
A business phone service has to meet a lot of requirements—reliability, features, cost—and in the healthcare business, there’s one that jumps to the top of the list: HIPAA compliance.

The Health Insurance Portability and Accountability Act (HIPAA) has been the defining privacy law for American healthcare providers since 1996, and it’s just as relevant today as it was back then. The purpose of HIPAA, together with its 2009 update, the Health Information Technology for Economic and Clinical Health Act (HITECH), is to protect patients’ protected health information (PHI), including its electronic form (ePHI), from data breaches and unauthorized access. Providers that breach this law can face hefty penalties and even imprisonment. So yeah, it’s a big deal.

A phone system is an integral part of healthcare operations, but choosing the right provider is crucial to stay HIPAA compliant.

In this article, we’re going to cover the following:

  • What makes a phone system HIPAA-compliant
  • What the best HIPAA-compliant VoIP providers are
  • FAQs about HIPAA-compliant VoIP

Let’s get into it.

What is a HIPAA-compliant phone service?

Put simply, a phone system that’s “HIPAA compliant” meets all the requirements that HIPAA lays out for safeguarding patient data, specifically the aptly named Privacy and Security Rules, which together lay out the standards for protecting ePHI.

The Privacy Rule

The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, sets the national standard for the protection of health information. At the same time, this rule also assures that health information is available to healthcare providers as needed to provide optimal care to patients. In other words, the Privacy Rule strikes a balance that allows information to be used while also protecting the privacy of the people seeking care.

The Security Rule

The Security Rule, or Security Standards for the Protection of Electronic Protected Health Information, sets the national standard for protecting certain health information that is held or transferred in electronic form. This rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical measures that organizations (also known as Covered Entities) need to have in place to keep individuals’ ePHI safe. So a phone service that’s HIPAA-compliant needs to take into consideration every source of ePHI, such as:

  • Caller ID information. Even without a recording, the call log links an individual to a medical practice and the types of services they provide.

  • Call recording. Conversations are ephemeral and are not PHI, but recordings may contain PHI.

  • Voicemail. Anywhere there’s content, there is potential for detailed personal data.

  • Voicemail transcription. Turning voice messages into text accessible via email or text is convenient, and another source of data.

  • SMS. Convenient, useful, and another channel to examine carefully for personal data.

  • Fax to email. Traditional faxing doesn’t create stored electronic records, but fax to email does.

  • Unified communications. A communications platform that offers more than just voice can have electronic data in the form of stored chat or even video conferencing history.

“What if I just turned those features off? Would that make my phone service HIPAA compliant?”

We mean, it could… but 1996 is calling and it wants its phone system back. Why limit the usefulness of your VoIP service to ‘90s-era technology? Instead, stick with us and we’ll help you use cloud-based, AI-powered business VoIP to keep your patients well and their data safe.

🧠 Dialpad tip: By partnering with a VoIP provider that’s well versed in the healthcare industry, you’ll also gain a trusted advisor to help you address any HIPAA compliance concerns.

The Business Associate Agreement

Before anything else, a business phone service provider must be willing and able to sign a Business Associate Agreement per HIPAA regulations. Doing so assures clients that the vendor takes responsibility for the HIPAA compliance of the platform, and is required by law for HIPAA compliance.

A Business Associate Agreement (BAA) is a written contract between the provider (a Business Associate) and another party, whether that’s a Covered Entity (like a hospital or clinic) or another Business Associate (like an insurer, IT contractor, or billing consultant).

A BAA has 10 provisions that need to be covered:

  1. Determine what PHI can be used by the business associate and under what circumstances.

  2. Assure the business associate will not use or release PHI unless required by the contract or by law.

  3. Require the business associate to use appropriate safety measures to prevent unauthorized access to PHI, including up-to-date encryption for electronic PHI (ePHI).

  4. Require the business associate to report to the covered entity any data breaches of unsecured protected health information.

  5. Make sure the business associate releases PHI when a patient asks for it.

  6. Define what components of the HIPAA Privacy Rule the business associate is responsible for and make sure it’s following them.

  7. Require the business associate to make its internal practices, books, and records available to the US Department of Health and Human Services.

  8. If the contract ends, require the business associate to return or delete all PHI it received from the covered entity.

  9. If a business associate uses subcontractors that have access to PHI, the business associate must ensure those subcontractors also sign a BAA.

  10. Let the covered entity terminate the agreement if the business associate violates terms.

🚨 Dialpad tip: If you’re dealing with a VoIP provider that stores ePHI information for you and doesn’t ask for a Business Associate Agreement, run! You could be faced with some serious penalties.

Can VoIP phones be HIPAA-compliant?

Yes! Healthcare providers and their vendors need VoIP that follows HIPAA guidelines because calls could contain sensitive data stored electronically as ePHI. Many VoIP systems are totally able to abide by HIPAA criteria—they just need to meet the following requirements.

