by Sara Nguyen
Article filed in
VoIP Providers and HIPAA Compliance: The Ultimate Guide
by Sara Nguyen
Healthcare providers may overlook that their phone systems need to be compliant with HIPAA. People use phones multiple times daily, so it is essential that any electronic protected health information (ePHI) is kept secure.
This ultimate guide will answer all of your questions about VoIP providers and HIPAA compliance and which popular phone systems healthcare providers can safely use.
VoIP providers and HIPAA compliance
VoIP providers need to be HIPAA compliant because they could potentially record and store ePHI. Features like call recording or voicemail can end up being a HIPAA violation if they are not adequately encrypted.
VoIP providers that store ePHI are considered business associates. All business associates need to sign a business associate agreement (BAA) with covered entities to ensure that business associates comply with the HIPAA Privacy Rule and will protect ePHI.
Not all VoIP providers are willing to sign a BAA or take the necessary steps to ensure PHI protection. It’s essential to do your research and configure phone systems to meet HIPAA requirements.
VoIP providers best practices
Here is what you need to consider when configuring a VoIP provider to meet HIPAA guidelines:
- Turn off any features that may send ePHI to an unauthorized user. For example, you may want to disable a feature that would email voicemail transcriptions.
- Understand what information constitutes PHI.
- Use phones that present a unique ID.
- Implement high-end encryption technologies to protect data like Virtual Private Networks (VPN) or Transport Layer Security (TLS).
- Sign a BAA with your VoIP provider.
- Keep a record of all call data, including metadata and administrative functions.
- Use a secure WiFi network.
Now let’s talk about popular VoIP providers and if they are compliant with HIPAA guidelines.
CallHippo is a cloud-based VoIP provider and has over 5,000 customers. You only need an Internet connection to set-up and use CallHippo. This virtual phone system may be easy to use, but is it HIPAA compliant?
The company doesn’t mention on its website if it is willing to sign a BAA or work with healthcare providers.
Therefore, we conclude that CallHippo is not HIPAA compliant.
Grasshopper offers VoIP and WiFi calling on smartphones and desktop computers, but by default it uses a cellular network. The phone provider gives you all the tools you need to have a virtual phone system, including call forwarding, voicemail, and custom greetings.
Grasshopper is unwilling to sign a BAA. In addition, the support team has access to personal data like text messages, voicemails, and faxes.
Therefore, Grasshopper is not HIPAA compliant.
Freedom Voice is a popular cloud-based phone system known for helping small businesses use effective communications tools. So can it help healthcare providers have a HIPAA compliant phone system?
Freedom Voice doesn’t say if it is willing to sign a BAA or if its phone system’s encryption and data storage follow HIPAA guidelines.
Freedom Voice is not HIPAA compliant.
Freshcaller is part of the Freshworks CRM software. The phone provider runs on a cloud-based private branch exchange (PBX) system and has many features for healthcare providers to have a smooth phone calling process. Does that mean Freshcaller is HIPAA compliant?
Freshcaller can be HIPAA compliant. The company is willing to sign a BAA and has created a secure operating environment (SOE) to keep healthcare data safe.
MyOperator is a cloud-based call management system that focuses on optimizing business calls. It has features like analytical reports, tracking, and call recording. The phone provider could potentially collect and store ePHI, so does MyOperator meet HIPAA guidelines?
MyOperator is not HIPAA compliant because it is unwilling to sign a BAA, a fundamental principle of compliance for business associates.
Ooma is a VoIP provider for small businesses, homes, and mobile users. The company also offers home security.
Ooma states in its terms and conditions that its services “are not designed, intended, or recommended for use” when it comes to protected health information. This seems to imply that Ooma isn’t willing to sign a BAA and it doesn’t have the features to safeguard ePHI.
Therefore, Ooma is not HIPAA compliant.
RingCentral offers a cloud-based phone system capable of video conferencing, team messaging, and phone calls. The provider also says it has robust security, including enterprise-grade encryption. So is RingCentral HIPAA compliant?
RingCentral says it is willing to sign a BAA. You should note that RingCentral will not accept a customer’s BAA and will only agree to the BAA it provides.
RingCentral can be HIPAA compliant.
TalkRoute lets you run a phone system from the office, home, or on the road. The TalkRoute apps work on various operating systems and can be customized to include greetings, extensions, and more.
Does TalkRoute meet HIPAA requirements? The company is willing to sign a BAA, but only if a healthcare provider uses the Enterprise plan. TalkRoute will also need configuration to match HIPAA guidelines like disabling sending voicemails to email and not sending text messages.
Overall, TalkRoute can be HIPAA compliant.
UniTel Voice is a popular phone system option for small businesses because it’s easy to use. It allows you to take calls on your existing cell or office phones without needing tech skills or an IT department to set it up. Due to its straightforward nature, it’s easy to wonder if UniTel Voice is HIPAA compliant.
UniTel has features that you can’t turn off. The biggest issue is the voicemail email notifications. It sends a user an unencrypted email about a new voicemail, and an audio file is attached. This is against HIPAA guidelines for email encryption surrounding potential PHI, so UniTel is not HIPAA compliant.
Vonage says it’s VoIP services are an excellent option for healthcare providers. The company claims that medical professionals can use its communications software for virtual office visits and medical consultations. Does this mean Vonage is HIPAA compliant?
Yes, Vonage can be compliant with HIPAA guidelines. The company is willing to sign a BAA upon request. The phone and video systems come with robust security features like dedicated secure servers with disk encryption, firewall protection, and procedures to eliminate security threats.
Zoom Phone is part of the overall Zoom product suite. It’s a cloud phone system with features like voicemail and call recording. Since both of those features could potentially contain ePHI, is Zoom Phone HIPAA compliant?
Zoom Phone can follow HIPAA guidelines. The communications company is willing to sign a BAA to cover the entire product suite. A healthcare provider will need to be a part of Zoom’s HIPAA-enabled plan, which includes select configuration settings to match security guidelines.
What are the best HIPAA compliant VoIP providers?
Based on the phone providers we reviewed, a healthcare provider might consider:
- Zoom Phone
These companies are willing to enter into a BAA and can have their phone systems configured to meet HIPAA guidelines concerning data security.
Other HIPAA compliant direct communication methods
It’s possible for VoIP providers to be HIPAA compliant if they are willing to enter into a BAA and configure their systems to meet HIPAA guidelines.
However, your phone system isn’t the only service that needs to stay in compliance with HIPAA. You should also consider if your email security is meeting HIPAA legal requirements.
Paubox Email Suite integrates seamlessly with popular email platforms such as Google Workspace and Microsoft 365. Every email your healthcare business sends will be encrypted using the latest TLS 1.3 encryption technology. Emails are transmitted directly to your patient’s inbox, no password or portal required.
Since Paubox has a BAA included, we take great care to ensure that our emails receive robust security. Our solution blocks email threats with spam filtering and email security against ransomware, malware, and phishing attacks. We also protect against domain name spoofing emails with our patent-pending ExecProtect feature.