HIPAA-compliant VoIP is not just jargon: it is an internet-based phone system with a specific set of controls in place, designed to keep patient health information private and secure.
First, VoIP stands for Voice over Internet Protocol. It refers to phone service that carries calls as data packets over an IP network (the public internet or a private network) instead of over a traditional circuit-switched landline.
HIPAA stands for the Health Insurance Portability and Accountability Act. Its Privacy and Security Rules govern how healthcare organizations and their vendors may use, disclose and safeguard patient health information, so that it is not exposed without the patient's authorization.
There are four essential requirements for HIPAA-compliant VoIP:
- Encryption
- Role-Based Access Control
- Audit Logs
- Signed Business Associate Agreements
If you’re not sure what these terms actually mean in practice, you’ve come to the right place. Once you’ve gotten familiar with all of the requirements, you can get started on implementing your own HIPAA-compliant VoIP.
Who Needs HIPAA Compliant VoIP?
The private patient health information in question here is usually called ePHI, which simply means electronic Protected Health Information.
A patient's ePHI can be highly sensitive medical information, like blood test results and biometrics, or something much more basic, like a home address, an age, or even just a full name, as long as it is tied to the person's care or payment for care.
Regardless of the specific nature of the ePHI, the common factor is that it is private information that, by law, must be protected.
You typically won't need to worry about HIPAA-compliant VoIP if you're operating a hotdog stand or running a basic online store. For any of the following businesses, though, it should be a top priority whenever ePHI passes through the phone system:
- Pharmacies
- Insurance providers
- IT companies
- Law firms
- Healthcare providers
This list is by no means exhaustive, but it should already be clear that you don't need to be a healthcare provider yourself for HIPAA-compliant VoIP to be a requirement. IT companies, law firms and similar vendors become "business associates" under HIPAA as soon as they create, receive, store or transmit ePHI on behalf of a covered entity, and the same obligations follow.
It should also be clear that HIPAA violations are no joke. Civil penalties are tiered by culpability and range from roughly $100 to $50,000 per violation, with an annual cap of $1.5 million per violated provision (both figures are adjusted for inflation), and willful violations can also carry criminal penalties.
All Four Requirements for HIPAA Compliant VoIPs
1. Encryption
Encryption is complicated in practice but easy to understand in principle. It is a process by which readable data (plaintext) is scrambled into an unrecognizable, unreadable form called ciphertext using a key. The data is transmitted or stored in its ciphertext form and can only be turned back into plaintext by a party holding the matching decryption key. In VoIP there are two separate streams to protect: the signaling that sets up a call (SIP, normally protected with TLS) and the audio itself (RTP, protected with SRTP). Encrypting one without the other leaves ePHI exposed.
How Does Encryption Ensure HIPAA Compliance?
The security benefit is straightforward: if ePHI is intercepted in transit, whether as audio or text, or if stored recordings and voicemails are stolen, the attacker obtains only ciphertext, which is useless without the decryption key. HIPAA's Security Rule lists encryption as an "addressable" specification, which in practice means you must implement it or document why an equivalent alternative is reasonable. Encryption also matters after an incident: under HHS guidance, lost or stolen ePHI that was properly encrypted is considered "secured," so its loss does not trigger breach notification.
What Should Buyers Look For?
The most important consideration for your encryption solution is that ePHI stays encrypted along the entire path: on the phone or softphone, on every network hop, and inside the provider's own infrastructure. Ask the provider specifically whether SIP signaling uses TLS, whether media uses SRTP, and whether its media servers, recording storage and voicemail storage hold data in encrypted form. Many providers advertise "end-to-end encryption" while decrypting audio on their own servers for recording, transcription or call routing; that can still be acceptable, but only if those servers are covered by the business associate agreement and protected accordingly. Refuse any configuration that falls back to unencrypted RTP when the other side does not offer SRTP.
It is equally important that encryption keys are managed properly. If the keys are not protected from attackers, encrypted data is only as safe as the key store. As a buyer, you should ask how the provider generates, stores, rotates and revokes keys, who inside the provider can access them, and whether stored recordings use a different key than live media.
2. Role-Based Access Control
Role-based access control (RBAC) is exactly what it sounds like: permissions are assigned to job roles rather than to individuals, each user is placed in one or more roles, and only users whose role requires it can reach the VoIP features that expose ePHI, such as call recordings, voicemail, transcriptions and call logs.
How Does Role-Based Access Control Ensure HIPAA Compliance?
ePHI can be leaked by accident or taken on purpose. That is why the HIPAA Privacy Rule's "minimum necessary" standard requires that individuals have access only to the patient information their specific role actually requires, and why the Security Rule requires technical access controls that enforce it. Limiting each role to what it needs minimizes both accidental and deliberate ePHI exposure and also forces the organization to define who does what.
What Should Buyers Look For?
Buyers should prioritize modern authentication and administration features. Most important are the ability to change and revoke user access quickly (for example when an employee leaves or changes roles) and the ability to track and monitor usage history over the long term. Every person must also authenticate with their own unique user ID, which the Security Rule explicitly requires, so that actions can be attributed precisely during an audit; a shared login on a nurses' station phone defeats this even if the phone itself is locked down.
As far as authentication methods go, most current and legacy systems rely on passwords or single-factor tokens. Companies should prioritize stronger options where the provider supports them: multi-factor authentication for user and especially administrator logins, single sign-on tied to the corporate identity provider so that deprovisioning is automatic, time-based access restrictions, and automatic session timeouts on desk phones and softphones.