  • Business Associate Agreement: We covered this in the previous section, but this is the contract that mandates HIPAA compliance by all business parties involved.

  • Authentication: Every user and phone is identified by a unique user ID, so access to ePHI can be tied to an individual.

  • Encryption: Transport Layer Security (TLS), virtual private networks (VPN), and other encryption technologies are in place to safeguard data.

What are the best HIPAA-compliant VoIP providers?

There are a lot of VoIP providers out there, but only a handful are HIPAA compliant. Unfortunately, it isn’t always obvious which ones are and which ones aren’t by skimming their homepage. To make things easier—and save you some time—we did the digging for you.

Here’s a quick rundown of HIPAA compliant vs. non-compliant VoIP providers:

VoIP providers that can be HIPAA compliant

VoIP providers that aren’t HIPAA-compliant

Dialpad: The HIPAA compliant unified communications platform that’s healthcare ready

Dialpad offers more than just VoIP. Enjoy HIPAA-compliant unified communications with talk, messaging, video conferencing, and more.

Now you have a few options for VoIP providers willing to enter into a BAA and that can have their phone systems configured to meet HIPAA guidelines—Dialpad is the best option though, hands down.

Are we a little biased? Sure. Does that make it any less true though? You can be the judge of that—it’s why we offer a 14-day free trial of Dialpad.

Here’s how Dialpad keeps communications HIPAA compliant, as well as uses the power of the cloud to keep your data managed, protected, and private:

  • Rigorous security risk assessment: Dialpad is SOC2 Type 2 certified and has completed the Cloud Security Alliance’s Consensus Assessment Initiative Questionnaire (CAIQ), which addresses the controls listed in the HIPAA Security and Privacy Rules and meets the needs of the HIPAA Security Risk Assessment.

  • BAA: Dialpad provides contractual assurance to implement HIPAA safeguards protecting ePHI. This also ensures that any subcontractors partnered with Dialpad will also follow these safeguards.

  • Identity and access management: Single sign-on (SSO) and automated user provisioning through providers like Azure, Google Workspace, OneLogin, and Okta mean that the right people on your team always have access to the right data. No less, no more. And if you’re using passwords, sign-in traffic is sent over HTTPS and is secured under the admin’s choice of OAuth 2.0, SAML 2.0, or an email and password combination (the password is never stored in the clear; it’s stored as a salted one-way cryptographic hash).

  • Google Cloud Platform: Dialpad websites, web apps, the smartphone back-end, and customer-sensitive data are processed and stored using trusted and reliable Google Cloud Platform services.

  • Failovers and backups: Automatic backups are built into our system. Every aspect of our system has been designed with redundancy in mind so that in the event of a failure, there’s always an alternative to take its place immediately.

  • 24/7 emergency response: Dialpad’s team is available 24/7/365 and employs a “follow the sun” support model so that no matter where you are, Dialpad is available when you need us.

  • Proactive logs and monitoring: We log and monitor access to sensitive information and systems and have event monitoring in place, complete with staff who are trained to proactively identify unusual activity.

  • Customizable retention policies: From call recording to cutting-edge speech recognition and real-time analytics, use Dialpad’s full range of tools with confidence knowing that you can keep the data you need, for as long as you need it (and no longer). Dialpad’s BAA includes a suggested 30-day retention policy for BAA customers to reduce your exposure. This period can be extended if needed.

FAQs about HIPAA-compliant VoIP

Is Google Voice HIPAA-compliant?

It can be, yes.

There’s a free version and paid version of Google Voice—you need the paid one if you want to be HIPAA compliant. That’s because Google won’t provide a BAA with their free plans. Oh, and you’ll need to use Google Workspace to get the paid version.

Keep in mind though, Google Workspace isn’t going to be properly configured to be HIPAA compliant when you buy the subscription. Signing the BAA with Google is the first step, but not the only one. So you might want to get in touch with their support team to make sure you’ve got all your bases covered.

Why does Dialpad’s BAA exclude SMS and Fax?

Dialpad is HIPAA compliant because of both technical controls (such as encryption and individual user licenses) and contractual controls (specifically, our signing a BAA with underlying providers like Google that may be used when processing customer data).

SMS and fax lack these controls, which is why, industry-wide, they’re generally not preferred for communicating PHI. Dialpad's BAA doesn’t cover SMS (traditional text and media messaging carried over a cellular carrier's network) for transmitting ePHI because SMS messages aren’t encrypted and may be retained in clear text by the carrier or on the device.

For similar reasons, Dialpad's eFax provider does not offer a BAA with Dialpad, which means that Dialpad can’t, in turn, include virtual fax services within its BAA to its customers.

This is why Dialpad's BAA excludes those two features. Based on guidance from HHS, it may nonetheless be permissible for your office to use fax to transmit PHI, potentially with a waiver between the patient and your office that acknowledges and accepts the technical limitations of those technologies. Those details would be worked out with your internal compliance counsel, and Dialpad would provide a BAA covering all of the elements that it controls.