Are VoIP Phones Compliant with HIPAA?
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is perhaps the most important piece of data-protection legislation for organizations that handle health information in the United States. Entities covered by HIPAA must take specific precautions when storing or transmitting protected health information (PHI), whether it is held on paper or electronically. The act's coverage is broad, so if you handle such data, you need to make sure that your VoIP and CRM systems can be deployed and operated in a HIPAA-compliant way.
Who is covered under HIPAA?
One common misconception is that HIPAA covers only a very limited part of the healthcare industry. While the original scope of HIPAA was relatively narrow, it has broadened significantly over time; the HITECH Act of 2009 and the 2013 Omnibus Rule in particular made business associates directly liable for protecting the data they handle. It's not just health insurance providers that must be compliant, but also other healthcare-related businesses, and even the group health plans run by employers that provide health coverage to their staff.
The scope also takes in subcontractors and other businesses (business associates) that handle protected health information on behalf of their clients or partners. This means many companies and organizations that aren't directly involved in healthcare, such as schools running a health clinic, can find themselves bound by the act's data-handling requirements.
HIPAA-compliant VoIP systems
Protected health information doesn't just mean names, addresses, and medical records in a database. It also means handwritten notes, voicemail, and recorded phone calls. So, if you're running any type of health-related service, such as a dentist's office, a health insurance contact center, or a campus health care facility, you need to make sure that all of your communications channels can be operated in compliance with HIPAA.
This leads to an obvious question: is VoIP HIPAA compliant? You might assume that it is if all you're doing is taking calls, but HIPAA does not certify products, and no VoIP service is compliant on its own; what matters is how it is configured and operated. HIPAA's rules make it clear that as soon as you store data (recordings, voicemail, transcripts, or call logs that identify patients), it has to be handled in a specific way.
Since many VoIP systems are part of a unified communications service, data processors must think carefully about how each element of the system interacts with the others. Several factors go into making such a system compliant:
- Protecting data in transit with encryption: a VPN between sites, transport layer security (TLS) for the SIP signaling, and SRTP for the audio stream itself. TLS on the signaling channel alone does not protect the RTP media, which travels as a separate stream.
- Using multi-factor authentication wherever possible to prevent unauthorized access to privileged accounts, especially the administrative portal and any account that can retrieve recordings or voicemail
- Keeping audit logs, not just call recordings: who accessed recordings or voicemail, call metadata, and any administrative changes made to the system (the Security Rule's audit-controls standard, 45 CFR 164.312(b))
- Ensuring recordings and backups are stored encrypted in a secure environment and, if backups are outsourced, that the backup provider is itself bound by a Business Associate Agreement
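The first point above is the one most often gotten wrong in practice: a phone system can be "using TLS" and still send every conversation as plaintext RTP. As an added example that is not part of the original page, here is a small Python check that audits a captured SIP INVITE for both signaling and media encryption. The two sample messages are constructed for illustration (hostnames, addresses, and the SDES key are made up), and the function names `parse_sip` and `audit_invite` are this example's own, not part of any VoIP product's API.

```python
"""Audit a captured SIP INVITE for signaling and media encryption.

Added example, not code from the original page. SIP signaling may run over
TLS, but the audio travels as RTP in a separate stream that TLS does not
cover. The check therefore looks at two things: the transport named in the
topmost Via header (signaling) and the profile on every m= line of the SDP
body (media), flagging plain RTP/AVP where an SRTP profile is required.
"""
import re

# SDP transport profiles that carry SRTP (SDES-keyed or DTLS-keyed).
ENCRYPTED_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


def parse_sip(message: str):
    """Split a SIP request into (request line, headers, body).

    Headers are lower-cased and kept as lists so repeated headers (Via) survive.
    """
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def audit_invite(message: str) -> dict:
    """Return the signaling transport, the media profiles offered, and findings."""
    _, headers, body = parse_sip(message)
    findings = []

    # Signaling: "SIP/2.0/TLS host;branch=..." -> transport is the last "/" field.
    via = headers.get("via", [""])[0]
    transport = via.split()[0].rsplit("/", 1)[-1].upper() if via else "UNKNOWN"
    if transport != "TLS":
        findings.append(f"signaling over {transport}: caller, callee and Call-ID are readable on the wire")

    # Media: each m= line declares its own transport profile.
    media = []
    for kind, port, profile in re.findall(r"^m=(\S+) (\d+) (\S+)", body, flags=re.M):
        media.append((kind, profile))
        if profile not in ENCRYPTED_PROFILES:
            findings.append(f"{kind} on port {port} uses {profile}: the stream itself is not encrypted (SRTP needed)")

    # An SRTP profile without key material (SDES a=crypto or DTLS a=fingerprint) cannot be set up.
    if any(p in ENCRYPTED_PROFILES for _, p in media) and not re.search(r"^a=(crypto|fingerprint):", body, re.M):
        findings.append("SRTP profile offered but no a=crypto/a=fingerprint line: no way to negotiate keys")

    return {"transport": transport, "media": media, "findings": findings, "fully_encrypted": not findings}


# Constructed sample 1: signaling over UDP, plain RTP audio (typical default phone config).
WEAK_INVITE = """INVITE sip:101@pbx.example.com SIP/2.0
Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776
From: <sip:reception@pbx.example.com>;tag=1928301774
To: <sip:101@pbx.example.com>
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Content-Type: application/sdp

v=0
o=- 0 0 IN IP4 10.0.0.5
s=-
c=IN IP4 10.0.0.5
t=0 0
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
"""

# Constructed sample 2: SIP over TLS and SDES-keyed SRTP for the audio.
HARDENED_INVITE = """INVITE sips:101@pbx.example.com SIP/2.0
Via: SIP/2.0/TLS 10.0.0.5:5061;branch=z9hG4bK776
From: <sips:reception@pbx.example.com>;tag=1928301774
To: <sips:101@pbx.example.com>
Call-ID: a84b4c76e66711
CSeq: 314160 INVITE
Content-Type: application/sdp

v=0
o=- 0 0 IN IP4 10.0.0.5
s=-
c=IN IP4 10.0.0.5
t=0 0
m=audio 49170 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=
a=rtpmap:0 PCMU/8000
"""

if __name__ == "__main__":
    for label, msg in (("weak", WEAK_INVITE), ("hardened", HARDENED_INVITE)):
        result = audit_invite(msg)
        print(f"{label}: transport={result['transport']} media={result['media']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against a packet capture exported as text, or feed it the INVITEs logged by the PBX, and treat any non-empty findings list as a configuration defect: a TLS-only finding means the PBX or phones have not been told to require SRTP (on Asterisk's chan_pjsip, for instance, `media_encryption` left at its default of `no`).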
Take voicemail as an example. To be compliant, the voicemail store must be secured so that unauthorized parties cannot access it, and the provider of the VoIP and voicemail service must sign a Business Associate Agreement (BAA) with its client. This contract sets out the security and privacy measures the provider has in place and lets the client document its HIPAA-compliant VoIP service. Note that a BAA assigns responsibility; it does not by itself make a poorly configured deployment compliant.
Exceptions to HIPAA communications
There are some limited carve-outs in HIPAA's rules. Under the definition of electronic media in 45 CFR 160.103, paper-to-paper faxes and voice telephone calls are not treated as electronic transmissions if the information did not exist in electronic form immediately before it was sent, so the Security Rule's electronic-PHI requirements do not apply to them (the Privacy Rule still does). If a VoIP system were used exclusively for real-time voice calls, that carve-out might be argued to apply. However, call recordings, voicemails, video, and text messages are usually part of a VoIP service, and all of those are stored electronic data, so the system as a whole cannot be treated as outside the Security Rule.
If you're looking for a HIPAA-compliant communications provider that can supply a BAA to allow you to document your compliance, give us a call. We are a fully HIPAA-compliant VoIP provider, and we would be happy to work with you to set up a system for managing your clients' data securely. Contact us today for a no-obligation consultation.