VoIP phone systems and apps are game-changers for the healthcare industry’s communication landscape, allowing for quicker, more reliable communication. Unfortunately, they also bring a multitude of HIPAA concerns that can be confusing for healthcare professionals to navigate.
“VoIP is a wonderful tool until it’s not set up correctly and costs a company thousands in HIPAA fines,” says Robbie Morris, senior manager, security at C Spire.
Some of VoIP’s most commonly used features are call recording, voicemail transcription and fax to email, all of which create electronic data containing patient information. “When electronic data containing confidential patient information is created and stored on the VoIP system, it is subject to HIPAA compliance,” says Robbie. “There’s no need to be alarmed, as long as your VoIP provider is experienced with HIPAA compliance for VoIP.”
Unfortunately, some VoIP providers simply don't know how to make VoIP HIPAA compliant. Their solution? Avoid the HIPAA concerns completely by simply turning off the features that could create electronic data. “Hiding from these features that you paid for is not a good solution and dramatically reduces the usefulness of VoIP as a communication tool. If you have partnered with a smart and experienced hosted voice provider, they can advise you on common HIPAA compliance issues,” says Robbie.
Here are the most common ways in which VoIP creates electronic patient data:
Voicemail transcription turns VoIP voice messages into text and then sends the data via email or text.
Fax to email. Traditional faxing doesn’t create electronic data, but fax to email can create stored electronic patient data.
Voicemail. These electronic messages are stored in a VoIP phone system.
Call recording. Talking on the phone doesn’t create electronic data, but it can if VoIP is used to record the conversation.
Unified communication apps. When VoIP is paired with mobile VoIP technology called unified communication applications, features such as instant messaging can be enabled. Stored chat histories are considered electronic data.
Protecting electronic data
Experienced VoIP providers know how to effectively protect data and avoid HIPAA violations. Unfortunately, it's not always clear which providers you can trust. Here are the most important steps a VoIP provider should take to ensure compliance:
VoIP phones must be authenticated with a unique ID. This ensures only authorized users have access.
Pro tip: Ask a potential provider if each VoIP phone will be assigned a username and password. If not, it's likely not authenticated.
Stored data such as call recordings and chat logs should be encrypted.
Business Associate Agreement. This agreement essentially says the VoIP provider agrees to work with you to help your VoIP system meet HIPAA compliance.
Implementation. Secure implementation of a VoIP solution is key. Your provider should ensure the system was set up correctly from the beginning.
Training. A provider should also offer customers regular training on VoIP features, ensuring the system is being used safely and fully.
Reporting. A VoIP system can pull customized activity reports, which are important for HIPAA documentation efforts.