HIPAA Compliant VoIP
A HIPAA compliant VoIP service is a service that facilitates voice communications via the Internet and has the necessary safeguards and audit controls to support HIPAA compliance, so that covered entities and business associates can exchange protected health information securely. With the increasing use of remote communication technologies and the increasing digitization of healthcare data, it’s more important than ever for healthcare organizations to maintain HIPAA compliance in all operations, including voice communications. This article provides an overview of what HIPAA compliant VoIP is and what steps healthcare providers need to take to make VoIP HIPAA compliant.
- What is HIPAA Compliance?
- What is VoIP?
- The Benefits of VoIP in Healthcare
- HIPAA and VoIP: Where They Meet
- Making VoIP HIPAA Compliant
- Select an appropriate platform
- Configure the platform
- Train members of the workforce
- Conclusion and FAQs
What is HIPAA Compliance?
HIPAA compliance means complying with the applicable standards, implementation specifications, and requirements of the HIPAA Administrative Simplification Regulations. The HIPAA Regulations resulted from the passage of the Health Insurance Portability and Accountability Act (HIPAA) in 1996, and include well-known Rules such as the Privacy, Security, and Breach Notification Rules, as well as less well-known Rules such as the General Provisions and Administrative Requirements.
Organizations required to comply with the HIPAA Regulations (“covered entities”) include group health plans, health care clearinghouses, and most healthcare providers. Business associates that provide services for or on behalf of a covered entity are required to comply with the Security and Breach Notification Rules in their entirety and, “where provided”, with any other of the Administrative Simplification Regulations that applies to the service being provided.
Members of these organizations’ workforces – whether the organization is a covered entity or a business associate – are also required to comply with HIPAA. In most cases, workforce compliance with HIPAA is the responsibility of the covered entity or business associate. However, individual members of the workforce who violate HIPAA can be held accountable for their actions by state and federal agencies and – in some cases – fined for non-compliance and/or receive a prison sentence.
What is VoIP?
Voice over Internet Protocol (VoIP) is a technology that allows voice communications to be sent over Internet connections instead of traditional phone lines. VoIP is widely used by businesses of all sizes due to its cost efficiency, scalability, and advanced features. As technology has evolved, VoIP platforms now support secure messaging, video conferencing, and AI-powered customer contact centers as well as one-to-one communications – all services utilized in the healthcare industry.
In the context of utilizing VoIP services in healthcare, there are circumstances when VoIP communications do not have to be HIPAA compliant. These include when Protected Health Information (PHI) is not disclosed in a communication, when the VoIP service provider is covered by the HIPAA conduit exception rule, or when the Department of Health and Human Services (HHS) issues a Notice of Enforcement Discretion during a public health emergency or a natural disaster.
In all other circumstances in which PHI is disclosed, VoIP communications are governed by HIPAA. It is important to note that compliance does not start and stop with the Security Rule – which stipulates the safeguards required to ensure the confidentiality, integrity, and availability of electronic PHI. Covered entities and business associates (and their workforces) must also comply with the standards of the Privacy Rule relating to verification, consent, and disclosing the minimum necessary PHI.
The Benefits of VoIP in Healthcare
One of the most significant benefits of implementing VoIP in healthcare is the enhanced communication it provides between healthcare professionals and patients. VoIP technology facilitates streamlined, reliable, and efficient communication through multiple channels, such as voice calls, video calls, and instant messaging. This can be particularly beneficial for telemedicine services, where face-to-face appointments are not possible or convenient.
Another benefit is the potential for increasing operational efficiency while reducing costs. Traditional communication systems can be expensive to install, maintain, and upgrade. In contrast, VoIP systems operate over an existing internet connection, eliminating the need for substantial hardware investment and maintenance. The scalable nature of VoIP also allows healthcare providers to easily adjust communication capacities based on their needs – making it a cost-effective solution.
VoIP also plays a vital role in facilitating multidisciplinary collaboration between healthcare professionals and ensuring continuity of care. With features such as voicemail-to-email transcription, virtual faxing, and integration with electronic health record (EHR) systems, healthcare professionals across different disciplines can collaborate effectively on patient care. This ensures continuity of care, a key aspect for positive patient outcomes and satisfaction scores, and reduced readmissions.
HIPAA and VoIP: Where They Meet
Most covered entities and business associates using VoIP communications subscribe to a service provided by a third party. Some of the biggest names in the provision of HIPAA compliant VoIP services include Microsoft (Teams and Skype), Google (Voice), Zoom, Verizon, Vonage, 8×8, and RingCentral. When these third parties provide a service that includes the creation, storage, and/or (non-conduit) transmission of PHI, they qualify as business associates in their own right.
Because they qualify as business associates, third party service providers assume certain responsibilities for providing a HIPAA compliant VoIP service. These include many of the administrative, physical, and technical safeguards of the Security Rule and, in some cases, the administrative requirements relating to Business Associate Agreements (most large service providers have a standard one-size-fits-all Business Associate Agreement that service users have to enter into).
