Why Your VoIP Provider Really DOES Need to Support Your HIPAA Compliance

We recently published a blog that explained the issues with the new HIPAA “conduit service” that some VoIP providers are offering without the necessary Business Associate Agreement. Since then, we’ve gotten even more questions about business communication providers’ HIPAA obligations to their customers. Full disclosure: 8x8 is a fully HIPAA-compliant unified communications (UC) VoIP provider that supplies its customers with documentation of HIPAA compliance called Business Associate Agreements.

You might think that HIPAA, a set of patient privacy regulations, doesn’t affect many companies, but the definition has been broadened—a lot. Examples of companies that must comply with HIPAA include health insurance providers, personnel departments of companies with health coverage, and healthcare-related businesses. In addition, any of the subcontractors or partners of businesses that significantly touch protected health information are also regulated under HIPAA, expanding the number of covered businesses to hundreds of thousands, if not millions.

Why VoIP Providers Need to Comply

So we thought we’d take this opportunity to address some important issues that our readers have raised. One of them writes that he thought that “VoIP is not subject to HIPAA compliance at this time.” The source of his confusion is this part of the HIPAA regulations: “Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.”

So, the writer asks, doesn’t that mean that providers of fax and phone communications are exempt from the need to be HIPAA-compliant business associates?

Exemptions Are Rare and Only Apply to Paper-to-Paper Faxes and Voice

Well, the statements about fax and phone are true, but they refer only to voice communications and to faxes in which a paper is fed into a machine and printed at the other end. If VoIP were only voice phone calls, then this statement would be correct.

However, we now have voicemails and call recordings in which protected health information is left as persistent—that is, stored—recorded computer files. These files make the VoIP provider subject to HIPAA. I am guessing that almost all, if not all, VoIP providers give customers voicemail.

Also, today’s faxes are often delivered in unified communications systems by email. Email is persistent data storage over time, so faxes transmitted in this way trigger HIPAA compliance. (In our last blog on “conduit service,” a vendor offered a service that stored faxes for 30 DAYS, which would almost certainly trigger the need for the VoIP provider to be a HIPAA-compliant business associate of any company that needs HIPAA compliance.)

In short, for regular paper-to-paper fax—an increasingly rare way of sending faxes—the statement is true. For modern unified communications, where faxes are delivered by email, the statement is not true because of the email aspect.

VoIP Providers are Subject to HIPAA

That’s why it’s a dangerous oversimplification to say that “telecommunications is not subject to HIPAA.” HIPAA isn’t just a compliance directive or a best practice; it’s a law, with real teeth and serious consequences for violations.

And make no mistake: Under the HITECH Act and following regulations, if you’re a company handling protected health information and therefore subject to HIPAA, your business associates are directly responsible for compliance, too. That’s why VoIP providers need to be the documented business associate of any HIPAA covered entity, such as a hospital, dentist office, elder care facility, insurance company or doctor’s office.

Consequences of Using a Non-compliant Unified Communications Provider

And if a business that handles protected health information uses a unified communications service such as a VoIP provider, that provider needs to have the processes, procedures and safeguards necessary to comply with the way HIPAA requires protected health information be handled. Otherwise, the VoIP provider can’t issue Business Associate Agreements to its customers, and its customers won’t be able to supply the required documentation of their compliance. The compliance of all of the VoIP provider’s HIPAA-covered customers could then be in jeopardy.

Be Wary of VoIP Providers Offering Conduit Service Without BAAs

The HIPAA Final Omnibus Rule has an extensive explanatory discussion by the Department of Health and Human Services (HHS). It talks about the “mere conduit” exception, where a service provider only passes through protected health information. A phone-only service would be a mere conduit.

But with voicemail and call recording—two facets of most VoIP-enabled unified communications services—it goes beyond that. HHS emphasized that persistent data storage means an entity is “maintaining” protected health information, and thus triggers Business Associate status.

Also, HHS says in that document that the mere conduit exception is a narrow one. So, there is no doubt that HHS is going to conclude that VoIP providers’ services are HIPAA-regulated, and “conduit service” is not going to get anyone off the hook. Companies doing business with non-compliant VoIP providers are probably not going to “get a break” on this one, either.

Just make sure yours is not one of them. Get it in writing. Get a Business Associate Agreement. 8x8 can show you how.

Mike McAlpen


Mike McAlpen is the Executive Director of Security and Compliance at 8x8, one of the largest US VoIP providers for business. Prior to this, Mike was a business leader with Visa, Inc. Global Information Security and Compliance. Before this Mike was a leader in HP Professional Services Information Security, CIO/CISO Advisory and other services for nearly 12 years. Mike is a frequent Information Security speaker, a three-term IT Services Management Foundation President, on the Board of Directors of the Silicon Valley ISSA, and active in ISACA, FBI/DHS InfraGard, U.S. Secret Service’s Cyber Crime Task Force and the American Bar Association Science and Technology Section’s Information Security Committee.
