HIPAA Compliance for Voice Communications, Part 1: HIPAA Overview

Ever-evolving technology underscores the need to diligently maintain HIPAA compliance for voice communications. Compliance isn't just about avoiding fines and penalties; it's about trust, reputation, and ensuring your business is eligible for new, potentially lucrative opportunities. This four-part series offers an overview of HIPAA laws, how they apply to phone systems, often-overlooked violations and how to choose a provider to keep your voice communications HIPAA compliant. 

HIPAA overview for voice communications 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to prevent the disclosure of protected health information (PHI) without patient consent. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 strengthened HIPAA laws with new provisions for electronic transmission of health information (ePHI).  

Four HIPAA rules pertain to voice communications: 

1. Privacy Rule 

The Privacy Rule mandates that companies must protect medical records and sets conditions for the use and disclosure of protected health information. For voice communications, this means creating policies that prevent unlawful sharing of PHI. 

2. Security Rule 

The Security Rule is designed to maintain the confidentiality of electronically transmitted PHI. It requires administrative, physical and technical safeguards for sending, receiving and storing protected data. 

3. Breach Notification Rule 

The Breach Notification Rule requires companies to notify the U.S. Department of Health & Human Services if there is a breach of unsecured PHI.  

4. Omnibus Rule 

The Omnibus Rule extends HIPAA regulations to business associates and subcontractors that work with covered entities.  

Who must have HIPAA-compliant voice communications? 

Both covered entities and business associates need to ensure their voice communications comply with HIPAA guidelines.  

Covered entities are healthcare providers, health plans and healthcare clearinghouses that electronically transmit protected health information. Examples include:  

  • Health insurance companies 

Business associates are companies that perform services on behalf of a covered entity and therefore have access to protected health information. Examples include:  

  • Billing and coding companies 

  • Attorneys 

  • Accountants 

  • Consultants 

  • Benefit management companies 

  • IT service providers, including Internet and phone system providers 

  • Medical transcription services 

What qualifies as PHI? 

Protected health information identifies an individual with their medical records, including lab results, medical histories and medical bills. There are 18 HIPAA identifiers: 

  1. Names 

  2. Geographic information 

  3. Dates 

  4. Phone numbers 

  5. Fax numbers 

  6. Email addresses 

  7. Social Security numbers 

  8. Medical record numbers 

  9. Health plan beneficiary numbers 

  10. Account numbers 

  11. Certificate or license numbers 

  12. License plate numbers and other vehicle identifiers 

  13. Device serial numbers and other identifiers 

  14. IP addresses 

  15. Web URLs 

  16. Biometric data such as fingerprints 

  17. Full face photos 

  18. Any other unique identifying number, characteristic or code 

Penalties for HIPAA violations 

The HHS Office for Civil Rights investigates HIPAA violations and has a tiered penalty system based on an organization's knowledge of each offense:  

  • Tier 1: No knowledge of the violation. Penalties range from $120 to $60,226 per violation, with a maximum penalty of $1,806,757 per year 

  • Tier 2: Reasonable cause. The company should have foreseen the violation. Penalties range from $1,205 to $60,225 per violation, with a maximum penalty of $1,806,757 per year 

  • Tier 3: Willful neglect, corrected. The company was negligent but corrected the issue within 30 days. Penalties range from $12,045 to $60,225 per violation, with a maximum penalty of $1,806,757 per year 

  • Tier 4: Willful neglect, not corrected. The company was negligent and did not correct the issue within 30 days. Penalties range from $60,226 to $1,806,757 per violation and a maximum penalty of $1,806,757 per year 

Depending on the nature of the violation, the Department of Justice could pursue criminal charges. Criminal penalties for HIPAA violations include: 

  • Up to $50,000 in fines and one year in prison for knowingly obtaining or disclosing PHI 

  • Up to $100,000 in fines and five years in prison for offenses committed under false pretenses 

  • Up to $250,000 in fines and ten years in prison for offenses committed with commercial or malicious intent 

Offenders are also subject to civil lawsuits from patients and others affected by HIPAA violations. Of course, avoiding monetary fines and potential imprisonment isn't the only reason to comply with HIPAA laws. Covered entities and business associates need to uphold their reputations, maintain trust and prevent opportunity costs associated with HIPAA violations. 

Next steps 

Learn more about what HIPAA means for your phone system in Part 2 of this guide. 

Cady Business Technologies is proud to be a Mitel Gold Partner.
