What is a HIPAA Compliant Phone Service?
A HIPAA compliant phone service is any voice communication technology that supports compliance with the Administrative Simplification Regulations of the Health Insurance Portability and Accountability Act (HIPAA) when compliance is necessary. Because there are different circumstances in which compliance with this section of HIPAA may or may not be necessary, this article explains:
- Who does HIPAA apply to, and when does it apply?
- What does HIPAA say about phone communications?
- What is a HIPAA compliant phone service?
- How to make a phone service HIPAA compliant.
- Conclusion: Be sure to use a HIPAA compliant phone service.
Who Does HIPAA Apply To, and When Does It Apply?
The Administrative Simplification Regulations of HIPAA apply to health plans, health care clearinghouses, and healthcare providers (“covered entities”) that conduct electronic transactions for which the Department of Health and Human Services (HHS) has published standards. The standards can be found in Part 162 of the Administrative Simplification Regulations.
Some Administrative Simplification Regulations of HIPAA also apply to organizations (“business associates”) that provide a service for or on behalf of a covered entity when the service involves the creation, receipt, storage, or transmission of Protected Health Information (PHI). The applicable Regulations include the Security and Breach Notification Rules, and whichever other standards of HIPAA apply to the service being provided.
HIPAA applies to covered entities and business associates whenever PHI is used or disclosed. It does not matter whether a use or disclosure is electronic, verbal, or written – the covered entity or business associate must comply with the applicable regulations, standards, and implementation specifications to ensure the privacy of individually identifiable health information and the confidentiality, integrity, and availability of electronic PHI.
Uses and disclosures of PHI must be kept to the minimum necessary to achieve the purpose of the use or disclosure, unless a disclosure is:
- being made to a patient or HHS’ Office for Civil Rights,
- made to a healthcare provider for treatment purposes,
- required by law (subject to the limitations of 164.512), or
- authorized by the patient or their personal representative.
HIPAA may not apply, for example, if a healthcare provider neither conducts electronic transactions for which HHS has published standards nor subcontracts those transactions to a third party. In this case, the healthcare provider does not qualify as a covered entity and is not required to comply with HIPAA (although other privacy and security regulations may apply). However, if the same healthcare provider provides a service for or on behalf of a covered entity as a business associate, it will be required to comply with some HIPAA Rules.
What Does HIPAA Say about Phone Communications?
The most significant thing HIPAA says about phone communications is that they are not considered electronic communications if they are conducted over a “traditional telephone” or if the information being exchanged did not exist in electronic form immediately before the transmission. HHS has defined a “traditional telephone” as one using circuit switched voice communication service technologies through the Public Switched Telephone Network (PSTN).
In such cases, it is still necessary to ensure any uses or disclosures of PHI are permitted by the Privacy Rule or authorized by the patient, and – except where indicated above – disclosures are limited to the minimum necessary to achieve the purpose of the disclosure. Naturally, these conditions do not apply if a communication between a covered entity or a business associate and any other party does not involve a use or disclosure of PHI.
However, in all cases in which PHI is being disclosed over a phone service that is not a PSTN-based service, it is necessary to ensure the phone service is HIPAA compliant. This means the service must comply with the administrative, physical, and technical safeguards of the Security Rule and – if the phone service is part of a VoIP service or a UCaaS service provided by a third party – that a Business Associate Agreement is in place with the third party.
What is a HIPAA Compliant Phone Service?
A HIPAA compliant phone service is a phone service that includes the capabilities to support HIPAA compliance. It is important to be aware it is not the technology that determines compliance, but rather how the technology is configured and used. For example, a phone service could have the capabilities to support HIPAA compliance, but if every member of the workforce is provided with the same login credentials, it is impossible to use the service in compliance with HIPAA.
Therefore, a HIPAA compliant phone service should include capabilities such as end-to-end encryption, secure user authentication, audit controls, and data integrity controls. Depending on how the phone service is integrated with other services and on which devices it is deployed, it will also be necessary to ensure an automatic log-off capability exists and that data is backed up in a secure location rather than stored on a local device.
As mentioned previously, it is also necessary to enter into a Business Associate Agreement if the phone service is provided by a third party. This requirement applies even when voice messages are encrypted and the service provider cannot decipher messages because it does not have access to the decryption key. This type of service is referred to as a “no view service” by HHS, and the agency has issued guidance about why Business Associate Agreements are still necessary:
While encryption protects ePHI by significantly reducing the risk of the information being viewed by unauthorized persons, such protections alone cannot adequately safeguard the confidentiality, integrity, and availability of ePHI as required by the Security Rule. Encryption does not maintain the integrity and availability of the ePHI, such as ensuring that the information is not corrupted by malware, or ensuring through contingency planning that the data remains available to authorized persons even during emergency or disaster situations.
How to Make a Phone Service HIPAA Compliant
The keys to making a phone service HIPAA compliant are selecting an appropriate service, configuring it to work in compliance with HIPAA, and training members of the workforce on using the service in compliance with HIPAA. With regards to the first point, it is important that covered entities conduct due diligence and verify a phone service is HIPAA compliant rather than accepting a vendor’s word that it is.
It is often the case that a HIPAA compliant phone service (or any service) only has the capabilities to support HIPAA compliance if a covered entity subscribes to a certain plan or purchases security or compliance add-ons. Microsoft is one example of a vendor that operates in this manner; and while Microsoft is clear about the compliance capabilities of all its services, a number of vendors are not as transparent.
Thereafter, it is important that the service is configured to comply with HIPAA. This will mean applying rules, policies, and permissions for all users (or groups of users) and disabling services that could be misused to disclose unsecured PHI without authorization. For example, some VoIP and UCaaS services include SMS text messaging in multi-channel platforms. Sending PHI in an SMS is a violation of HIPAA unless a patient has specifically requested (and been warned about) SMS communications.
The final key to making a phone service HIPAA compliant is workforce training. While training members of the workforce on how to use a phone service in compliance with HIPAA might normally be included in security and awareness training, it is important not to ignore elements of the Privacy Rule – such as being conscious of the environment from which calls are made, verifying the identity of call recipients, and complying with the minimum necessary rule when required.
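The configuration and audit-control points above (one login per user, SMS disabled or limited to patients who have opted in, automatic log-off) are only useful if someone checks the service's audit logs against them. The following is an added example of such a review, not code from this article or from any phone-service vendor: it runs three checks over a small set of constructed session records. The record fields (`ts`, `user`, `device`, `event`, `to`, `opt_in`) and the 15-minute idle timeout are assumptions for the example; a real export would need to be mapped onto them.

```python
"""Review a phone/UCaaS audit log for three HIPAA configuration failures.

Constructed example: the log schema and sample records below are invented
for illustration and do not correspond to any vendor's export format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records. nurse.a's account is used from two desk
# phones at once (shared credentials); dr.b sends one SMS to a number
# with no recorded opt-in; nurse.a's desk-101 session stays open for
# long idle stretches that an automatic log-off should have ended.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "user": "nurse.a", "device": "desk-101", "event": "login"},
    {"ts": "2024-03-01T09:01:00", "user": "nurse.a", "device": "desk-117", "event": "login"},
    {"ts": "2024-03-01T09:05:00", "user": "dr.b", "device": "mobile-22", "event": "login"},
    {"ts": "2024-03-01T09:06:00", "user": "dr.b", "device": "mobile-22", "event": "sms_sent",
     "to": "+15550100", "opt_in": False},
    {"ts": "2024-03-01T09:10:00", "user": "dr.b", "device": "mobile-22", "event": "sms_sent",
     "to": "+15550199", "opt_in": True},
    {"ts": "2024-03-01T10:00:00", "user": "nurse.a", "device": "desk-101", "event": "call",
     "to": "+15550123"},
    {"ts": "2024-03-01T12:30:00", "user": "nurse.a", "device": "desk-101", "event": "logout"},
]


def _ordered(events):
    """Parse timestamps and return the records in chronological order."""
    parsed = [{**e, "ts": datetime.fromisoformat(e["ts"])} for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def shared_credential_logins(events):
    """Flag a login on a second device while the same account is still
    logged in on another device: the signature of a shared login."""
    open_devices = defaultdict(set)
    findings = []
    for e in _ordered(events):
        user, device = e["user"], e["device"]
        if e["event"] == "login":
            if open_devices[user] - {device}:
                findings.append((user, device, e["ts"].isoformat()))
            open_devices[user].add(device)
        elif e["event"] == "logout":
            open_devices[user].discard(device)
    return findings


def sms_without_opt_in(events):
    """Flag SMS messages sent to recipients with no recorded patient opt-in
    (SMS should otherwise be disabled on the platform)."""
    return [(e["user"], e["to"]) for e in _ordered(events)
            if e["event"] == "sms_sent" and not e.get("opt_in", False)]


def idle_sessions(events, timeout_minutes=15):
    """Flag gaps between activity on an open session that exceed the
    automatic log-off timeout, i.e. sessions the service left open."""
    last_seen = {}
    findings = []
    for e in _ordered(events):
        key = (e["user"], e["device"])
        if e["event"] == "login":
            last_seen[key] = e["ts"]
            continue
        if key not in last_seen:
            continue  # activity with no open session; out of scope here
        gap_minutes = (e["ts"] - last_seen[key]).total_seconds() / 60
        if gap_minutes > timeout_minutes:
            findings.append((e["user"], e["device"], int(gap_minutes)))
        if e["event"] == "logout":
            del last_seen[key]
        else:
            last_seen[key] = e["ts"]
    return findings


def review(events, timeout_minutes=15):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "shared_credentials": shared_credential_logins(events),
        "sms_without_opt_in": sms_without_opt_in(events),
        "idle_sessions": idle_sessions(events, timeout_minutes),
    }


if __name__ == "__main__":
    for check, findings in review(SAMPLE_EVENTS).items():
        print(f"{check}: {findings}")
```

Each check corresponds to one of the configuration requirements the article names: the first detects the shared-credential situation described as making compliance impossible, the second detects SMS use outside a patient's explicit request, and the third detects sessions that an automatic log-off should have closed. A compliance officer would run the same checks against a real log export after mapping the vendor's field names onto the ones assumed here.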
Conclusion: Be Sure to Use a HIPAA Compliant Phone Service
If your organization qualifies as a covered entity or business associate, and if it uses a non-PSTN system to communicate PHI by phone, it is important to use a HIPAA compliant phone service. Non-compliant services can result in unsecured PHI being accessed via man-in-the-middle attacks and supposedly secured PHI being accessed without authorization – both of which are notifiable data breaches that could result in financial penalties for violations of HIPAA.
FAQs
What is the importance of using a HIPAA compliant phone service in the healthcare industry?
Using a HIPAA compliant phone service in the healthcare industry helps protect patient privacy and maintain the security of electronic PHI. HIPAA sets specific standards for the transmission of electronic PHI; and, when these standards apply to phone calls, it is important any service used to transmit electronic PHI has the necessary safeguards to support HIPAA compliance.
How do HIPAA-compliant phone services ensure the security of electronic PHI?
HIPAA-compliant phone services ensure the security of electronic PHI by employing various measures to protect patient information before, during, and after phone calls in which PHI is disclosed. These measures include user authentication, encryption, and secure storage. Audit logs also allow compliance officers to review phone activity to monitor user compliance with HIPAA.
Can healthcare providers use regular phone services without violating HIPAA?
Healthcare providers can use regular phone services without violating HIPAA provided the services connect with a Public Switched Telephone Network (PSTN) rather than with the Internet. When using a regular phone service, it is equally important that users verify the identities of those they are calling, that PHI is only disclosed for permissible or authorized purposes, and that – where required – the amount of PHI disclosed is limited to the minimum necessary.
What features should one look for in a HIPAA compliant phone service?
The features one should look for in a HIPAA compliant phone service include end-to-end encryption, secure user authentication, automatic call logging, secure storage of call records, and secure transmission of voice data. The service should also provide detailed audit logs and access controls to monitor and control user access to patient information. It is advisable to select a provider that undergoes regular third-party audits and has a proven record of complying with HIPAA regulations.
How do HIPAA compliant phone services support secure messaging?
HIPAA compliant phone services support secure messaging by utilizing encrypted channels for messaging and ensuring that sensitive patient information remains protected during transmission. Services that use SMS or MMS for messaging should have these features disabled, as they are insecure communication channels that can expose unsecured PHI to unauthorized access.