VoIP Phones and HIPAA Compliance
Many years ago, the federal government issued guidance that clarified that traditional analog phone systems are NOT subject to the HIPAA Security rule provisions.
So, what about your VoIP phone system? Many companies, schools and government agencies have moved to VoIP service. It is estimated that by 2017 more than 50% of the calls made in the United States will be over a VoIP-based system. VoIP is a method for taking analog audio signals and turning them into digital data that can be transmitted over the internet instead of traditional analog phone lines. Does patient information stored and processed by these phone systems constitute electronic Protected Health Information?
By definition, electronic Protected Health Information (ePHI) is data which is transmitted or maintained on electronic media. Electronic media is defined as either:
- Electronic storage material, which includes, for example, computer hard drives, or
- Transmission media, which includes, for example, the internet.
Note that part of this definition changed with the 2013 Omnibus Rule changes, and states “Certain transmissions, including of paper, via facsimile, and of voice, via the telephone, are not considered to be transmissions via electronic media, if the information being exchanged did not exist in electronic form immediately before the transmission”.
Note the quoted wording above, which represents the changes made by the Omnibus Rule in January 2013. For VoIP systems that do not include voice mail (this eliminates just about all VoIP service providers) there might be opportunity for debate over whether the information in VoIP systems meets the definition of electronic Protected Health Information. However, voice mails are clearly stored on computer hard drives or other electronic storage material. So some might argue that if you don’t have voice mail on your VoIP system you might be more compliant with the HIPAA guidelines.
What features does HIPAA look for in a VoIP-based telephone system?
The implementation specifications in the HIPAA rule that apply to software include:
- Unique User ID & authentication. Phones identify themselves with the phone number or serial number on the phone.
- Access Controls. Certain users may have additional privileges beyond making phone calls so the system should support different classes of users.
- Audit logs. The system should record call metadata, as well as any details regarding any administrative activities performed by an authenticated user.
- Encryption. TLS and/or VPNs can be employed between IP phones and the Communications Manager software. For data at rest, for example voicemails, other encryption technologies can be used.
- Business Associate Agreement. When cloud-based VoIP solutions are used, an essential ingredient is the HIPAA Business Associate agreement. The cloud provider has an additional set of compliance obligations including their own physical, technical and administrative controls.
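The audit-log, unique-user-ID and encryption controls above can be checked against the logs a phone system actually produces. The following is an added example, not code from the original page or from any phone system vendor; it assumes a hypothetical PBX audit-log line format (timestamp, event, user, transport) and a constructed sample log, and flags voicemail or admin activity over cleartext transport, admin changes by non-admin accounts, and use of shared (non-unique) logins.

```python
"""Review a PBX audit log for the VoIP controls listed above (constructed example)."""
import re
from collections import Counter

# Constructed sample lines in a hypothetical audit-log format:
# <timestamp> <event> user=<id> transport=<proto> [key=value ...]
SAMPLE_LOG = """\
2024-03-01T09:00:01 call user=ext201 transport=tls from=ext201 to=ext305 dur=42
2024-03-01T09:02:10 vm_access user=ext201 transport=tls mailbox=201
2024-03-01T09:05:33 vm_access user=ext340 transport=udp mailbox=340
2024-03-01T09:07:00 admin_change user=admin transport=tls setting=voicemail_retention
2024-03-01T09:08:12 admin_change user=ext201 transport=tls setting=call_recording
2024-03-01T09:09:45 vm_access user=shared-frontdesk transport=tls mailbox=100
2024-03-01T09:10:00 admin_change user=shared-frontdesk transport=tls setting=user_add
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) transport=(?P<transport>\S+)(?P<rest>.*)$"
)
ADMIN_USERS = {"admin"}      # assumed: accounts permitted to perform administrative changes
SHARED_PREFIX = "shared-"    # assumed naming convention for non-unique (shared) logins
SENSITIVE_EVENTS = {"vm_access", "admin_change"}  # events that touch stored ePHI or config


def parse(log_text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def findings(records):
    """Return (kind, timestamp, user, detail) tuples for each control violation."""
    out = []
    for r in records:
        if r["event"] in SENSITIVE_EVENTS and r["transport"] != "tls":
            out.append(("cleartext", r["ts"], r["user"], r["event"]))
        if r["event"] == "admin_change" and r["user"] not in ADMIN_USERS:
            out.append(("unauthorized_admin", r["ts"], r["user"], r["rest"].strip()))
        if r["user"].startswith(SHARED_PREFIX):
            out.append(("shared_account", r["ts"], r["user"], r["event"]))
    return out


def summarize(found):
    """Count findings by kind, e.g. Counter({'unauthorized_admin': 2, ...})."""
    return Counter(kind for kind, *_ in found)
```

Running `summarize(findings(parse(SAMPLE_LOG)))` on the constructed log reports one cleartext voicemail retrieval, two admin changes by non-admin accounts and two uses of a shared login.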
Be Wary of VoIP Providers Offering Conduit Service Without BAAs
The HIPAA Final Omnibus Rule has an extensive explanatory discussion by the Department of Health and Human Services (HHS). It talks about the “mere conduit” exception, where a service provider only passes through protected health information. A phone-only service would be a mere conduit. But with voicemail and call recording—two facets of most VoIP-enabled unified communications services—it goes beyond that. HHS emphasized that persistent data storage means an entity is “maintaining” protected health information, and thus triggers Business Associate status. Also, HHS says in that document that the mere conduit exception is a narrow one. So, there is no doubt that HHS is going to conclude that VoIP providers’ services are HIPAA-regulated, and “conduit service” is not going to get anyone off the hook. Companies doing business with non-compliant VoIP providers are probably not going to “get a break” on this one, either.
Carolina Digital and Business Associate Agreement (BAA)
Your VoIP phone system with Carolina Digital is a hosted application, and you need to assess its risks during your risk assessment, conduct the appropriate security evaluation and document compliance. Carolina Digital makes sure the data you store on our servers in our secure data center is secure and only accessible by you and your authorized agents. If it is necessary for your company to have Carolina Digital enter into a Business Associate Agreement in order to be compliant with your privacy policies and further compliant with HIPAA, we have drafted a Sample Business Associate Agreement for your review. After reviewing this sample agreement, the management team at Carolina Digital will tailor an agreement to your specific requirements. We recommend that any legal document you sign be reviewed by your legal counsel. Likewise, we have two attorneys who review all documents we enter into. The Sample Business Associate Agreement we have provided is a template only and is not for signature.
Resources to determine how your business can be HIPAA compliant:
- Sample Business Associate Agreements – U.S. Department of Health & Human Services
- National Institute of Standards and Technology – a Federal Government web site HIPAA Security Rule Toolkit
- How do I become HIPAA Compliant Checklist from TruVault
- HIPAANews.org – a Checklist to protecting the privacy of personal health information
- Compliance Helper – Assure compliance with HIPAAssure