
HIPAA-compliant VoIP: What it is and how to choose one

Preston
Preston Thomas

Senior Privacy and Compliance Counsel


A business phone service has to meet a lot of requirements — reliability, features, cost — and in the healthcare business, there's one that jumps to the top of the list: HIPAA compliance.

The Health Insurance Portability and Accountability Act (HIPAA) has been the defining privacy law for American healthcare providers since 1996, and it's just as relevant today as it was back then. The purpose of HIPAA, together with its 2009 update, the Health Information Technology for Economic and Clinical Health Act (HITECH), is to protect patients' personal health information (PHI and ePHI) from data breaches and unauthorized access. Providers that violate this law can face significant financial penalties and, in serious cases, criminal liability.

A phone system is an integral part of healthcare operations, and choosing the right provider is a key part of meeting your HIPAA obligations. In this guide, we'll cover what makes a VoIP system capable of supporting HIPAA compliance, what to look for in a provider, and how Dialpad approaches security and compliance for healthcare customers.

What is a HIPAA-compliant phone service?

A HIPAA-compliant phone service is one that's built to handle protected health information (PHI) and electronic protected health information (ePHI) securely — through features like encryption, access controls, and secure storage — in a way that can help your organization meet the requirements set out in HIPAA's Privacy and Security Rules.

In practice, "HIPAA-compliant" is a useful shorthand, but it's worth understanding what it actually means for a phone system. HIPAA compliance isn't a certification a vendor earns once and keeps forever. It's an ongoing shared responsibility: the vendor needs to have the right technical safeguards in place, and the healthcare organization needs to configure and use the system correctly.

That's why the most accurate way to think about a phone service in this context is whether it's HIPAA-ready — meaning it provides the infrastructure and controls that enable your organization to meet its own compliance obligations. For Dialpad, that starts with signing a Business Associate Agreement (BAA), which establishes the contractual foundation for HIPAA-aligned use.

A HIPAA-ready phone service needs to account for every place ePHI can appear, including:

  • Caller ID and call logs, which can link an individual to a medical practice even without a recording

  • Call recordings and voicemails, which may contain detailed patient information

  • Voicemail transcriptions and SMS, which convert voice or text content into stored electronic data

  • Fax to email and unified communications, where chat history, video conferencing records, and other content may also carry ePHI

What HIPAA requirements apply to phone services?

HIPAA applies to any communication system used to transmit or discuss protected health information, and that includes VoIP. When a patient calls to schedule an appointment, discuss a diagnosis, or ask about billing, that conversation can carry PHI. The phone system handling it needs to have the right safeguards in place to ensure that information stays protected, whether it's in transit or at rest.

For healthcare organizations, this means evaluating every layer of their communications stack: not just calls, but voicemail, transcription, fax, messaging, and any other channel where patient data might appear.

Who does this apply to? HIPAA requirements apply to Covered Entities — including hospitals, clinics, health plans, and healthcare clearinghouses — as well as their Business Associates: any vendor or contractor that creates, receives, maintains, or transmits PHI on their behalf. If you're using a VoIP provider that touches patient data in any way, that provider is a Business Associate under HIPAA.

The Privacy Rule

The Privacy Rule sets the national standard for protecting individually identifiable health information. It strikes a deliberate balance: PHI must be kept private, but it also needs to be accessible to providers when it's needed to deliver care. For phone services, this means having controls in place that govern who can access recordings, transcripts, voicemails, and other stored communications, and under what circumstances.

The Security Rule

The Security Rule builds on the Privacy Rule by specifying the technical and non-technical safeguards that Covered Entities and their Business Associates must have in place to protect ePHI. For VoIP systems specifically, the Security Rule is where the practical requirements live.

The key requirements most relevant to a HIPAA-ready phone service are:

  • Encryption: To mitigate risk, ePHI should be protected in transit and at rest. For VoIP, this typically involves using protocols like Transport Layer Security (TLS) and Secure Real-Time Transport Protocol (SRTP) to ensure that calls, recordings, voicemails, and transcripts are less likely to be intercepted or accessed by unauthorized parties.

  • Access controls: Only authorized users should be able to access systems that store or transmit ePHI. This includes role-based permissions, user-level licensing, and integrations with identity management tools like SSO to ensure access is granted and revoked appropriately.

  • Audit trails: HIPAA requires organizations to be able to track who accessed PHI, when, and what they did with it. A HIPAA-ready phone system should log access to sensitive data and make those records available for review.

  • Authentication: Every user accessing the system needs to be verifiably identified. This typically means unique user IDs and secure login methods, not shared credentials or generic lines that can't be traced back to an individual.

A phone service that's HIPAA-ready needs to account for ePHI wherever it can appear across the communications stack:

  • Caller ID and call logs can link an individual to a medical practice even without a recording

  • Call recordings and voicemails may contain detailed patient information

  • Voicemail transcriptions and SMS convert voice or text content into stored electronic data

  • Fax to email creates a stored record where traditional faxing did not

  • Unified communications platforms may carry ePHI across chat, video, and other channels

The Business Associate Agreement

Before anything else, a business phone service provider must be willing and able to sign a Business Associate Agreement per HIPAA regulations. Doing so assures clients that the vendor takes responsibility for implementing the required safeguards on its end and is subject to HIPAA's enforcement framework.

A Business Associate Agreement (BAA) is a written contract between the provider (a Business Associate) and another party, whether that’s a Covered Entity (like a hospital or clinic) or another Business Associate (like an insurer, IT contractor, or billing consultant).

A BAA has a set of core provisions that need to be covered:

  1. Determine what PHI can be used by the business associate and under what circumstances.

  2. Assure the business associate will not use or release PHI unless required by the contract or by law.

  3. Require the business associate to use appropriate safeguards to prevent unauthorized access to PHI, consistent with the HIPAA Security Rule, including administrative, physical, and technical controls (which may include encryption for electronic PHI, or ePHI).

  4. Require the business associate to report to the covered entity any data breaches of unsecured protected health information.

  5. Make sure the business associate releases PHI when a patient asks for it.

  6. Define what components of the HIPAA Privacy Rule the business associate is responsible for and make sure it’s following them.

  7. Require the business associate to make its internal practices, books, and records available to the US Department of Health and Human Services.

  8. If the contract ends, require the business associate to return or delete all PHI it received from the covered entity.

  9. If a business associate uses subcontractors that have access to PHI, the business associate must ensure those subcontractors also sign a BAA.

  10. Let the covered entity terminate the agreement if the business associate violates terms.

How to choose a HIPAA-ready VoIP provider

Not every VoIP provider is equipped to support healthcare organizations, and it's not always obvious from a website homepage which ones are. Evaluating a provider's security and compliance capabilities before signing a contract is essential. The right provider should be able to demonstrate specific technical safeguards, not just claim general compliance. The features below are the ones worth examining closely when making that decision.

  • Business Associate Agreement (BAA): This is the non-negotiable starting point. A provider that handles ePHI on your behalf is a Business Associate under HIPAA, which means a signed BAA is legally required before you can use their platform for patient communications. If a provider is unwilling or unable to sign one, they're not a viable option for healthcare use.

  • Encryption: Look for a provider that encrypts data both in transit and at rest. For VoIP specifically, this typically involves protocols like Transport Layer Security (TLS) and Secure Real-Time Transport Protocol (SRTP) for calls, as well as encrypted storage for recordings, voicemails, and transcripts.

  • Access controls: The platform should support role-based permissions and user-level licensing so that access to sensitive data is limited to authorized individuals. SSO integrations and automated provisioning are worth looking for, since they make it easier to manage access at scale and ensure former employees are removed promptly.

  • Audit logging: A HIPAA-ready provider should maintain detailed logs of who accessed the system, when, and what actions they took. These records are essential for demonstrating compliance and for investigating any potential incidents.

  • Data retention controls: Your provider should give you the ability to set and customize retention policies for recordings, transcripts, and other stored communications so you can keep data as long as your compliance program requires, and no longer.
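The encryption item above, and the matching one in the Security Rule list, says calls should use TLS and SRTP. This added Python example, not Dialpad's code, shows what that looks like on the wire: it parses constructed SDP offers and reports whether each media stream negotiates keyed SRTP (via SDES or DTLS-SRTP) or falls back to plain RTP.

```python
# Added example (not Dialpad's code): audit SDP offers for keyed SRTP media.
# Sample offers are constructed; the key and fingerprint are placeholder values.
HDR = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nt=0 0\r\n"
SDES_OFFER = HDR + ("m=audio 49170 RTP/SAVP 0 8\r\n"
                    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:UExBQ0VIT0xERVJLRVlQTEFDRUhPTERFUg==\r\n")
DTLS_OFFER = HDR + ("a=fingerprint:sha-256 " + ":".join(["AB"] * 32) + "\r\n"
                    "m=audio 49172 UDP/TLS/RTP/SAVPF 111\r\na=setup:actpass\r\n")
PLAIN_OFFER = HDR + "m=audio 49174 RTP/AVP 0 8\r\n"

# SRTP (RFC 3711) is keyed by SDES (RFC 4568, a=crypto) or DTLS-SRTP
# (RFC 5764, a=fingerprint). SDES keys ride in cleartext SDP, so that variant
# protects media only when the SIP signaling carrying it runs over TLS.
SDES_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}
DTLS_PROFILES = {"UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_sdp(sdp):
    """Return one finding per m= section: media, profile, keying, srtp, issues."""
    session_attrs, findings, current = [], [], None
    for line in (ln.strip() for ln in sdp.splitlines()):
        if line.startswith("m="):
            media, _port, profile, *_ = line[2:].split()
            current = {"media": media, "profile": profile, "attrs": []}
            findings.append(current)
        elif line.startswith("a="):  # attrs before the first m= are session-level
            (current["attrs"] if current else session_attrs).append(line[2:])
    for f in findings:
        attrs = session_attrs + f.pop("attrs")  # session-level attrs apply everywhere
        has_crypto = any(a.startswith("crypto:") for a in attrs)
        has_fp = any(a.startswith("fingerprint:") for a in attrs)
        if f["profile"] in DTLS_PROFILES:
            keying, missing = ("dtls" if has_fp else None), "a=fingerprint"
        elif f["profile"] in SDES_PROFILES:
            keying, missing = ("sdes" if has_crypto else None), "a=crypto key"
        else:
            keying, missing = None, "an SRTP profile (plain RTP offered)"
        f["keying"], f["srtp"] = keying, keying is not None
        f["issues"] = [] if keying else [f"{f['media']} {f['profile']} lacks {missing}"]
    return findings

def offer_is_encrypted(sdp):
    """True only when every audio/video stream negotiates keyed SRTP."""
    return all(f["srtp"] for f in audit_sdp(sdp) if f["media"] in ("audio", "video"))
```

Run it against SDP bodies exported from your own SIP trace or a provider's documented sample to confirm that no audio or video stream is offered with a plain RTP/AVP profile.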

Dialpad: A HIPAA-ready unified communications platform for healthcare

Dialpad is designed to support the full range of healthcare communication needs (not just traditional hospital or clinic settings). For therapists, counselors, and independent practices, having a HIPAA-ready phone service that handles calls, voicemail, transcription, and messaging within a single platform can meaningfully reduce the administrative complexity of staying compliant. Whether you're running a multi-location health system or a specialized mental health practice, Dialpad can be configured to meet your compliance requirements once a BAA is signed.

Here's how Dialpad supports HIPAA-ready communications:

  • Business Associate Agreement (BAA): Dialpad provides contractual assurance to implement HIPAA safeguards protecting ePHI. This also ensures that any subcontractors partnered with Dialpad follow those same safeguards, consistent with HIPAA requirements. BAAs are available to eligible healthcare customers as part of the contracting and onboarding process.

  • Rigorous security standards: Dialpad has completed SOC 2 Type II audits and the Cloud Security Alliance's Consensus Assessment Initiative Questionnaire (CAIQ), which helps address the controls listed in the HIPAA Security and Privacy Rules and supports customers' HIPAA Security Risk Assessment efforts.

  • Identity and access management: Single sign-on (SSO) and automated user provisioning through providers like Azure, Google Workspace, OneLogin, and Okta help ensure the right people have access to the right data. Authorization is communicated over HTTPS and secured under the admin's choice of OAuth 2.0, SAML 2.0, or an encrypted email and password combination.

  • Proactive monitoring: Dialpad maintains logging and monitoring for access to sensitive information and systems, with event monitoring in place and staff trained to identify unusual activity.

  • Customizable retention policies: Dialpad's BAA is paired with configurable retention settings so you can align recordings, transcripts, and other stored communications with your organization’s retention and risk-management requirements.

  • Infrastructure and reliability: Dialpad's web apps, smartphone back-end, and customer data are processed and stored on Google Cloud Platform in the United States, with automatic failovers and backups built in throughout.

Dialpad's HIPAA-ready platform gives healthcare organizations the security infrastructure, contractual safeguards, and unified communications capabilities they need to keep patient data protected — without sacrificing the features that make modern communication work. If you're evaluating VoIP providers for your healthcare organization, see how Dialpad approaches compliance and security firsthand.

Looking for a HIPAA-ready VoIP provider?

See how healthcare organizations use Dialpad to keep patient communications secure, compliant, and connected. Book a demo to talk through your organization's needs.

HIPAA-ready VoIP FAQs