VoIP service providers also have to design their services so they include the controls required by the technical safeguards of the Security Rule. The technical controls do not have to be configured to comply with HIPAA at the point of delivery. Usually, this is the responsibility of the service user (the covered entity or business associate). Nonetheless, the controls must be available to make VoIP HIPAA compliant, and should be easy to configure to avoid inadvertent violations and data breaches.
Making VoIP HIPAA Compliant
No software or service is HIPAA compliant by itself. It is how the software or service is configured and used that determines compliance. Therefore, it is important for covered entities and business associates to understand that there is no such thing as a HIPAA compliant VoIP service, there are only VoIP services that support HIPAA compliance. Additionally, VoIP HIPAA compliance consists of more than simply integrating federated access controls, as the following sections explain.
Select an appropriate platform
As mentioned previously, VoIP platforms have evolved considerably since the first VoIP services were released. Now, rather than just supporting voice communication, VoIP platforms support multiple channels of communication. However, whereas a platform may include a voice VoIP service that supports HIPAA compliance, it may also include a messaging VoIP service that does not support HIPAA compliance. For example, some platforms only support standard SMS messaging.
The problem this creates is that, unless a patient has requested SMS communications and has been warned SMS is not HIPAA compliant (and both the request and the warning are documented), communicating PHI via SMS is a HIPAA violation. Therefore, a platform that supports standard SMS messaging rather than (for example) secure chat messaging is not an appropriate platform or HIPAA compliant VoIP because there is an increased risk of a HIPAA violation if the SMS facility is used.
Configure the platform
It was also mentioned previously that platforms should be easy to configure in order to avoid HIPAA violations and data breaches. Most platforms do come with comprehensive instructions on how the platform should be configured to comply with HIPAA and/or the vendors provide support teams that can guide system administrators through the processes. Nonetheless, great care has to be taken over the configuration of certain features to make VoIP HIPAA compliant. Examples include:
- Configuring the platform for saving or forwarding voice calls.
- Determining when transcripts of voice calls should be produced.
- Putting safeguards in place to prevent the deletion of voice calls.
- Ensuring that archived files are saved in read-only format.
- Configuring call screening and call forwarding to other devices.
Train members of the workforce
Workforce training is a key component of HIPAA compliant VoIP because it is how the services are used that ultimately determines HIPAA compliance. Therefore, it may be necessary to recap on permissible uses and disclosures, verifying the identity of the individual answering a call, and obtaining patient consent to disclose PHI when others (i.e., caregivers or translators) are within earshot of a conversation. In some cases, the minimum necessary standard may apply.
In addition to Privacy Rule training on VoIP HIPAA compliance, it may be necessary to reinforce Security Rule best practices such as ensuring devices are PIN-locked and never left unattended when logged in, that passwords are never shared, and that any security incident or inadvertent disclosure of PHI is reported immediately to a compliance officer. It may also be advisable to instruct users not to circumvent the platform’s security controls or use alternative communication channels.
Conclusion and FAQs
HIPAA compliant VoIP is an essential part of ensuring privacy and security in healthcare communications. By understanding what this entails and what to look for in a service provider, healthcare organizations can maintain compliance while benefiting from VoIP technology. If you are in any doubt about how to make VoIP HIPAA compliant or how to train members of the workforce to use a VoIP platform in compliance with HIPAA, you should seek professional compliance advice.
What is HIPAA compliant VoIP?
HIPAA compliant VoIP is a type of voice-over-internet-protocol service that complies with the security standards of the Health Insurance Portability and Accountability Act (HIPAA). The security standards stipulate the measures required to ensure the confidentiality, integrity, and availability of PHI; and when a VoIP service receives, stores, or transmits PHI, compliance with these standards is necessary.
Why is it important for VoIP services to be HIPAA compliant?
It is important for VoIP services to be HIPAA compliant when they are used to collect, store, or transmit Protected Health Information because non-compliant systems could pose significant data privacy and security risks. Additionally, it is not only necessary for the system to be HIPAA compliant. As the vendor of the system has “persistent access” to PHI even if it is “no view access”, the vendor must also be HIPAA compliant.
How do VoIP services achieve HIPAA compliance?
VoIP services achieve HIPAA compliance by implementing various measures. Firstly, they encrypt all data, including voice messages, video calls, and transcripts. This ensures PHI cannot be deciphered if intercepted. Secondly, they support secure access controls to ensure only authorized personnel can access PHI. They also typically offer features such as call analytics and call logs to meet the requirements of the HIPAA Security Rule.
What steps should be taken to ensure the proper use of a HIPAA compliant VoIP system?
The steps that should be taken to ensure the proper use of a HIPAA compliant VoIP system are effective configuration and effective user training. Effective configuration will minimize the opportunities for members of the workforce to use the system improperly, while effective training will help users understand why they should not attempt to circumvent the system’s security controls “to get the job done”.
Are healthcare providers required to use HIPAA compliant VoIP services?
Healthcare providers are not required to use HIPAA compliant VoIP services. However, there are benefits of doing so. The benefits of using a HIPAA compliant VoIP system include secure communication, improved patient privacy, potential for telemedicine, cost savings, streamlined communication, and regulatory compliance.