
HIPAA-compliant VoIP: What it is and how to choose one

Preston Thomas

Senior Privacy and Compliance Counsel

Shabnam Kakar

Senior Content Marketing Manager


A business phone service has to meet a lot of requirements—reliability, features, cost—and in the healthcare business, there’s one that jumps to the top of the list: HIPAA compliance.

The Health Insurance Portability and Accountability Act (HIPAA) has been the defining privacy law for American healthcare providers since 1996, and it’s just as relevant today as it was back then. The purpose of HIPAA, together with its 2009 update, the Health Information Technology for Economic and Clinical Health (HITECH) Act, is to protect patients’ protected health information (PHI), including electronic PHI (ePHI), from data breaches and unauthorized access. Providers that breach this law can face hefty penalties and even imprisonment. So yeah, it’s a big deal.

A phone system is an integral part of healthcare operations, but choosing the right provider is crucial to stay HIPAA compliant. In this guide, we'll walk you through how to do this.

What is a HIPAA-compliant phone service?

Put simply, a phone system that’s “HIPAA compliant” meets all the requirements that HIPAA lays out for safeguarding patient data, specifically the aptly named Privacy and Security Rules, which together lay out the standards for protecting ePHI.

The Privacy Rule

The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, sets the national standard for the protection of health information. At the same time, this rule also assures that health information is available to healthcare providers as needed to provide optimal care to patients. In other words, the Privacy Rule strikes a balance that allows information to be used while also protecting the privacy of the people seeking care.

The Security Rule

The Security Rule, or Security Standards for the Protection of Electronic Protected Health Information, sets the national standard for protecting certain health information that is held or transferred in electronic form. This rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical measures that organizations (a.k.a. Covered Entities) need to have in place to keep individuals’ ePHI safe. So a phone service that’s HIPAA-compliant needs to take into consideration every source of ePHI, such as:

  • Caller ID information. Even without a recording, the call log links an individual to a medical practice and the types of services it provides.

  • Call recording. Conversations are ephemeral and are not PHI, but recordings may contain PHI.

  • Voicemail. Anywhere there’s stored content, there is potential for detailed personal data.

  • Voicemail transcription. Turning voice messages into text accessible via email or text message is convenient, and it is another source of stored data.

  • SMS. Convenient, useful, and another channel to examine carefully for personal data.

  • Fax to email. Traditional faxing doesn’t create stored records, but fax to email does.

  • Unified communications. A communications platform that offers more than just voice can hold electronic data in the form of stored chat or even video conferencing history.

“What if I just turned those features off? Would that make my phone service HIPAA compliant?”

We mean, it could… but 1996 is calling and it wants its phone system back. Why limit the usefulness of your VoIP service to ‘90s-era technology? Instead, stick with us and we’ll help you use cloud-based, AI-powered business VoIP to keep your patients well and their data safe.

🧠 Dialpad tip:

By partnering with a VoIP provider with a healthcare phone system tailored to the industry, you’ll also gain a trusted advisor to help you address any HIPAA compliance concerns. (More on healthcare contact center best practices here.)

The Business Associate Agreement

Before anything else, a business phone service provider must be willing and able to sign a Business Associate Agreement per HIPAA regulations. Doing so assures clients that the vendor takes responsibility for the HIPAA compliance of the platform, and is required by law for HIPAA compliance.

A Business Associate Agreement (BAA) is a written contract between the provider (a Business Associate) and another party, whether that’s a Covered Entity (like a hospital or clinic) or another Business Associate (like an insurer, IT contractor, or billing consultant).

A BAA has 10 provisions that need to be covered:

  1. Determine what PHI can be used by the business associate and under what circumstances.

  2. Assure the business associate will not use or release PHI unless required by the contract or by law.

  3. Require the business associate to use appropriate safety measures to prevent unauthorized access to PHI, including up-to-date encryption for electronic PHI (ePHI).

  4. Require the business associate to report to the covered entity any data breaches of unsecured protected health information.

  5. Make sure the business associate releases PHI when a patient asks for it.

  6. Define what components of the HIPAA Privacy Rule the business associate is responsible for and make sure it’s following them.

  7. Require the business associate to make its internal practices, books, and records available to the US Department of Health and Human Services.

  8. If the contract ends, require the business associate to return or delete all PHI it received from the covered entity.

  9. If a business associate uses subcontractors that have access to PHI, the business associate must ensure those subcontractors also sign a BAA.

  10. Let the covered entity terminate the agreement if the business associate violates terms.

🚨 Dialpad tip:

If you’re dealing with a VoIP provider that stores ePHI information for you and doesn’t ask for a Business Associate Agreement, run! You could be faced with some serious penalties.

Can VoIP phones be HIPAA-compliant?

Yes! Healthcare providers and their vendors need VoIP that follows HIPAA guidelines because calls could contain sensitive data stored electronically as ePHI. Many VoIP systems are totally able to abide by HIPAA criteria—they just need to meet the following requirements.

  • Business Associate Agreement: We covered this in the previous section, but this is the contract that mandates HIPAA compliance by all business parties involved.

  • Authentication: Every phone is able to present a unique user ID.

  • Encryption: Transport Layer Security (TLS), virtual private networks (VPN), and other encryption technologies are in place to safeguard data.
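The three requirements above, together with the list of ePHI-bearing features earlier in the article, make a checklist you can run against a tenant’s configuration. The audit below is an added example, not Dialpad’s or any provider’s code; the config fields and both sample configs are assumptions constructed for illustration.

```python
"""Audit a VoIP tenant configuration against the HIPAA checklist in this
article: BAA in place, ePHI-bearing features inside the BAA's scope,
encrypted transport (TLS or VPN), unique user IDs, bounded retention.
Config field names are hypothetical; sample configs are constructed."""
from dataclasses import dataclass, field

# Features the article lists as sources of stored ePHI in a phone system.
EPHI_FEATURES = {"call_recording", "voicemail", "voicemail_transcription",
                 "sms", "fax_to_email", "chat_history"}

@dataclass
class VoipConfig:
    baa_signed: bool
    baa_covered_features: set = field(default_factory=set)
    enabled_features: set = field(default_factory=set)
    tls_enabled: bool = False        # signaling/media protected by TLS
    vpn_enabled: bool = False        # or carried inside a VPN tunnel
    unique_user_ids: bool = False    # every phone presents its own user ID
    retention_days: int = 0          # 0 means "keep forever"

def audit(cfg: VoipConfig, max_retention_days: int = 30) -> list:
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    if not cfg.baa_signed:
        findings.append("no Business Associate Agreement in place")
    # Every enabled feature that stores ePHI must be inside the BAA's scope.
    for feat in sorted(cfg.enabled_features & EPHI_FEATURES):
        if feat not in cfg.baa_covered_features:
            findings.append(f"{feat} is enabled but not covered by the BAA")
    if not (cfg.tls_enabled or cfg.vpn_enabled):
        findings.append("transport is not encrypted (no TLS and no VPN)")
    if not cfg.unique_user_ids:
        findings.append("phones do not present a unique user ID")
    # The article's suggested retention window is 30 days.
    if cfg.retention_days == 0 or cfg.retention_days > max_retention_days:
        findings.append(f"retention exceeds {max_retention_days} days")
    return findings

# Constructed "before" config: consumer-grade defaults, nothing signed.
WEAK = VoipConfig(baa_signed=False,
                  enabled_features={"call_recording", "sms"})

# Constructed "after" config: SMS switched off because it sits outside the
# BAA's scope; everything still enabled is covered and encrypted.
HARDENED = VoipConfig(baa_signed=True,
                      baa_covered_features={"call_recording", "voicemail"},
                      enabled_features={"call_recording", "voicemail"},
                      tls_enabled=True, unique_user_ids=True,
                      retention_days=30)
```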

What are the best HIPAA-compliant VoIP providers?

There are a lot of VoIP providers out there, but only a handful are HIPAA compliant. Unfortunately, it isn’t always obvious which ones are and which ones aren’t by skimming their homepage. To make things easier—and save you some time—we did the digging for you.

Here’s a quick rundown of HIPAA compliant vs. non-compliant VoIP providers:

VoIP providers that can be HIPAA compliant

VoIP providers that aren’t HIPAA-compliant


Dialpad: The HIPAA compliant unified communications platform that’s healthcare ready


Dialpad offers more than just VoIP. Get HIPAA-compliant unified communications with talk, messaging, video conferencing, and more.

Now you have a few options for VoIP providers willing to enter into a BAA and that can have their phone systems configured to meet HIPAA guidelines—in our opinion, Dialpad is the best option, hands down.

Are we a little biased? Sure. Does that make it any less true though? You can be the judge of that—it’s why we offer a 14-day free trial.

There are also many practices and organizations in the healthcare space that use Dialpad—you can check out their stories here:

Here’s how Dialpad keeps communications HIPAA compliant, as well as uses the power of the cloud to keep your data managed, protected, and private:

  • Rigorous security risk assessment: Dialpad is SOC 2 Type 2 certified and has completed the Cloud Security Alliance’s Consensus Assessment Initiative Questionnaire (CAIQ), which addresses the controls listed in the HIPAA Security and Privacy Rules and meets the needs of a HIPAA Security Risk Assessment.

  • BAA: Dialpad provides contractual assurance to implement HIPAA safeguards protecting ePHI. This also ensures that any subcontractors partnered with Dialpad will follow the same safeguards.

  • Identity and access management: Single sign-on (SSO) and automated user provisioning through providers like Azure, Google Workspace, OneLogin, and Okta mean that the right people on your team always have access to the right data. No less, no more. And if you’re using passwords, sign-in is carried over HTTPS and secured under the admin’s choice of OAuth 2.0, SAML 2.0, or an email-and-password combination (with the password stored as a salted, one-way cryptographic hash).

  • Google Cloud Platform: Dialpad’s websites, web apps, smartphone back end, and customer-sensitive data are processed and stored using trusted and reliable Google Cloud Platform services.

  • Failovers and backups: Automatic backups are built into our system. Every aspect of our system has been designed with redundancy in mind so that in the event of a failure, there’s always an alternative to take its place immediately.

  • 24/7 emergency response: Dialpad’s team is available 24/7/365 and employs a “follow the sun” support model so that no matter where you are, Dialpad is available when you need us.

  • Proactive logs and monitoring: We log and monitor access to sensitive information and systems, and we have event monitoring in place, complete with staff who are trained to proactively identify unusual activity.

  • Customizable retention policies: From call recording to cutting-edge speech recognition and real-time analytics, use Dialpad’s full range of tools with confidence knowing that you can keep the data you need, for as long as you need it (and no longer). Dialpad’s BAA includes a suggested 30-day retention policy for BAA customers to reduce your exposure. This period can be extended if needed.



FAQs about HIPAA-compliant VoIP

Is Google Voice HIPAA-compliant?

It can be, yes.

There’s a free version and a paid version of Google Voice—you need the paid one if you want to be HIPAA compliant. That’s because Google won’t provide a BAA with their free plans. Oh, and you’ll need to use Google Workspace to get the paid version.

Keep in mind though, Google Workspace isn’t going to be properly configured to be HIPAA compliant when you buy the subscription. Signing the BAA with Google is the first step, but not the only one. So you might want to get in touch with their support team to make sure you’ve got all your bases covered.

Why does Dialpad’s BAA exclude SMS and fax?