3. Audit Logs
HIPAA's Security Rule requires mechanisms that record and examine activity in any system that contains or uses ePHI. For a phone system this means that calls, access to recordings and voicemails, and administrative changes are systematically logged and retained, so that everything can be audited for compliance or investigated after an incident.
How Do Audit Logs Ensure HIPAA Compliance?
Audit logs are an essential piece of HIPAA compliance because they provide accountability. Suspicious activity and data leaks can be reconstructed and examined after the fact, and there tend to be fewer of them in the first place: when users know that every action they take in the VoIP system is recorded and reviewed, they are less likely to misuse ePHI, whether carelessly or deliberately.
Keep in mind that with VoIP the audit trail covers more than a call list. It should record who placed and received each call, who listened to or downloaded a recording, who read or forwarded a voicemail or transcript, and who changed routing, user or permission settings. The recordings themselves are not audit logs; they are ePHI at rest and need the same encryption and access controls as any other stored patient data.
What Should Buyers Look For?
Ideally, your VoIP provider should include audit logs with modern features, including but not limited to:
- Comprehensive logging of all data types
- Time-stamped recordings
- User-specific identification
- Access controls and protection from tampering
- A defined retention period (HIPAA requires Security Rule documentation to be kept for six years, and many organizations apply the same period to audit logs)
Since we're dealing with VoIP, the most vital logging feature is that every access to call recordings and voicemails is captured, not just the calls themselves. Two other practical points: the logs should be exportable to your own SIEM or log store so that reviews do not depend on the provider, and the logs should be immutable or at least write-once so that an administrator with VoIP access cannot also erase the evidence of what they did.
4. Business Associate Agreements
Companies that need HIPAA-compliant VoIP must enter into a signed business associate agreement (BAA) with the VoIP provider, and the provider in turn must have BAAs with any subcontractors (hosting, transcription, recording storage) that touch ePHI on its behalf. These agreements are legally binding contracts between the business entities involved.
How Do Business Associate Agreements Ensure HIPAA Compliance?
The business associate agreement is the final piece of HIPAA-compliant VoIP that ties all of the previous pieces together.
It sets out how each party will comply with the HIPAA rules, ensuring that everyone handling ePHI agrees to the same obligations under the law. A good business associate agreement also governs what happens in the event of a breach or violation: it spells out, in detail, who must notify whom, within what timeframe, and what remediation each party owes.
Requiring business associate agreements is one of HIPAA's most important mandates, because it is a written, enforceable commitment from every party involved that they will follow the same rules for handling ePHI, and it gives the covered entity recourse when a vendor fails.
What Should Business Associate Agreements Include?
A proper business associate agreement must contain the elements the regulation requires: the permitted uses and disclosures of ePHI, a commitment to appropriate safeguards, reporting of security incidents and breaches, flow-down of the same terms to subcontractors, and return or destruction of ePHI when the contract ends. Beyond those, it should require the following from all parties:
- Yearly self-audits
- Overall compliance with HIPAA processes
- Yearly training of those processes for employees
- Procedures for responding to ePHI-related incidents
If a VoIP provider refuses to enter into a business associate agreement with you, or simply never brings it up, you should find a new provider. Be wary of a provider that claims it is merely a "conduit" and therefore exempt: HHS treats that exception as narrow, covering transmission-only services, and a provider that stores your recordings, voicemails or transcripts does not qualify.
Other requirements
One of the most important things to remember when choosing a HIPAA-compliant VoIP vendor is that, in 2023, you're probably going to be dealing with more than just the voice part of communicating.
You'll minimize headaches down the line if you choose a provider that remains HIPAA-compliant for all forms of communication, including:
- Call recording
- Caller ID information
- Voicemail
- Voicemail transcription
- Text messaging
- Faxing
- Video conferencing
Some of these methods, like standard SMS text messaging and fax, are not inherently encrypted the way a properly configured VoIP call is. HHS guidance allows a patient to choose such a channel for their own communications if they have been warned of the risk and have agreed to it, but that choice belongs to the patient: staff-to-staff or provider-to-provider exchanges of ePHI should still go over encrypted channels, and a cloud fax or messaging vendor that stores the content is a business associate that needs a BAA like any other.
Additionally, video conferencing must use encryption for the entire session, give participants a way to confirm they are connected to the intended meeting, require passwords or waiting rooms so that uninvited parties cannot join, and offer security controls to both the meeting host and your administrators.
In general, unless you’re dealing with barebones audio communication—which is becoming rarer by the day—you should choose a VoIP provider that includes HIPAA compliance controls for all potential ePHI communication types.
Which Vendors Actually Offer HIPAA Compliant VoIP?
It’s important to note that the four requirements we listed above are not just suggestions—they are must-haves. If a VoIP vendor does not provide encryption, role-based access control, audit logs, and business associate agreements, it is not HIPAA-compliant.
Most, if not all, of our favorite VoIP providers offer top-notch VoIP services, but some stand out from the crowd when it comes to HIPAA compliance. In particular, Nextiva offers HIPAA-compliant VoIP across its entire product line—which means that no matter which specific Nextiva package you end up with, you can rest assured it can be configured for perfect HIPAA compliance.
HIPAA Compliant VoIP in Summary
While there’s a seemingly never-ending list of considerations for ensuring HIPAA-compliant VoIP, it’s important to prioritize the essentials: proper encryption, role-based access control, audit logs, and signed business associate agreements.
Whichever provider you go with, just keep in mind that any company with a truly HIPAA-compliant VoIP solution should have no problem providing proof of all four requirements—and it bears repeating that these requirements are mandatory, not optional.