The Health Insurance Portability and Accountability Act (HIPAA) provides consumers with valuable protections to keep their personal health information secure.

Healthcare providers must meet certain requirements aimed at protecting this data. Failing to do so can result in heavy fines or even imprisonment. A major component of HIPAA compliance lies in the technology that health organizations use, from electronic health records and data-collecting diagnostic devices to the business phone service they rely on.

What is a HIPAA-Compliant VoIP Phone System?

Voice over Internet Protocol (VoIP) services must follow HIPAA guidelines because voice messages and recorded calls are stored as computer data. This type of data is known as ePHI (electronic protected health information), and keeping it secure is critically important.

HIPAA applies to every business and organization that comes in contact with a patient’s personal health information. These companies may not work directly with patients but may simply be part of the healthcare ecosystem. Regardless, any organization that handles patient data must meet these standards.

Some types of companies that traditionally must meet HIPAA guidelines include:

  • Billing companies
  • Practice management firms
  • Third-party consultants
  • Electronic health record platforms
  • Managed service providers
  • IT providers
  • Faxing companies
  • Shredding companies
  • Physical storage providers
  • Cloud storage providers
  • Email hosting services
  • Attorneys
  • Accountants


HIPAA Compliance Requirements

To be compliant, a VoIP system must implement both physical and network security measures. While there are numerous rules and regulations to follow, any technology used to store or transmit patient data must:

  • Maintain and ensure confidentiality, integrity, and availability of PHI and ePHI
  • Identify and safeguard against threats to the security and integrity of patients’ information
  • Protect against reasonably anticipated impermissible uses or disclosures
  • Ensure that the workforce, both direct employees and contractors, complies with the HIPAA guidelines

 

To stay compliant with HIPAA laws, VoIP systems must meet these four main requirements:

 

Authentication

Only authorized users should have access to ePHI. Every phone line should have a unique user ID to help ensure that only the proper employees have access to patient data.

 

Encryption

Patient data must be encrypted whenever it is transmitted or shared. Most quality VoIP systems use technologies such as virtual private networks (VPNs) or transport layer security (TLS) to meet this requirement. Note that TLS on its own protects the call signaling; the voice stream itself must also be encrypted (for example with SRTP) for the content of the call to be covered.

 

Call Logs

To meet HIPAA requirements, VoIP phone systems must be able to log all call data. This includes call metadata and any administrative actions performed during the call.

 

Business Associate Agreement

Every VoIP provider that works with companies that collect health information must enter into a HIPAA Business Associate Agreement (BAA). This contract sets out the provider’s compliance obligations.

For further explanation or to find answers to specific questions, consult the US Department of Health & Human Services HIPAA compliance web portal.


Consequences of Using a Non-HIPAA Compliant VoIP

HIPAA imposes direct penalties on organizations that do not comply with the standards outlined. These penalties range from small fines to potential imprisonment, although business leaders who have made a good-faith effort should not worry that they will go to jail for a violation. The harshest penalties are reserved for organizations that willingly and knowingly broke the rules.

 

HIPAA Violation Tiers

The law breaks penalties into four tiers based on the egregiousness of the violation.

  • First Tier: The company did not know, and could not reasonably have known, about the violation. Fines range from $1,000 to $50,000 per incident, with a maximum fine of $1.5 million per year.
  • Second Tier: The company would have known about the violation by exercising reasonable diligence, but is not believed to have acted with willful neglect. Fines range from $1,000 to $50,000 per incident, with a maximum fine of $1.5 million per year.
  • Third Tier: The company acted with willful neglect but corrected the issue within 30 days of the violation. Fines range from $10,000 to $50,000 per incident, with a maximum fine of $1.5 million per year.
  • Fourth Tier: The company acted with willful neglect and failed to remedy the problem in a timely manner. Fines start at $50,000 per incident, with a maximum fine of $1.5 million per year.

Potential criminal charges can come if HHS determines there was deliberate malicious intent. HHS would work with the Department of Justice to assign criminal penalties to egregious violators.

 

Tarnished Reputation

The penalties from the federal government can hurt an organization financially, but HIPAA violations have other consequences. Companies found to be out of compliance with HIPAA standards damage their business reputation, which can lead to the loss of current clients or an inability to attract new customers.


What Are the Best HIPAA Compliant VoIP Phone Systems?

While many top VoIP providers have HIPAA-compliant systems, businesses looking to purchase a phone system should confirm that their solution meets federal regulations before purchasing. Let’s look at some of the most popular HIPAA-compliant VoIP phone systems.

 

Nextiva


Nextiva is one of the top-rated VoIP providers on our site, and many of Nextiva’s platforms meet HIPAA compliance guidelines.

