VoIP is a game-changer for the healthcare industry’s communication landscape, allowing for quicker, more reliable communication. It also brings with it a multitude of HIPAA concerns that can be confusing to navigate. We turned to IT risk and compliance expert Robbie Morris to explain why a VoIP solution is subject to HIPAA compliance and what measures should be taken to protect your patient data.
“VoIP is a wonderful tool for communicating until it’s not set up correctly and costs a company thousands in HIPAA fines,” says Robbie. Among VoIP’s rich features are voice messages transcribed into email, call recording, fax to email and more. However, these features also create electronic data of patient information. “When electronic data containing confidential patient information is created and stored on the VoIP system, it is subject to HIPAA compliance,” says Robbie. “But there’s no need to be alarmed if your VoIP provider has experience and expertise with HIPAA compliance for VoIP.”
Protecting VoIP’s Electronic Data
Let’s start with identifying the VoIP features that can create electronic patient data:
- Voicemail transcription: Transcribes a voice message to text and sends the text via email or SMS.
- Fax to email: Traditional faxing doesn’t create electronic data, but fax to email can create stored electronic patient data.
- Voicemail: These messages are electronic data stored in the VoIP phone system.
- Call recording: Talking on the phone doesn’t create electronic data by itself, but it does if VoIP is used to record the conversation.
- Unified communications: When VoIP is paired with unified communications, features such as instant messaging can be enabled. Stored chat histories are considered electronic data.
Some VoIP providers simply turn off these features to ensure a healthcare organization is compliant. “Hiding from these features that you likely paid for is not a good solution and dramatically reduces the usefulness of VoIP as a communication tool. If you have partnered with a smart and experienced hosted voice provider, they can advise you on common HIPAA compliance issues,” says Robbie.
Steps VoIP providers should take to keep patient data safe include:
- Phones must be authenticated with a unique ID. That involves a specific username and password assigned to each phone.
- Stored data such as call recording and chat logs should be encrypted.
- Detailed call records should be maintained.
- The system should have role-based access controls for administration.
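As an added example (not C Spire’s code or tooling), the Python audit below checks a constructed VoIP inventory against the four provider controls listed above: unique credentials per phone, encryption of stored recordings and chat logs, retained call records, and role-based administration. The record fields and the one-superadmin limit are assumptions for illustration.

```python
from collections import Counter

# Constructed sample inventory; field names are assumptions for this example.
PHONES = [
    {"ext": "101", "username": "sip-101", "password_set": True},
    {"ext": "102", "username": "sip-102", "password_set": True},
    {"ext": "103", "username": "sip-102", "password_set": True},   # credential shared with 102
    {"ext": "104", "username": "sip-104", "password_set": False},  # no password configured
]
STORAGE = {
    "call_recordings": {"encrypted_at_rest": True},
    "chat_logs": {"encrypted_at_rest": False},  # stored chat history left in the clear
}
CDR = {"enabled": True, "retention_days": 0}  # call detail records produced but not kept
ADMIN_USERS = [
    {"user": "alice", "role": "billing_admin"},
    {"user": "bob", "role": "superadmin"},
    {"user": "svc-helpdesk", "role": "superadmin"},  # second unrestricted admin
]
MAX_SUPERADMINS = 1  # assumed local policy: one unrestricted administrator account


def audit(phones, storage, cdr, admins):
    """Return a list of findings; an empty list means all four controls pass."""
    findings = []
    # 1. Unique ID per phone: no username reused across devices, every phone has a password.
    counts = Counter(p["username"] for p in phones)
    for p in phones:
        if counts[p["username"]] > 1:
            findings.append(f"ext {p['ext']}: username {p['username']} shared with another phone")
        if not p["password_set"]:
            findings.append(f"ext {p['ext']}: no password configured")
    # 2. Stored data (recordings, chat logs) must be encrypted at rest.
    for name, cfg in storage.items():
        if not cfg["encrypted_at_rest"]:
            findings.append(f"{name}: not encrypted at rest")
    # 3. Detailed call records must be maintained, not just generated.
    if not cdr["enabled"] or cdr["retention_days"] <= 0:
        findings.append("call detail records not retained")
    # 4. Role-based administration: unrestricted roles limited to the assumed maximum.
    supers = [a["user"] for a in admins if a["role"] == "superadmin"]
    if len(supers) > MAX_SUPERADMINS:
        findings.append("superadmin role granted to multiple accounts: " + ", ".join(supers))
    return findings


if __name__ == "__main__":
    for finding in audit(PHONES, STORAGE, CDR, ADMIN_USERS):
        print("FINDING:", finding)
```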
“The C Spire Business team takes additional HIPAA-compliance steps with the organizations we are in partnership with,” says Robbie. “It’s part of our customer-inspired approach to business IT.”
C Spire Business' additional steps include:
- Business Associate Agreement: This agreement essentially says we agree to work with a company to help them be compliant. In other words, we are in it together to make a business compliant.
- Risk assessments: Our team of ethical hackers regularly analyzes the VoIP network.
- Data Centers: The physical security in our data centers is tightly controlled.
- Security: We enforce and monitor network security via segmentation, password management, and access control monitoring.
- Implementation: Secure implementation of a VoIP solution is key. Our team of in-house experts ensures the system is set up correctly from the beginning.
- Training: We offer regular training to our healthcare customers on VoIP features, ensuring the system is being used safely and fully.
- Reporting: The VoIP system can pull customized activity reports, which are important for HIPAA documentation efforts.
Internet & phone bundles + real support
C Spire Business is an industry leader in customer support for internet, VoIP phones and managed services. We have a wide range of internet and VoIP phone options available in Tennessee, Mississippi and Alabama, plus the customer support to back it up.