, Toll-Free, Short Codes, Messaging Services (opt-out, fallback, geomatch, sticky sender, scheduling, link shortening) | | **Identity** | Verify (SMS + Voice + Push only), Lookup | | **Conversations** | Chat, SMS, MMS, Group Texting (NOT WhatsApp) | | **Flex** | Voice, SMS, Chat, Conversations, Webchat 3.x.x*, TaskRouter, Proxy, Flex Insights* | | **Segment** | Connections (Sources, Destinations*, Functions*), Reverse ETL*, Unify, Engage Foundations*, Protocols, Privacy Portal* | | **Runtime** | Studio*, Functions, Debugger, API Explorer, Sync, Private Assets*, TwiML Bin* | | **Data** | Event Streams | *Items marked with * require additional configuration per "Architecting for HIPAA on Twilio" guidance.* ### NOT Eligible (do NOT use for PHI) - **WhatsApp** — Meta does not offer a BAA - **SendGrid Email** (including Email in Flex and Verify Email channel) - **AI Assistants** (including Voice for AI Assistants) - **Verify Fraud Guard** - **Conversational Intelligence for Conversations** (only Voice channel is eligible) - **Agent Copilot**, **Unified Profiles** in Flex - **Engage Premier**, **Generative Audiences**, **Campaigns** - **Twilio Marketplace add-ons** — even with third-party BAA - **Autopilot** - **Flex Webchat 2.x.x** (must migrate to 3.x.x) **Geographic restriction:** Only US area codes for Voice and SMS HIPAA traffic. --- ## Per-Product Requirements ### Voice & Recordings - **HTTP auth required for recording URLs** — Enable in Console → Voice Settings. Recording URLs are public by default. - **Voice Recording Encryption recommended** — Encrypts with your public key before cloud storage - **ConversationRelay:** Your AI Provider must have their own BAA. Cannot use for clinical/medical decision-making. - **Conversation Intelligence for Voice:** Only Azure OpenAI for generative operators. No PHI in operator prompts. Data use auto-disabled for HIPAA accounts. PII Redaction recommended (auto-redacts 21 PHI field types). ### SMS & MMS - **HTTP auth required for MMS Media URLs** — Enable in Console → Messaging → Settings → General - **Message Redaction recommended** — Redacts message bodies and phone numbers from Console/API/support - **No PHI in Message Tags** — custom attributes in Message Tagging must not contain PHI - **Message Redaction prerequisites:** 1. Disable Sticky Sender and Fallback to Long Code on Messaging Services 2. Contact Support to disable built-in STOP filtering (then implement custom STOP handling) 3. Set all webhooks to POST (GET logs params for 7 days, defeating redaction) 4. Incompatible with Studio, Flex, and Conversations ### Verify - **Only SMS, Voice, and Push channels** — Email channel is NOT eligible - **Fraud Guard is NOT eligible** — do not enable for HIPAA workflows ### Flex - **Flex Insights:** Twilio auto-redacts PII from TaskRouter attributes (names, phone, email). Visual waveform and speech metrics disabled. - **Customer must:** Ensure no PHI in preserved Attribute fields, Comments, or Assessments. Implement session timeout (Flex has no built-in timeout). Secure Flex Plugins for HIPAA. - **No WhatsApp, Facebook Messenger, or SendGrid Email** in Flex HIPAA workflows ### Event Streams - Customer responsible for HIPAA-compliant sink configuration (e.g., AWS Kinesis requires Amazon's HIPAA architecture) - Non-eligible product event types must not process PHI --- ## CANNOT - **Cannot use WhatsApp for HIPAA workflows** — Meta does not offer a BAA. Applies to all Twilio products (Conversations, Flex, Frontline). - **Cannot use SendGrid Email** — Not HIPAA eligible in any context (Verify, Flex, standalone). - **Cannot use Verify Fraud Guard or Email channel** — Not eligible. Only SMS, Voice, Push. - **Cannot use AI Assistants** — Even with ConversationRelay, AI Assistants integration is not eligible. - **Cannot use non-US area codes** — Voice and SMS HIPAA traffic limited to US area codes. - **Cannot put PHI in support tickets** — Use SIDs for troubleshooting. Use Console chat, email, or Support Center. - **Cannot assume subaccount HIPAA inheritance** — Existing subaccounts must be individually flagged. - **Cannot use GET webhooks with Message Redaction** — GET parameters are logged for 7 days. - **Cannot use Marketplace add-ons** — Even with a third-party BAA, Marketplace is not eligible. - **Cannot use Conversation Intelligence for Conversations** — Only Voice channel is HIPAA eligible. --- ## Next Steps - **Authentication setup:** `twilio-security-api-auth` - **Account structure for HIPAA isolation:** `twilio-account-setup` - **Credential security:** `twilio-security-hardening` - **Traffic compliance (TCPA, GDPR, PCI):** `twilio-compliance-traffic` **Official docs:** [HIPAA Eligible Services (PDF)](https://www.twilio.com/content/dam/twilio-com/global/en/other/hipaa/pdf/HIPAA-Eligible-Services.pdf) | [Architecting for HIPAA (PDF)](https://www.twilio.com/content/dam/twilio-com/global/en/other/hipaa/pdf/Architecting-for-HIPAA.pdf) | [HIPAA account flag](https://www.twilio.com/docs/iam/organizations#turn-on-hipaa-and-eligible-accounts) | [Message Redaction](https://www.twilio.com/docs/messaging/guides/privacy-message-redaction)