HIPAA Compliance for Voice Communications, Part 2: What HIPAA Means for Your Phone System

This is Part 2 of a 4-part series on HIPAA compliance for voice communications. Part 1 offered an overview of HIPAA rules. In Part 2, we'll discuss what HIPAA means for your phone system. 

Understanding HIPAA rules and who must follow them is the first step toward compliance. The next is implementing policies that ensure your organization protects and secures PHI in your voice communications. Here's how HIPAA applies to your phone system. 

You have a responsibility to secure protected health information 

Whether you're a covered entity or a business associate, protecting PHI is paramount. That means keeping data secure. Business phone systems transfer and store data. Voice traffic is packetized and carried over the same infrastructure as other data, so the same mitigations and policies that protect other network data apply to phone systems.

  • With on-premises phone systems, you have physical devices on-site, and they must adhere to the same policies as other devices in the data network

  • With cloud-based phone services, your provider should have HIPAA certification. Ask if your provider's data storage practices comply with HIPAA guidelines and ensure they have policies for who can access data, how they can access it and why they can access it. Note that there might be additional considerations for remote workforces 

Ultimately, the onus is on you to ensure your organization and your business associates are HIPAA compliant. That means you should ask your business telecom solutions provider to: 

  • Sign a business associate agreement (BAA) 

  • Encrypt data using technology such as TLS, VPN, secure WiFi and secure SIP trunking 

  • Set up authentication so that each phone has a unique user ID and only authorized employees can access PHI 

  • Maintain call logs that record call metadata and administrative actions, so that access to PHI can be audited

  • Ensure employees and any contractors comply with HIPAA guidelines 

Common sources of PHI in phone systems 

If you're a covered entity or business associate, protected health information likely lives on your phone system.

Call recording 

Call recording requires storage and falls under HIPAA compliance guidelines. If calls are recorded on an on-site server, that server must meet all the requirements of any other data server that stores customer information.  

Remember that saved phone conversations are no less PHI than prescription information, medical forms or health records. As far as HIPAA is concerned, they're the same.  

Voicemail and voicemail transcriptions 

The same data security standards apply to voicemail and voicemail transcriptions, which are stored electronically and subject to HIPAA laws.  

Caller ID 

Caller ID can link a patient to a hospital, clinic or doctor's office and the type of care they're receiving. If this information isn't securely stored, it could be a HIPAA violation.  

Unified communications 

PHI can be shared and stored over unified communications. Chat is often embedded within the phone system's functionality and falls under HIPAA guidelines, especially when saving and retrieving conversation histories. Wherever conversations are stored, that medium must adhere to HIPAA with proper access, password and storage controls. 

The same applies to video conferences such as telehealth appointments. Email is likewise covered, though that responsibility might land on a third-party email provider, not your phone system provider. 

Text/SMS 

Any protected health information sent via text message is subject to HIPAA laws and must be secured.  

Fax to email 

Though traditional faxing doesn't store PHI, fax to email services automatically convert faxes to stored data that needs to be secured.  

Next steps 

Learn how to avoid commonly overlooked HIPAA violations in Part 3 of this guide.

Cady Business Technologies is proud to be a Mitel Gold Partner.