Is business VoIP system HIPAA compliant?

All healthcare providers in the United States know the importance of HIPAA and how crucial it is to both the provider’s and patient’s welfare that the healthcare provider is HIPAA compliant. This includes IT / Telecommunications companies, health insurance companies, and all businesses associates.

What is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act. It ensures the privacy and confidentiality of all patient records. It also helps to control administrative costs and makes health insurance easier to afford and maintain.

What is VoIP?

VoIP stands for Voice over Internet Protocol and is the method of using the Internet to make calls, over a Wi-Fi, 3G or cellular connection. Data is transmitted over the Internet, not a conventional phone line. Analog audio signals are converted into digital data.

Why is it important for VoIP services to be HIPAA compliant?

An increasing number of clinics and hospitals are turning over to VoIP telephony to handle their patient issues. While HIPAA regulations are regularly updated, an important section states that, “Certain transmissions, including paper, via facsimile, and voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.” So why, you might rightfully ask, does VoIP services need to be HIPAA compliant?

The reason is that VoIP is now not only about voice calls anymore. With VoIP and the latest in telecommunications technology, people leave voice messages, call recordings, etc., which may contain health information that needs to be protected. This data is stored and recorded in computers, which means that the voice messages are converted into electronic data. So VoIP automatically becomes subject to HIPAA compliance.

With faxes being transmitted to emails nowadays, VoIP providers also have to take into account that facsimile data is being converted into electronic data that is being stored over longer periods of time. So while the good old fashioned faxes and telephone calls would not need to be HIPAA compliant, in today’s world of VoIP technology, they would come under HIPAA scrutiny because faxes and voices are being converted into data and stored for long periods of time, giving rise to concerns about security and confidentiality of sensitive patient healthcare records and data. This is ePHI, or electronic Protected Health Information.

What are the features that HIPAA compliant VoIP services need to have?

• The phones have to be authenticated with a certificate which gives the phone a “unique user ID”.
• Data must be encrypted.
• Access controls must be in place so that different categories of users can use the system.
• Logs should be maintained of all call data.
• A HIPAA Business Associate Agreement must be offered by a cloud-based VoIP service provider.

It is a requirement to obtain services from VoIP providers that are HIPAA compliant for the privacy and confidentiality of your patients and customers.