What makes a VoIP phone system HIPAA compliant?

By: Christina Southern on Feb 19, 2020 8:11:00 AM

VoIP HIPAA blogVoIP is a game-changer for the healthcare industry’s communication landscape, allowing for quicker, more reliable communication. It also brings with it a multitude of HIPAA concerns that can be confusing to navigate. We turned to IT risk and compliance expert Robbie Morris to explain why a VoIP solution is subject to HIPAA compliance and what measures should be taken to protect your patient data.

[Ready for VoIP? Click here.]

“VoIP is a wonderful tool for communicating until it’s not set up correctly and costs a company thousands in HIPAA fines,” says Robbie. Among VoIP’s rich features are voice messages transcribed into email, call recording, fax to email and more. However, these features also create electronic data of patient information. “When electronic data containing confidential patient information is created and stored on the VoIP system, it is subject to HIPAA compliance,” says Robbie. “But there’s no need to be alarmed if your VoIP provider has experience and expertise with HIPAA compliance for VoIP.”

Protecting VoIP’s Electronic Data

Let’s start with identifying the VoIP features that can create electronic patient data:

  • Voicemail transcription: Transcribes voice message to text and sends the info via email or text.
  • Fax to email: Traditional faxing doesn’t create electronic data, but fax to email can create stored electronic patient data.
  • Voicemail: These messages are electronic data that is stored in a VoIP phone system.
  • Call recording: Talking on the phone doesn’t create electronic data but it can if VoIP is used to record the conversation.
  • Unified communications: When VoIP is paired with unified communications, features such as instant messaging can be enabled. Stored chat histories are considered electronic data.

Some VoIP providers simply turn off these features to ensure a healthcare organization is compliant. “Hiding from these features that you likely paid for is not a good solution and dramatically reduces the usefulness of VoIP as a communication tool. If you have partnered with a smart and experienced hosted voice provider, they can advise you on common HIPAA compliance issues,” says Robbie.

Steps VoIP providers should take to keep patient data safe include:  

  • Phones must be authenticated with a unique ID. That involves a specific username and password assigned to each phone.
  • Stored data such as call recording and chat logs should be encrypted.
  • Detailed call records should be maintained.
  • The system should have role-based access controls for administration.

“The C Spire Business team takes additional HIPAA-compliance steps with the organizations we are in partnership with,” says Robbie. “It’s part of our customer-inspired approach to business IT.”

C Spire Business' additional steps include:

  • Business Associate Agreement: This agreement essentially says we agree to work with a company to help them be compliant. In other words, we are in it together to make a business compliant.
  • Risk assessments: Our team of ethical hackers regularly analyze the VoIP network.
  • Data Centers: The physical security in our data centers is tightly controlled.
  • Security: We enforce and monitor network security via segmentation, password management, and access control monitoring
  • Implementation: Secure implementation of a VoIP solution is key. Our team of in-house experts ensures the system was setup correctly from the beginning.
  • Training: We offer regular training to our healthcare customers on VoIP features, ensuring the system is being used safely and fully.
  • Reporting: The VoIP system can pull customized activity reports, which are important for HIPAA documentation efforts.

Find the Right Provider
If you aren’t sure your hosted voice provider is meeting your expectations and helping you meet your compliance needs, it’s time to look for another partner. The following two resources will help you do that:

  1. 4 Criteria for Choosing a VoIP Provider. This guide explains what you can expect from the right VoIP provider – from a customized VoIP solution, personal training of your employees, to personalized communication strategies in case of emergencies.
    Get the Guide >>
  2. Comparison ChecklistThere are 10 key components needed for VoIP success. Use this thorough checklist to help you compare how multiple VoIP companies stack up.
    Get the Checklist >>[Ready for VoIP? Click here.]

Topics: voip, hosted voice, business phones

Insight. Experience. Your IT partner. C Spire Business is a managed solutions provider that brings together a team of specialized IT experts to deliver a wide range of technology services for your business. We collaborate with your team to provide new ideas and technologies that keep you prepared for the future. From cloud services to VoIP, our engineers work with you to offer customer inspired IT solutions focused on your needs.

The information contained in this site is provided for informational purposes only, and should not be construed as legal advice on any subject matter.

Sign up for our monthly newsletter.

For the latest in technology trends, industry news, and C Spire updates.