Is VoIP HIPAA Compliant?

Do you work in healthcare or looked into the best phone systems for healthcare? If so, you’ve probably asked the question by now: is VoIP HIPAA compliant? And how?

All healthcare practices must abide by HIPAA laws in order to protect their patients’ sensitive information, as well as their practice’s well-being. This is why choosing a phone system can cause many healthcare professionals anxiety. Of course, you want the latest, best technology in the industry to boost the quality of your communications. At the same time, you must make sure that all forms of communications closely follow HIPAA guidelines.

If you have questions about HIPAA compliance when it comes to phone systems, we are here to help! Take a look at these commonly asked questions about phone systems, such as VoIP, and how they follow HIPAA guidelines.

What is HIPAA?

As you may already know, HIPAA is the Health Insurance Portability and Accountability Act. It requires all healthcare providers to make sure all sensitive patient information is kept private, and not shared with anyone other than the healthcare practice. This law is also in place in order to:

• Allow American workers to transfer or continue their health insurance coverage if they change or lose their job
• Prevent fraud and abuse in healthcare practices
• Implement industry standards for handling healthcare information, electronic billing, and more.

In terms of phone systems and other forms of communication, the main HIPAA component to keep in mind is protecting the confidentiality of patient information. You must make sure that your phone system is installed and programmed to keep this information private.

Why do Phone Systems Need to be HIPAA Compliant?

If you are not mindful of HIPAA compliance when installing your phone system, it can potentially pose a risk to your healthcare practice. Why? Because it’s possible for forms of communication, such as voicemails and recorded phone calls, to violate HIPAA guidelines. For instance,when using a VoIP system, these audio recordings can be saved electronically, and therefore qualify as electronic personal health information (ePHI). Under HIPAA, this kind of information needs to be kept secure at all times.

However, VoIP is a very beneficial, versatile phone system that can absolutely be programmed as HIPAA compliant. You just have to understand how to meet compliance.

What are the HIPAA Guidelines for Phone Systems?

Luckily, it’s very easy for VoIP phones to be HIPAA compliant. Follow these easy steps to making sure your phone system follows all laws and guidelines:

1. Make sure every phone line is authenticated with its own “unique user ID.” This allows only authorized users to access ePHI of patients. That way, you can be sure sensitive information is protected.
2. Assure all data is encrypted. To do this, use encryption technology, such as Virtual Private Networks (VPN) or Transport Layer Security (TLS).
3. Keep call logs of all call data (including metadata), but make sure you are using a secure Internet network at all times.
4. If you are using a cloud-based VoIP system, make sure to establish a HIPAA Business Associate Agreement (BAA) with your VoIP provider. 

Most VoIP providers will have good knowledge of HIPAA compliance and know that they need to sign a BAA with you. But make sure to ask about this agreement, as well as other HIPAA guidelines, when signing up for your VoIP service.

How Can I Be Sure my Phone System is HIPAA Compliant?

Thankfully, VoIP providers carry the responsibility of being HIPAA compliant when they sign up to help a healthcare provider. If a VoIP provider does business with a healthcare center that is handling information protected under HIPAA, the provider must first have guidelines, procedures, and security measures in place. If they do not, they cannot legally sign a Business Associate Agreement with your healthcare practice.

When signing up for a VoIP service, simply ask the provider what safeguards they have in place to ensure HIPAA compliance. Then, ask them about the process for signing a BAA. Keep in mind that if you work in the healthcare industry, you can always partner with a HIPAA-compliant medical answering service to ensure you are following the law and help manage your call volume.

Is VoIP the Best Phone System for Healthcare Professionals?

Most practitioners today consider VoIP for healthcare to be the best phone system their business needs. There are a number of reasons for this.

High-grade Security

Although VoIP phone systems connect to the Internet, they provide reliable ways to ensure security and privacy of every phone call. No other phone system allows you to securely encrypt data to protect yourself from cyber-theft or HIPAA violations.

Unified Communications

Healthcare practitioners can use multiple communication channels to reach fellow practitioners and patients at all times using mobile VoIP. VoIP’s unified communication system lets doctors utilize voice calls, live instant messaging, text messaging, voicemail, fax, and other communication methods all in one place.

Mobility

Healthcare practitioners are busy! Oftentimes, they need to be able to communicate with patients and staff when they are away from the office. VoIP systems allow doctors to have access to their business line from any Internet-compatible device.

Quality Assurance

Since VoIP enables call recordings, healthcare professionals can make sure the quality of every patient call is up to par. Overall, this helps them follow HIPAA guidelines and provide great customer service to every patient.

Top HIPAA-Compliant Suppliers

It can be difficult and time-consuming to do the research on which VoIP suppliers are HIPAA-compliant. We are here to help! Take a look at our list of top VoIP suppliers that ensure HIPAA compliance.

1. Nextiva

Nextiva assures its users that they can provide healthcare professionals with HIPAA-compliant phone systems. They can establish a Business Associate Agreement with their healthcare users that addresses Privacy, Security, and Breach Notification Rules under Nextiva's service. Most NextOS services are HIPAA-compliant, including voice calls, call recording, call analytics, fax, and more. To adhere to HIPAA compliance, Nextiva says that these features will be disabled:

• Visual voicemail is disabled
• Emailing voicemails as attachment
• Voicemail transcription
• Emailing faxes
• Downloading faxes via email

Also note that HIPAA-compliant users cannot play voicemails through the Nextiva app.

2. Vonage

Vonage also has HIPAA-compliance options for healthcare professionals. According to their site, Vonage has a HITRUST CSF certification, which is the most widely adopted security framework in the U.S. for the healthcare industry. Vonage reports that they continuously work to improve privacy and security framework for their healthcare customers. Note that not all cloud-based phone systems are HIPAA-compliant. However, Vonage is one of the first cloud-based services to receive a PCI Service Provider certification, which ensures HIPAA-compliance even when using the cloud.

3. RingCentral

RingCentral announced their new HIPAA-compliant platform in 2015. They too have established a BAA with their users to ensure privacy and security under their service. RingCentral promises its healthcare users that patient calls and messages will be completely secure, due to encryption in transit and at-rest. They also offer other HIPAA-compliant features such as prohibited access to patient records by unauthorized persons. RingCentral reports the following:

• HITRUST CSF certification
• 7 layers of data security, including SRTP/TLS encryption between endpoints
• Third-party audits: SSAE 18 certified and SOC 2/SOC 3 compliant data centers
• HIPAA Business Associate Agreements available to healthcare providers

4. 8x8

8x8 is also a HIPAA-compliant provider with several 3rd party security and compliance certifications, such as:

• NIST 800-53 R4 compliance at the FISMA Moderate level to meet advanced NIST/FIPS encryption standards
• Compliant with FCC requirements for protecting Consumer Proprietary Network Information
• US/EU and Swiss Privacy Shield Compliance
• GDPR-ready to help ensure your business remains compliant with UK, EU and EEA privacy law

Note that 8x8 provides HIPAA-compliance and privacy protection not only to its U.S. customers, but to overseas customers as well! Learn more on 8x8's security and compliance page.

Learn More

Ready to find out more about whether or not VoIP is the best communication option for your office?

• Still using a landline phone system? Take a look at our landline vs. VoIP guide and find out whether you can switch your existing phone number to VoIP.
• Want to learn about the latest technology helping the healthcare industry? Learn about CPaaS and Unified Communication Systems.
• Curious about VoIP's common issues? Read more about latency and bandwidth.

Ready to compare prices? Fill out our simple question set about your communication needs. Then, we'll match you with our top VoIP providers. It's a win-win!