HIPAA compliant VoIP: what it is and how to choose it (2023)

A business phone service must meet many requirements (reliability, features, cost) and the healthcare industry has one at the top of the list: HIPAA compliance.

The Health Insurance Portability and Accountability Act (HIPAA) is the privacy law that has defined American healthcare providers since 1996 and is as relevant today as it was then. The purpose of HIPAA, along with the updated Health Information Technology for Clinical and Economic Health (HITECH) Act of 2009, is to protect patients' personal health information (PHI and ePHI) from privacy breaches and unauthorized access. . Providers who violate this law face heavy penalties and even imprisonment. So yes, it's a big problem.

A telephone system is an essential part of healthcare, but choosing the right provider is critical to HIPAA compliance. In this guide, we'll show you how to do it.

What is HIPAA compliant phone service?

Simply put, a “HIPAA compliant” phone system meets all of the requirements that HIPAA has for protecting patient information, specifically the aptly named privacy and security rules that together define the standards for protecting ePHI.

the privacy rule

The Privacy Rule or Standards for the Privacy of Individually Identifiable Health Information sets the national standard for protecting health information. At the same time, this regulation also ensures that health information is available to healthcare professionals when needed to provide the best possible care for patients. In other words, the privacy policy strikes a balance that allows the use of information and protects the privacy of people seeking help.

the safety rule

The Security Rule or Security Standards for Protecting Secure Electronic Health Information sets the national standard for protecting certain health information that is retained or transmittedelectronic formThis Rule puts in place the safeguards contained in the Privacy Rule, addressing the technical and non-technical measures that organizations (also known as “Covered Entities”) must take to protect individuals' ePHI. Therefore, a HIPAA compliant phone service must consider ePHI sources such as:

• caller idInformation.Even without recording is thecall listconnects a person to a medical practice and the types of services they provide.

• call recording.Conversations are of short duration and are not protected health information, but recordings may contain protected health information.

• voice mail.Wherever there is content, there is the possibility of receiving detailed personal data.

• Voice Message Transcription.Convert voice messages to text accessible via email or text and is another source of data.

• SMS.Convenient, useful and another channel to carefully check personal data.

• Send an email by fax.Traditional fax does not create stored recording data, but fax to email does.

• Unified Communication.A communication platform that offers more than just voice can have electronic data in the form of saved chats or even video conference histories.

“What if I just disable these features? Would this make my phone service HIPAA compliant?”

this is what we meanit could…but 1996 is calling and he wants his phone system back. Why limit the usefulness of yourVoIP service90's technology? Instead, stay with us and we'll help you leverage cloud-based and AI-powered technology.Business-VoIPso your patients are safe and your data is safe.

🧠 Keyboard Tips:

The Business Partner Agreement

First, a business telephone service provider must be willing and able to sign aBusiness Partner Agreementaccording to HIPAA regulations. This assures customers that the provider assumes and is responsible for the platform's HIPAA compliance.required by lawfor HIPAA compliance.

A Business Associate Agreement (BAA) is a written agreement between the supplier (a business partner) and another party, whether an affected entity (for example, a hospital or clinic) or another business partner (for example, a insurer, an IT service provider, etc. ). ) or a billing consultant). ).

A BAA has10 provisionsWhat to cover:

1. Determine which PHI can be used by the business partner and under what circumstances.

2. Make sure the business partner does not use or disclose PHI unless required by contract or law.

   (Video) Top 4 HIPAA compliant VOIP service providers 2020

3. Require the Business Partner to take appropriate security measures to prevent unauthorized access to PHI, including up-to-date encryption for electronic PHI (ePHI).

4. Requiring the Business Partner to report any data breach of protected and unsecured health information to the affected company.

5. Make sure the business partner discloses PHI when requested by a patient.

6. Define which components of the HIPAA privacy rule the business partner is responsible for and ensure compliance.

7. Require the business partner to make its internal practices, books and records available to the US Department of Health and Human Services.

8. When the agreement ends, ask the Business Partner to return or delete any PHI it received from the Covered Entity.

9. If a business partner uses subcontractors who have access to PHI, the business partner must ensure that these subcontractors also sign a BAA.

