HIPAA Compliance for Voice Communications, Part 4: 10 Questions to Ask Your Phone System Provider

This is the final installment in a 4-part series on HIPAA compliance for voice communications. Part 1 offered an overview of HIPAA rules. Part 2 discussed what HIPAA means for phone systems. Part 3 covered commonly overlooked violations. In Part 4, we'll list critical questions to ask. 

Perhaps the easiest way to ensure your voice communications are HIPAA compliant is to partner with a phone system provider well-versed in the laws. Here are ten questions to ask any prospective provider. 

1. Do you have a documented HIPAA compliance policy? 

Your phone system provider is a business associate and should have its own policy. 

2. Do you provide a HIPAA compliance training program for employees? 

Phone system providers should train their employees annually.  

3. Do you have official certification from a third-party verifier? 

Anyone can claim to be HIPAA compliant. Third-party verifiers certify that your phone provider is genuinely compliant.  

4. Is HIPAA covered in your official onboarding plan? 

HIPAA compliance shouldn't be an afterthought or an add-on. Your phone system provider should already have a process to implement secure practices for covered entities and business associates.  

5. Are you willing to sign a BAA? 

A business associate agreement (BAA) outlines what PHI is shared and how that information is safeguarded, whether between a covered entity and a business associate or between a business associate and a contractor. If your provider isn't willing to sign a BAA, find one that is.

6. How do you protect PHI? 

Your provider should be able to tell you how they'll protect PHI via end-to-end encryption (for data in motion as well as at rest), virtual private networks, secure Wi-Fi or secure SIP trunking.

7. Are VoIP phones automatically authenticated? 

Each VoIP handset should have username and password authentication so that each user has a unique ID. 

8. What access controls do you use to ensure only authorized users can access PHI? 

Only authorized users should have access to PHI, and a good phone system provider offers tiered access control.  

9. Do you automatically maintain call logs? 

Call logs track each user's activity on the phone network. This lends accountability to each employee and helps organizations address potential violations.  

10. What experience do you have with covered entities and business associates?  

It's a good idea to work with a phone system provider with experience implementing HIPAA-compliant voice communications for similar organizations. Ask about their experience and ask for references to ensure you're working with a provider that knows how to keep your organization compliant.  

Next steps 

Speak with a trusted business phone solutions advisor who can help you implement and maintain HIPAA-compliant voice communications.  

Cady Business Technologies is proud to be a Mitel Gold Partner.

Our strong relationship with Mitel over many years allows us to offer the reliability and expertise your Mitel solution requires.
