HIPAA (the Health Insurance Portability and Accountability Act of 1996) mandates data privacy and security provisions for safeguarding patients’ medical information. It protects all health-related information that is held or transmitted by a covered entity or a business associate. Notably, this information can be held not just on paper, as Personal Health Information (PHI), but also as electronic protected health information (ePHI): information that is produced, saved, transferred or received in an electronic form.

You might think that HIPAA is merely a set of patient privacy regulations that doesn’t affect many companies. This couldn’t be further from the truth. The definition and scope of HIPAA compliance have been broadened a lot.

Examples of companies that must comply with HIPAA include health insurance providers, personnel departments of companies with health coverage, and healthcare-related businesses. In addition, any of the subcontractors or partners of businesses that significantly touch protected health information are also regulated under HIPAA, expanding the number of covered businesses to hundreds of thousands, if not millions!

Is VoIP HIPAA Compliant?

Make no mistake: Under the Health Information Technology for Economic and Clinical Health (HITECH) Act enacted in 2009, if you’re a company handling protected health information and therefore subject to HIPAA, your business associates are directly responsible for compliance too. That’s why VoIP providers need to be the documented business associates of any HIPAA covered entity, such as a hospital, dentist’s office, elder care facility, insurance company or doctor’s office.

It’s a dangerous oversimplification to assume that “telecommunications are not subject to HIPAA.” HIPAA isn’t just a compliance directive or a best practice; it’s a law, with real teeth and serious consequences for violations.

HIPAA VoIP Requirements

The journey towards compliance is a slippery slope! I can think of quite a few boxes for HIPAA compliant VoIP to check. To begin with, the VoIP provider should be able to enter into a HIPAA Business Associate Agreement (BAA), which sets compliance obligations with its customers so that the customers can turn around and support their own compliance requirements. That’s not all: the VoIP provider also needs to ensure that all of its unified communications services (phones, fax, collaboration software, and call center software) comply. HIPAA VoIP compliance can be secured by:

  • Protecting sensitive data by using high-level encryption technologies such as Virtual Private Networks (VPN) and Transport Layer Security (TLS).
  • Preventing unauthorized access to data by authenticating phones with a unique user ID.
  • Recording all call data, including metadata and administrative functions performed during calls.

Consequences of Using a Non-HIPAA Compliant VoIP Provider

Keep in mind that if a business that handles protected health information uses a unified communications service such as a VoIP provider, that provider needs to have the processes, procedures, and safeguards necessary to comply with the way HIPAA requires protected health information to be handled. Otherwise, the VoIP provider can’t issue Business Associate Agreements to its customers, and its customers won’t be able to supply the required documentation of their compliance. The compliance of all of the VoIP provider’s HIPAA-covered customers could then be in jeopardy.

Exemptions Are Rare and Only Apply to Paper-to-Paper Faxes and Voice

Well, the statements about fax and phone are true, but they refer to voice communications only, and to faxes in which paper is fed into a machine and printed at the other end. If VoIP were only voice phone calls, then this statement would be correct.

However, we now have voicemails, video conferencing, text messaging and call recordings in which protected health information is left as persistent (that is, shared, stored and recorded) computer files. These files make the VoIP provider subject to HIPAA.

Also, today’s faxes are usually delivered in unified communications systems by email. So, email is persistent data storage over time, and faxes transmitted in this way trigger HIPAA compliance. In short, for regular paper-to-paper fax—an increasingly rare way of sending faxes—the statement is true. For modern unified communications, where faxes are delivered by email, the statement is not true because of the email aspect.

Be Wary of VoIP Providers Offering Conduit Service Without BAAs

The HIPAA Final Omnibus Rule has an extensive explanatory discussion by the Department of Health and Human Services (HHS). It talks about the “mere conduit” exception, where a service provider only passes through protected health information. A phone-only service would be a mere conduit.

But with voicemail and call recording—two facets of most VoIP-enabled unified communications services—it goes beyond that. HHS emphasizes that persistent data storage means an entity is “maintaining” protected health information, which triggers Business Associate status.

Also, HHS says in that document that the mere conduit exception is a narrow one. So, there is no doubt that HHS is going to conclude that VoIP providers’ services are HIPAA-regulated, and “conduit service” is not going to get anyone off the hook. Companies doing business with non-HIPAA compliant VoIP providers are probably not going to “get a break” on this one, either.

We recently published a blog that explained the issues with the new HIPAA “conduit service” that some VoIP providers are offering without the necessary Business Associate Agreement. Since then, we’ve gotten even more questions about business communication providers’ HIPAA obligations to their customers. Full disclosure: 8x8 is a fully HIPAA-compliant unified communications VoIP provider that supplies its customers with documentation of HIPAA compliance called Business Associate Agreements.

Are you worried that your VoIP provider may not be HIPAA compliant? Get a Business Associate Agreement with us. Visit 8x8.com to learn more about how we can help you with VoIP HIPAA Compliance.