10. Allow the affected company to terminate the contract if the business partner violates the terms.

🚨 Keyboard suggestion:

If you are dealing with a VoIP provider that stores ePHI information for you and do not apply for a Business Associate Agreement, please do! You may face severe penalties.

Can VoIP phones be HIPAA compliant?

Yes! Healthcare providers and their providers require HIPAA-compliant VoIP because calls may contain sensitive data that is stored electronically as an ePHI. Many VoIP systems are fully HIPAA compliant; you just need to meet the following requirements.

• Business Partner Agreement:We covered this in the previous section, but this is the contract that requires HIPAA compliance by all business partners involved.

• Authentication:Each phone can have a unique user ID.

• Cryptography:Transport Layer Security (TLS), Virtual Private Networks (VPNs) and other encryption technologies are in place to protect data.

What are the best HIPAA compliant VoIP providers?

There are many VoIP providers, but only a few are HIPAA compliant. Unfortunately, it's not always obvious which ones are and which aren't when browsing your homepage. To make your job easier and save you time, we've done the research for you.

Here's a quick overview of HIPAA compliant and non-compliant VoIP providers:

🩺 Get the health communication guide

Does your clinic or health facility have a distributed team? Download this guide to learn best practices for healthcare teams that aren't all in the office!

Dialpad offers more than just VoIP. Get HIPAA compliant unified communications with calling, messaging, video conferencing and more.

You now have a few options for VoIP providers who are willing and able to complete a BAAtelephone systemsconfigured to comply with HIPAA guidelines; In our opinion, Dialpad is undoubtedly the best option.

Are we biased? Safe. But does that make it any less true? You can judge that, which is why we offer a14 days free trial.

There are also many healthcare practices and organizations that use Dialpad; You can check out their stories here:

• Fenway Health
• firefly health
• Metropolitan Pediatrics
• your greeting
• IPM Medical Group

See how Dialpad keeps communications HIPAA compliant and leverages the power of the cloud to keep your data managed, secure and private:

• Rigorous security risk assessment:Dialpad is SOC2 Type 2 certified and has completed the Cloud Security Alliance Consensus Assessment Initiative Questionnaire (CAIQ), which addresses the controls listed in the HIPAA Security and Privacy Rule andmeets the needsthe HIPAA security risk assessment.

• VALIDITY:Dialpad provides a contractual commitment to implement HIPAA safeguards to protect ePHI. This also ensures that all subcontractors associated with Dialpad also follow these security measures.

• Identity and access management.Single sign-on (SSO) and automated user provisioning by providers such as Azure,Google Workspace, OneLogin eoktameans the right people on your team always have access to the right data. No less, no more. And if you use passwords, authorization is communicated over HTTPS and secured by the administrator's choice of OAuth2.0, SAML 2.0, or an email and password combination (which is stored and encrypted with a one-way hash function, which is a highly salted cryptographic password).

• Google Cloud-Plattform:Dial-in websites, web applications, smartphone backends and sensitive customer data are processed and stored using the trusted Google Cloud Platform services.

• Failover e backups:Automatic backups are built into our system. Every aspect of our system is designed for redundancy, so in the event of a failure there is always an alternative to immediately replace it.

• 24/7 emergency response:The Dialpad team is available 24 hours a day, 365 days a year and uses a "sun tracking" support model, so no matter where you are located, Dialpad is there when we need it.

  (Video) nVoq.Voice - A simple to use, HIPAA compliant, accurate medical speech-to-text solution for Windows.

• Proactive recording and monitoring:We monitor access to sensitive information records and systems and have an incident monitoring system in place, complete with trained personnel to proactively identify unusual activity.

• Customizable retention policies: Voncall recordingfor next-generation speech recognition and real-time analytics, use Dialpad's full suite of tools with confidence that you can keep the data you need for as long as you need it (and no longer). Dialpad's BAA includes a 30-day recommended retention policy for BAA customers to reduce their exposure. This period can be extended if necessary.

Looking for a HIPAA compliant VoIP communications provider?

Learn why healthcare organizations love using Dialpad to work from anywhere. Schedule a product tour!

HIPAA Compliant VoIP FAQ