Disclaimer: We sustain our work & review products through paid collaborations.
HIPAA Compliance in Cloud Phone Systems

There are plenty of reasons why anyone would choose to use a cloud phone system. Many people say it’s the low deployment and maintenance costs. Others would say it’s the set of enterprise-grade features. Then there are those who would highlight scalability as the greatest advantage. While all of these attributes are important in virtual phone systems, whenever a business engages in any kind of medical activity, they also have to take into consideration another even more crucial element: HIPAA compliance. And while cloud technology is more than capable of handling confidential patient data without accidentally disclosing it to strangers, it needs special attention from users and VoIP providers alike to call a phone system fully HIPAA-compliant.

Why does HIPAA compliance matter?

HIPAA is the abbreviation of Health Insurance Portability and Accountability Act, a law that requires businesses in the healthcare industry to ensure the privacy and security of any personal medical record transmitted from one place to another. Translated to the world of VoIP, this means that any phone call or text message exchanged between patients and doctors that involves confidential medical information must be protected from being disclosed – inadvertently or otherwise – at all costs. As such, for a VoIP system to be considered fully HIPAA-compliant, it must meet the following requirements:

  • Voice/video calls and text messages receive end-to-end encryption to prevent third-party interception.
  • The forwarding of call recordings, voicemails, and SMS/chat messages to email addresses is disabled.
  • Calls and messages are automatically deleted from the phone system manager after 30 calendar days or less.
  • A business associate agreement is offered on request.

Failure to comply with any of these requirements automatically disqualifies the VoIP provider from being HIPAA-compliant and, therefore, it cannot legally be used for transmitting and storing medical data. In fact, users who intend to handle such highly sensitive information via a VoIP system that isn’t HIPAA compliant are risking tens of thousands if not millions of dollars in fines.

False friends

Admittedly, the vast majority of VoIP providers already meet the requirements of HIPAA. Not only do all calls and messages receive end-to-end encryption, but they are also stored on secure servers where not even the VoIP service provider can decode them. Then there is the fact that the entire system is password protected, whether that’s the admin console that handles everything to do with the service or just a virtual extension. Voicemail forwarding also has to be activated manually by users, making it HIPAA-compliant by default.

So, if all these settings make VoIP solutions natively HIPAA compliant, what is the problem? Why isn’t it enough that these security features are available by default, or that special settings exist to disable anything that may prevent the system from complying with HIPAA regulations? The answer lies in what seems to be the least significant detail: the business associate agreement. That agreement, or BAA for short, is a must to confirm that the chosen VoIP service provider meets the required HIPAA standards and to clearly outline each contracting party’s rights and obligations. If the provider doesn’t provide a BAA, it shouldn’t be used for handling confidential medical information at all.

VoIP services that are fully HIPAA-compliant

Not providing a BAA already narrows down the list of VoIP solution providers that meet HIPAA’s standards, but that doesn’t mean there aren’t any. RingCentral, for instance, has a specific HIPAA setting in its admin console that disables the email forwarding feature as well as altering the settings to delete all recorded calls, voicemails, chats, SMSs, and faxes after 30 days. In addition to that, the company also implements extra security features like a session timer to log you out of accounts after a certain period of inactivity and it also equips calls with TLS/SRTP encryption. It’s worth adding that although RingCentral does offer BAAs to its subscribers, the only businesses that are entitled to receive them are those that have at least 20 users and are on either the Premium or Ultimate plan.


Another provider, Phone.com, has a different approach. Firstly, settings that could potentially violate HIPAA compliance – such as call recording, voicemail to email, voicemail transcription, etc. – are either not enabled by default or only available as extra, pay-only features. And secondly, it offers the necessary BAA documents to users on request regardless of the subscription plan that they are on.

