What is a HIPAA-Compliant Phone Service?
With the introduction of VoIP, more and more organizations have been moving away from traditional phone lines. This is largely because VoIP services cost much less than traditional phones and need little on-premises hardware to function.
Traditional phones have taken a back seat because of their higher cost, lower flexibility and mobility, and lack of security controls such as encryption, access control and audit logging. What's more, 82% of businesses have reported cost savings after moving to cloud services, and 92% reported an improvement in security after the switch. This brings us to the question: what is a HIPAA-compliant phone service?
In the healthcare industry, you cannot do without HIPAA compliance. Every medium, from texting to calling, needs to comply with HIPAA so that patient data is safeguarded. Strictly speaking, HIPAA compliance is an obligation of the covered entity rather than a property of a product, but unlike traditional phone lines, VoIP platforms can support it through encryption, access controls and audit logging, and by contracting with you under a Business Associate Agreement (BAA).
In this article, we will walk through the ins and outs of HIPAA-compliant VoIP services.
Why do you need a HIPAA-compliant VoIP Service?
The need for HIPAA compliance in VoIP calling arises from certain aspects of calling that may accidentally reveal patient information that needs to be safeguarded. Let's have a look at them:
- Caller ID information: This seemingly harmless feature can expose ePHI (electronic protected health information). Caller ID and call logs link a phone number, and so an individual, to a medical practice and to the type of service it provides; a call log showing repeated calls to an oncology or behavioral health clinic is sensitive in itself.
- Call Recording: Recordings capture whatever was said on the call, which will often include PHI. Anything retained for a long period, and anywhere it is copied, widens the exposure if access to it is not controlled.
- Voicemail: Like call recordings, stored voicemail messages can be accessed later, and any ePHI mentioned in them becomes accessible along with the message.
- Voicemail Transcription: A transcript contains the same ePHI as the voicemail it was made from, in searchable text; storing it without protection puts that PHI at risk.
- SMS: SMS is not HIPAA-compliant by nature. Messages travel unencrypted over the carrier network and sit in plain text on the handset and at the carrier, so the carrier, anyone holding the device, or anyone who intercepts the message can read them. Keeping PHI out of the SMS itself is therefore an important facet of compliant texting.
We just saw all the aspects of calling that would risk e-PHI, so how can VOIP platforms secure these?
Channels | VoIP features |
Caller ID | Encryption of calls in transit (TLS for signalling, SRTP for media) and of stored call logs. Access controls and audit controls on who can view call history. |
Call Recording | Encryption at rest. Access controls and audit controls. |
Voicemail | Encryption at rest. Access controls and audit controls. |
Voicemail Transcription | Encryption at rest. Access controls and audit controls. |
SMS | Secure texting: the SMS carries only a link to a TLS-protected, authenticated portal where the message is read, so no PHI travels in the text itself. |
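How a secure link for texting keeps PHI out of the SMS itself, as an added example that is not code from the original page or from any vendor named in it. The portal URL, the in-memory message store and the token format are assumptions made for the example: the SMS body carries only an opaque, HMAC-signed, expiring, single-use token, and the patient reads the actual message over TLS after authenticating to the portal (the login step is outside the example).

```python
"""Secure-link texting (added example): the SMS contains no PHI, only a link
carrying an opaque, HMAC-signed, expiring, single-use token. The PHI itself is
read over TLS from a portal the patient must log in to."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical server-side signing key; in production it lives in a KMS/HSM.
SERVER_KEY = secrets.token_bytes(32)
PORTAL_BASE = "https://portal.example-practice.test/m/"  # assumed portal URL
TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory token store: token_id -> {message_id, expires, used}.
_TOKENS: Dict[str, dict] = {}


def _sign(payload: bytes) -> str:
    """URL-safe base64 HMAC-SHA256 tag over the token payload."""
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).rstrip(b"=").decode()


def issue_secure_link(message_id: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Create a token for a stored secure message and return (sms_body, token).

    The SMS body deliberately names neither the patient nor the message content;
    the token is random and tells an eavesdropper nothing about either."""
    now = time.time() if now is None else now
    token_id = secrets.token_urlsafe(16)
    expires = int(now + TOKEN_TTL_SECONDS)
    payload = f"{token_id}.{expires}"
    token = f"{payload}.{_sign(payload.encode())}"
    _TOKENS[token_id] = {"message_id": message_id, "expires": expires, "used": False}
    sms_body = ("You have a new secure message from your care team. "
                f"Open it here: {PORTAL_BASE}{token}")
    return sms_body, token


def redeem_secure_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Validate signature, expiry and single use; return the message id or None.

    The signature is checked first so a forged or tampered token is rejected
    before any stored state is consulted. Redemption alone must not reveal PHI:
    the caller still has to authenticate the patient before serving the message."""
    now = time.time() if now is None else now
    try:
        token_id, exp_str, tag = token.split(".")
        expires = int(exp_str)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(f"{token_id}.{exp_str}".encode()), tag):
        return None
    record = _TOKENS.get(token_id)
    if record is None or record["used"] or record["expires"] != expires or now > expires:
        return None
    record["used"] = True  # single use: a forwarded or re-clicked link is dead
    return record["message_id"]


def sms_body_leaks_phi(sms_body: str, phi_values) -> bool:
    """Pre-send check: refuse any SMS whose body contains a value from the patient's record."""
    lowered = sms_body.lower()
    return any(str(v).lower() in lowered for v in phi_values if str(v).strip())
```

The pre-send check is the piece most often missing in practice: a reminder template that interpolates the appointment reason or a medication name has already put PHI into the carrier network before any "secure link" is involved, so the body is screened against the patient's record values before it is handed to the SMS gateway.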
Let’s now have a look at these features of VOIP in detail.
What makes VOIP services HIPAA compliant?
As we just saw in the section above, VoIP platforms rely on several features to support HIPAA compliance. These features include:
Encryption
Encryption is the process of protecting data by transforming it so that it is unreadable to anyone without the key. An attacker who intercepts encrypted traffic still captures it, but sees only ciphertext; what encryption prevents is reading or silently altering the content, not the interception itself.
Technically, encryption in transit converts the call signalling and audio into ciphertext using a session key negotiated between the endpoints (for VoIP, typically TLS for signalling and SRTP for media). Only a party holding the key can turn it back into plaintext. Note that "end-to-end" is often used loosely by vendors: a hosted platform that records, transcribes or routes your calls necessarily has access to the plaintext on its servers, which is exactly why the BAA matters.
Encryption at rest protects stored recordings, voicemail and transcripts: the data is kept as ciphertext on disk, with the keys held separately, so that a stolen disk, a backup or a database export is useless without the keys. Deciding which personnel may decrypt and view the data is the job of authentication and access controls, covered below.
Single Tenant Architecture
Single Tenant Architecture provides each customer (tenant) with its own instance of the VoIP software. Each tenant gets dedicated application servers and its own database, so one customer's data is separated from every other customer's, and each tenant's database has its own isolated backup.
If one tenant of the provider suffers a breach, another tenant's data is unaffected, because it lives in a separate instance rather than in shared tables; this supports the privacy and security of the data.
Access Controls
Access Control features ensure that only personnel with a legitimate need for PHI can reach it, and only the PHI their job requires (least privilege). With a VoIP platform you can define role-based access controls, for example letting a nurse listen to clinical voicemail while a billing clerk sees only call logs, and every access should be denied unless a role explicitly grants it.
Audit Trails
Audit trails are detailed logs of every activity involving PHI on the platform: who accessed what, when, and whether the attempt succeeded. Entries usually include a timestamp, the user, the type of communication or record touched, and the action taken. Denied attempts belong in the log too, and the log itself should be protected from alteration. This is an essential feature in case of a security breach, since it is what lets you establish what was actually exposed.
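Access controls and audit trails working together, as an added example rather than code from the page or from any vendor it names: a deny-by-default role table for stored call artifacts, and a hash-chained audit log that records every attempt, allowed or denied, without copying the PHI into the log. The role names, artifact identifiers and sample artifact contents are constructed for the example.

```python
"""Role-based access to call artifacts plus a tamper-evident audit trail
(added example; roles, identifiers and artifact contents are constructed)."""
import hashlib
import json
from typing import Dict, List, Optional, Set, Tuple

# Deny-by-default: a role may only perform the (resource_type, action) pairs
# listed here. Anything not listed is refused.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "front_desk": {("call_log", "read"), ("voicemail", "listen")},
    "nurse":      {("call_log", "read"), ("voicemail", "listen"), ("transcript", "read")},
    "billing":    {("call_log", "read")},
    "compliance": {("audit_log", "read")},
}


def _entry_hash(entry: dict) -> str:
    """SHA-256 over the entry's fields (excluding its own hash), in canonical order."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log; each entry commits to the previous one via prev_hash, so
    editing or deleting an earlier entry breaks verify_chain()."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, ts: str, actor: str, role: str, resource_type: str,
               resource_id: str, action: str, outcome: str) -> dict:
        # The log names the resource, never its content: the audit trail must
        # not become a second, less protected copy of the PHI.
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": ts, "actor": actor, "role": role, "resource_type": resource_type,
                 "resource_id": resource_id, "action": action, "outcome": outcome,
                 "prev_hash": prev_hash}
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every hash and link; False if any entry was altered or removed."""
        prev_hash = "0" * 64
        for entry in self.entries:
            if entry["prev_hash"] != prev_hash or entry["hash"] != _entry_hash(entry):
                return False
            prev_hash = entry["hash"]
        return True


class ArtifactStore:
    """Stored call artifacts gated by ROLE_PERMISSIONS; every access attempt is audited."""

    def __init__(self, audit: AuditTrail) -> None:
        self.audit = audit
        # Constructed sample artifacts. A real store would hold them encrypted at rest.
        self._artifacts: Dict[Tuple[str, str], str] = {
            ("call_log", "cl-1001"): "2024-05-01 09:12 inbound, 3 min, ext. 204",
            ("voicemail", "vm-1001"): "<audio bytes>",
            ("transcript", "tr-1001"): "Caller asks to refill lisinopril 10 mg.",
        }

    def access(self, actor: str, role: str, resource_type: str,
               resource_id: str, action: str, ts: str) -> Optional[str]:
        """Return the artifact if the role permits the action, else None.
        Both outcomes are logged before any data is returned."""
        allowed = (resource_type, action) in ROLE_PERMISSIONS.get(role, set())
        self.audit.record(ts, actor, role, resource_type, resource_id, action,
                          "allowed" if allowed else "denied")
        if not allowed:
            return None
        return self._artifacts.get((resource_type, resource_id))
```

Two design points carry over to any real platform: the permission lookup is a set membership test with no fall-through, so an unknown role or a new artifact type is denied until someone adds it deliberately; and the audit record is written before the data is handed back, so a crash or timeout after the read still leaves evidence that it happened.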
Disaster Recovery and Backup
Healthcare providers must implement contingency plans to guarantee the availability and integrity of electronic protected health information (ePHI) during emergencies, system failures, or natural disasters. These plans should include routine data backups and the capability to rapidly restore communication systems.
BAA
BAA stands for Business Associate Agreement. Any vendor or software handling patient data on your behalf needs to sign one: a contract between the healthcare provider (the covered entity) and the VoIP provider (the business associate) that commits the vendor to HIPAA's safeguards and outlines each party's responsibilities for the security and privacy of PHI. Without a signed BAA, sharing PHI with the vendor is itself a violation.
Features of HIPAA Compliant VOIP services
Now that we know that VOIP services can be HIPAA compliant, let’s have a look at the features these platforms offer that make communication with patients easier and more secure.
Smart Call Routing
Smart call routing is a feature that routes incoming patient calls to the most suitable person or department based on aspects such as patient history, geographic location, nature of query, etc. This feature helps create a smooth patient experience as the patient queries resolve quicker when communicated with the right person.
Multi-level IVR Menu
A multi-level IVR menu routes callers through nested menus: the first selection leads to further menus that narrow the caller down to the exact department or person.
It helps the caller reach the right target through these nested options without an operator in the loop.
Whether it be medication refills, doctor appointments for new or returning patients, or telehealth services each option can be defined in detail through the multi-level IVR menu.
Call Pop
Call pop shows the agent a pop-up summarising the important details for every incoming call, pulled from the patient's record, so the agent has context before answering.
Because the pop-up puts PHI on screen, this feature should itself be access controlled: agents see only the fields their role requires, and screens showing it should not be visible to other patients.
CRM and Business Tool Integrations
Integration with CRMs and EHRs is a core part of HIPAA-compliant VoIP platforms. Only through EHR integration can patient details be reflected in the calling platform, and the call pop discussed above only works if the EHR integration is synchronised. Keep in mind that an integration extends the boundary within which PHI flows: the EHR or CRM vendor must also be under a BAA, the integration should use an authenticated, TLS-protected API, and the VoIP platform should pull only the fields it needs.
Bonus Feature: Bulk SMS
Some HIPAA-compliant VoIP platforms also offer bulk SMS to patients. Practices can use it for appointment reminders or emergency alerts. Because SMS itself is unencrypted, keep the message body free of PHI (no diagnoses, medication names or appointment reasons) and put anything sensitive behind a secure link. Promotional offers are a different matter: HIPAA's marketing rules generally require patient authorization before PHI is used for marketing, so check with compliance before combining the two.
How to Choose a HIPAA-compliant VOIP service?
So if you are looking to choose a HIPAA-compliant VOIP service, what all offerings do you need to look out for? This checklist will make it easy for you!
Offers BAA
As we discussed above, the BAA is a critical contract that details how PHI will be safeguarded and protected. Any HIPAA-compliant VoIP platform you choose must offer a BAA, and must be willing to sign it for the plan tier you are buying. This should be the first thing you ask of a platform.
Has Security Features
As discussed, the HIPAA-compliant VoIP platform should offer the essential features that safeguard patient information: encryption in transit and at rest, role-based access controls, audit controls, secure texting, and so on. Ask how each is implemented, not just whether it appears on a feature list. Without these features, HIPAA compliance cannot be guaranteed.
Offers 24×7 customer support
Healthcare is a large, fast-paced industry that never stops providing its service, so the software it runs on needs customer support that is easy to reach and available 24x7. Look for software with strong support across channels such as chat, phone, email and forums, and ask how quickly security incidents are escalated.
Is Reputable
When finalizing a HIPAA-compliant VOIP platform, you must look into its customer reviews. Customer reviews will give you a good idea about the user experience and if the product is worth your time and money.
Fits your price range
Depending on the size of your healthcare organization, you can choose a HIPAA-compliant VoIP platform that fits your budget. Many offer a diverse range of pricing plans, from as low as $19 per user per month up to around $200. Pricing generally reflects the features offered, so check that the security features and the BAA are included in the tier you are buying rather than reserved for a higher one.
Do not be caught using these services for VOIP!
Since VoIP calling is, after all, just calling over the internet, you might think any popular, free calling service will do, and your practice may already be using one. Let's look at some popular services that practices might be using for calling but that are not HIPAA compliant.
Skype
Skype has been around for a long time. It is probably the first platform that introduced people to VOIP calling. Skype was synonymous with video calling for a long time! Even when people didn’t know what VOIP was they knew Skype to be the facilitator for video calling. But is this popular service HIPAA compliant? NO, it is not!
Reason for non-HIPAA compliance: Skype in its standard (consumer) form is not HIPAA compliant because Microsoft does not sign a Business Associate Agreement (BAA) for it. No platform can be HIPAA compliant without the contractual BAA.
WhatsApp
With over 2.5 billion active users globally, WhatsApp is one of the most popular messaging apps. In March 2015, WhatsApp added voice calling (VoIP), and in 2016 it introduced video calling. WhatsApp is widely known to offer end-to-end encryption, one of the tenets of HIPAA compliance. Even so, it is not considered a HIPAA-compliant VoIP platform. Why?
Reason for non- HIPAA Compliance: Although WhatsApp uses end-to-end encryption, it does not provide the necessary administrative and physical safeguards, nor does it offer a BAA. It is designed primarily for personal use and lacks the controls needed for HIPAA compliance.
Google Voice
Google Voice is a popular and convenient telephony service that includes voicemail, voicemail-to-text transcription, free text messaging, and many other useful features. Given its capabilities, it is unsurprising that many healthcare professionals consider it for their practices. However, remember that the free, personal version of Google Voice is not HIPAA compliant.
Reason for non-HIPAA compliance: Google offers its standard Business Associate Addendum to healthcare organizations only as part of a paid Google Workspace business subscription, and Google Voice is covered only under such a plan. Anyone using the free, personal version of Google Voice has no BAA and is therefore not HIPAA compliant.
Popular HIPAA Compliant VOIP platforms that offer HIPAA compliance across all pricing plans include Emitrr, Nextiva, Vonage etc to name a few.
What happens if a healthcare business uses a Non- HIPAA Compliant VOIP?
What happens if someone is using a VoIP platform that is not HIPAA compliant? This is an important question because the consequences of not adhering to HIPAA can be severe.
Hefty Fines
The maximum financial penalty for willful neglect of the HIPAA Rules is $2,067,813 per violation category, per year. The table below breaks down the penalties by level of culpability (these are inflation-adjusted figures that HHS updates annually).
Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Annual Penalty Limit |
1 | Reasonable Efforts | $137 | $68,928 | $2,067,813 |
2 | Lack of Oversight | $1,379 | $68,928 | $2,067,813 |
3 | Neglect – Rectified within 30 days | $13,785 | $68,928 | $2,067,813 |
4 | Neglect – Not Rectified within 30 days | $68,928 | $68,928 | $2,067,813 |
Reputation Damage
HIPAA violations break patients' trust in your healthcare organization, and its reputation takes a hit. Violations become public through breach notifications and court cases, and patients become wary of approaching an organization that has mishandled their information.
Operational Blocks
An inquiry in response to a HIPAA violation can block operational processes at your organization. Increased scrutiny and audits disrupt daily operations, delaying processes for doctors and patients alike. Organizations may be required to implement corrective actions, including changes to policies, procedures and practices, and may be subject to ongoing monitoring by regulators.
Types of HIPAA Violations
Now that we know the implications of HIPAA violations, let’s see the type of HIPAA violations. These are:
- Impermissible uses and disclosures of PHI.
- Failure to comply with individuals' rights.
- Lack of Notice of Privacy Practices.
- Workforce training and sanctions failures.
- Failure to conduct a risk analysis.
- Non-compliance with audit control standards.
- Failure to develop a contingency plan.
- Lack of physical or technical safeguards.
- Business Associate Agreement failures.
- Failure to comply with the General Provisions for Transactions.
Emitrr: A HIPAA Compliant VOIP Service
Now that you know what could happen if you are using a non-HIPAA compliant service and the common VOIP services that one might mistake for HIPAA-compliant VOIP, let’s see what a HIPAA-compliant VOIP service like Emitrr offers:
- Call Queue
- IVR
- Secure Messaging
- End-to-end encryption
- Access controls
- Audit Controls
- Smart call routing
- 24×7 customer support
- Single Tenant Architecture
FAQs
Which VoIP platforms are HIPAA compliant?
VoIP platforms such as Emitrr, Nextiva and Vonage offer a BAA and the security controls needed to support HIPAA compliance.
Is Google Voice HIPAA compliant?
Google Voice by itself is not HIPAA compliant; it can be used compliantly only under a paid Google Workspace business plan with Google's BAA in place.
Do phone calls need to be HIPAA compliant?
Phone calls need to be HIPAA compliant if they involve the exchange of protected health information (PHI).
Do landline calls need to be HIPAA compliant?
PHI disclosed over a traditional landline is not considered an electronic transmission of PHI, so the HIPAA Security Rule's ePHI requirements do not apply to circuit-switched voice carried over the Public Switched Telephone Network (PSTN). The Privacy Rule still applies to what is said on the call: you still need to verify who you are talking to and disclose only the minimum necessary.
Can staff use personal phones for patient communication?
Personal phones do not meet the requirements of HIPAA compliance and pose a real threat to PHI transmitted through them. They lack encryption, a BAA, security controls and monitoring.
Conclusion
HIPAA Compliance is one of the most essential pillars of a healthcare organization. It is their duty to ensure that every aspect of their functioning is aligned as such that patients’ health information is safeguarded always.
When it comes to patient communication through calling, HIPAA-compliant VOIP platforms are a great way to go because not only do they offer easy means of communication but they also ensure the protection of patient data. A signed BAA between the healthcare organization and the VoIP platform further solidifies the safe record-keeping of PHI.
If you are looking to finalize a HIPAA-compliant VoIP platform, make sure to consider its features, reviews, support and pricing. Emitrr is one of the HIPAA-compliant VoIP platforms that offers advanced calling features, stellar support and a pay-as-you-go pricing plan. Sign up for a demo with Emitrr today!