Vonage is a cloud communications provider that offers APIs for voice, video, messaging, and authentication to help businesses build secure and scalable communication solutions. Health organizations can use Vonage’s HIPAA-enabled SMS and Video APIs for telehealth, patient engagement, and compliant communications.
Is Vonage HIPAA compliant?
Yes, Vonage can be HIPAA compliant, but only when using its designated HIPAA-enabled services under a signed business associate addendum (BAA).
Will Vonage sign a business associate agreement (BAA)?
Yes, Vonage will sign a business associate agreement, which can be reviewed here.
What does the Vonage BAA cover?
Vonage’s BAA “addresses the Parties’ obligations under HIPAA with respect to ‘business associates,’ as defined under the privacy, security, breach notification, and enforcement rules at 45 C.F.R. Part 160 and Part 164” (Vonage API Platform BAA, Section I.A).
It specifies that Vonage (“Business Associate”) will:
- “establish and implement appropriate privacy, security, and data breach related safeguards for the Protected Health Information (PHI)” (Section I.B)
- “receive, create, use, and disclose PHI only in a manner that… is consistent with this BAA and the HIPAA Rules” (Section II.A)
- “make only the minimum necessary uses, disclosures, and requests for PHI” (Section II.B)
- “use appropriate safeguards designed to comply with the Security Rule” (Section II.C)
- “report to Customer any Breach of Unsecured PHI… without unreasonable delay” (Section II.E)
- “require that any Subcontractors… agree to the same restrictions, conditions, and requirements” (Section II.F)
Their BAA also covers patient rights, including responding to access and amendment requests (Sections II.G–II.I), and maintaining records for audits.
What does the Vonage BAA exclude?
Vonage makes clear that HIPAA coverage is limited to the services listed in Annex A of the BAA, and only when specific conditions are met:
- For the Video API, the account must have the HIPAA and BAA feature activated, and encryption must be turned on.
- For the SMS API, coverage applies only when the sending and receiving numbers are U.S. numbers, the HIPAA & BAA feature is enabled, and designated “Covered Numbers” are confirmed in writing by Vonage. Customers must also retain copies of SMS messages and opt-in/opt-out consents for compliance.
Vonage further limits its obligations:
- “Customer acknowledges and agrees that Business Associate’s obligations… are limited to transmission, use, storage, and disclosure of PHI pursuant to Customer’s use of Covered Services… and that Business Associate shall bear no responsibility for use or storage of PHI on systems outside of Business Associate’s reasonable control.”
- Deprecated or unsupported services are not Covered Services (Section I.B).
- This means that any other Vonage product outside the explicitly listed HIPAA-enabled APIs cannot be used for PHI.
Conclusion
Vonage may be HIPAA compliant, but only when healthcare organizations sign a BAA and restrict their use to the designated HIPAA-enabled APIs (Video API and U.S.-based SMS API) under the conditions defined in its BAA. All other Vonage services remain outside HIPAA scope.
FAQs
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI). It is designed to safeguard individuals’ health information while ensuring that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.
Who does HIPAA apply to?
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
What is a business associate agreement?
A business associate agreement (BAA) is a legally binding contract establishing a relationship between a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and its business associates. The purpose of this agreement is to ensure the proper protection of protected health information (PHI) as required by HIPAA regulations.