Key Features

  • Unlimited calling
  • HD voice
  • Real-time presence
  • Online faxing
  • Conference lines
  • Team collaboration

 

Pros & Cons

Pros:

  • History of reliability
  • Easy and intuitive to use
  • Wide range of products based on customer needs

Cons:

  • May need additional tech support
  • Does not integrate with as many platforms as other VoIP providers

 

Pricing

 

Essential: Starts at $18.85 per month per user

  • Unlimited voice call
  • Unlimited internet fax
  • Free local and toll-free numbers
  • 24×7 customer support

 

Professional: Starts at $22.95 per month per user

  • All Essential features
  • Unlimited audio and video meetings
  • Business text messaging
  • Team collaboration tools
  • Voicemail to email & SMS

 

Enterprise: Starts at $32.95 per month per user

  • All Professional features
  • Call recording and voice analytics
  • Audio and video conference recording
  • Microsoft and Salesforce integrations
  • Single sign-on management


RingCentral


One of the most popular VoIP providers, RingCentral has a HIPAA setting designed to delete information in line with HIPAA compliance efforts.

 

Key Features

  • Voicemail and greeting
  • Video conferencing
  • Unlimited business SMS
  • Toll-free and local numbers
  • Online meetings

 

Pros & Cons

Pros:

  • High-quality audio and video
  • Straightforward customer interface
  • Easy collaboration

Cons:

  • Limited number of users at lowest tier
  • Lots of pop-ups to navigate

 

Pricing

 

Essentials: $19.99 per month per user

  • Up to 20 users
  • Business phone or toll-free numbers
  • Unlimited calls within the US and Canada
  • Unlimited business SMS

 

Standard: $27.99 per month per user

  • All Essentials features
  • No limit on users
  • Business phone numbers in over 100 countries
  • Unlimited audio conferencing

 

Premium: $34.99 per month per user

  • Everything in Standard
  • Automatic call recording
  • Single sign-on
  • Multi-site admin and management

 

Ultimate: $49.99 per month per user

  • Everything in Premium
  • Device status reports
  • Device status alerts
  • Unlimited storage


Zoom

 

Another leading platform, Zoom offers HIPAA compliance along with the ability for settings to be changed at the network level depending on customer needs.

 

Key Features

  • HD video and audio
  • Participant camera feeds
  • Audio-only conferencing
  • Cross-platform messaging

 

Pros & Cons

Pros:

  • Simple to operate and use
  • Wide range of features with intuitive design
  • Strong security

Cons:

  • App download requirement
  • Time limit for lower tiers

 

Pricing

 

Pay As You Go: $10 per month per user

  • US & Canada-based numbers
  • Domestic SMS & MMS
  • Extension to extension and outbound calling

 

Unlimited Regional Calling: $15 per month per user

  • Unlimited calling within the US and Canada
  • Make and receive calls from multiple devices
  • Optional add-on to make calls to 18 more countries

 

Pro Select Global: $20 per month per user

  • Direct dial number
  • Unlimited calling in more than 40 countries
  • Advanced phone features


Vonage

 

Vonage provides HIPAA-compliant solutions to healthcare companies across their preferred communication channels.

 

Key Features

  • Call hold
  • Caller ID
  • HD voice
  • Call Screening
  • Call Continuity
  • Multiple devices on one extension

 

Pros & Cons

Pros:

  • Lowest tier still includes unlimited calls
  • Strong CRM integrations
  • 24/7 service and tech support for all plans

Cons:

  • Toll-free number cost
  • Lowest tier does not work with desk phones

 

Pricing

 

Mobile: $14.99 per month per user

  • Unlimited calling and text messaging
  • Mobile and desktop applications

 

Premium: $24.99 per month per user

  • Video conferencing
  • CRM integrations
  • Multilevel auto attendant

 

Advanced: $34.99 per month per user

  • Call recording
  • Voicemail transcription
  • White glove setup


Dialpad


Built on the Google platform, Dialpad has established itself as one of the most reliable VoIP providers available.

 

Key Features

  • Unlimited calling
  • Mobile and softphone app support
  • Call recording
  • Custom routing
  • Toll-free number support
  • Automatic spam detection

 

Pros & Cons

Pros:

  • Google and Microsoft integrations available at base level
  • AI-powered call analysis
  • APIs provide call data and additional management functionality

Cons:

  • 14-day free trial period is shorter than most other platforms
  • Free video conferences limited to 45 minutes and 10 people

 

Pricing

 

Standard: $20 per month per user

  • Third-party software integrations
  • Voicemail transcription

 

Pro: $30 per month per user

  • Expanded integration with apps
  • More ring groups
  • 24/7 customer service

 

Enterprise: Contact Dialpad for a custom quote

  • Phone extensions
  • Advanced analytics
  • Enhanced user integrations


Conclusion

HIPAA compliance is important for any business that interacts with healthcare data. The federal government has made it a priority to keep patient data protected at all costs, imposing stiff penalties on those that fail to follow the law. While the VoIP industry has largely adjusted to HIPAA needs, companies using new or smaller VoIP providers may find themselves with fewer protections than they need. Businesses should treat HIPAA compliance, and a VoIP provider’s history of providing HIPAA-secure solutions, as one component of their overall purchase decision.


HIPAA Compliant VoIP FAQs

While there is no specific list, any organization that handles individual patient health data in any form should ensure they meet all HIPAA compliance requirements.

VoIP phones do not automatically meet HIPAA compliance requirements. Businesses that must ensure they use HIPAA-compliant technology should specifically ask a VoIP provider if their solution meets the HIPAA standard.

VoIP systems must meet four primary requirements to be in compliance: the ability to authenticate users, encrypt data, log calls, and enter into a business associate agreement (BAA) with customers.