Healthcare providers must take many factors into consideration when choosing a phone service for their practice. The ability to effectively support patients, the provider’s business terms, and the reliability of the service are all essential factors. Another critical concern is HIPAA compliance.
Phone.com offers a HIPAA-compliant VoIP communications solution for our healthcare customers. Here are some of the questions we are most frequently asked.
What Information is Covered Under HIPAA?
Protected health information (PHI) includes any individually identifiable health information that is transmitted or stored in any form, including in-person conversations, electronic records, and physical documents by a Covered Entity (healthcare provider) or one of their Business Associates. Examples of PHI include:
- Patient demographic information like their name, address, birth date, and social security number.
- Information about the patient’s physical or mental health condition.
- Services provided to a patient.
- Billing and payment information.
The purpose of HIPAA is to ensure PHI is properly protected, while still allowing the information to be accessible when needed to ensure a high-quality healthcare experience.
What is HIPAA-compliant phone service?
Phone service that qualifies as HIPAA compliant must meet all of the tests that the regulation sets for safeguarding patients’ protected health information. The Privacy and Security Rules outline the requirements for protecting electronic protected health information.
The Privacy Rule
The Privacy Rule, also known as the Standards for Privacy of Individually Identifiable Health Information, forms the national standard for the protection of health information. The rule allows that health information is available to healthcare providers to provide optimal care to patients. In this way, the Privacy Rule seeks a balance that allows information to be used while also protecting the privacy of patients.
The Security Rule
The Security Rule, otherwise called the Security Standards for the Protection of Electronic Protected Health Information, sets the requirements for protecting certain health information that is stored or transferred in electronic form. This rule is the operational side of the protections contained in the Privacy Rule. It addresses the technical and non-technical measures that healthcare organizations designated as Covered Entities need to have in place to keep individuals’ health information protected.
A phone service that claims that it is HIPAA-compliant must consider all sources of electronic protected health information, including:
- Call recording: Telephone conversations are not considered protected information, but recordings may contain protected health information.
- Caller ID information: Even if a call is not recorded, the call log may link an individual to the healthcare practice and the types of services it provides.
- Voicemail: Anywhere communications are stored, there is potential for protected personal health information.
- Voicemail transcription: Transcribing voice messages into text accessible via email or SMS is convenient, but it also creates another source of data.
- Text messaging: Texts are convenient and useful, yet they offer another channel that may contain personal data.
- Electronic fax: Old-fashioned paper faxing doesn’t create stored data records, but electronic faxing does.
- Video conferencing: The video session itself may contain protected health information, as may any video recordings or transcripts.
Do I Need a Business Associate Agreement with My VoIP Provider?
A Business Associate Agreement (BAA) is a contract between a technology provider (considered a Business Associate) and another party that may be a Covered Entity like a hospital or doctor’s office, or it may be another Business Associate, like an insurance company, accounting firm, or IT contractor.
Any reputable VoIP provider that claims to be HIPAA compliant will enter into a Business Associate Agreement with you. This ensures that the vendor takes seriously their responsibility for the HIPAA compliance of the platform. It is required by law for HIPAA compliance.
A Business Associate Agreement has several essential requirements.
Annual Self-Audits and Remediation Efforts: To ensure that client PHI is adequately protected, business associates must conduct annual self-audits. By conducting self-audits, vulnerabilities in the provider’s administrative, technical, and physical protections are identified. To ensure HIPAA compliance, the vendor must address vulnerabilities with remediation efforts.
HIPAA Policies and Procedures: Implementing documented policies and procedures ensures that the vendor and their staff have guidance on the proper use and disclosure of protected health information, how ePHI in the organization is secured, and measures to take if there is a potential breach of information. These policies and procedures must be reviewed every year to account for any changes in business practices.
Annual Employee HIPAA Training: Every year, employees that have the potential to access ePHI must be trained on HIPAA, the organization’s HIPAA policies and procedures, and cybersecurity best practices.
Business Associate Agreements for Vendors: In the same way that phone systems providers are required to sign business associate agreements with their healthcare clients, they must also have signed BAAs with any other vendors that have the potential to access clients’ ePHI. Examples of business associates that a phone system provider might have include data centers, IT consultants, and many others.
Incident Response: Ongoing compliance efforts require that information breaches affecting PHI be reported to the Office for Civil Rights (OCR) and to all patients affected by the breach. If a breach affects 500 or more patients, it must also be reported to local media outlets and will be publicly posted on the OCR online breach portal.
Can VoIP phones be HIPAA-compliant?
Yes, VoIP phones can be HIPAA compliant, but they must meet the following requirements.
- Business Associate Agreement: As we described above, there must be a contract governing HIPAA compliance between the healthcare provider and the VoIP phone provider.
- Authentication: Every phone must be able to present a unique ID.
- Encryption: Transport Layer Security (TLS), virtual private networks (VPN), and other encryption technologies should be in place to safeguard data.
Is HIPAA Compliant Video Conferencing (Telemedicine) Possible?
Video-based healthcare services are becoming an important aspect of the healthcare landscape. Almost all states reimburse Medicaid patients for telemedicine services and most states require insurance providers to cover telehealth for provider reimbursement.
Telehealth services involve the transmission of protected health information and electronic protected health information. Whenever this type of information is transmitted, there is a risk that the information will be compromised. HIPAA compliant video conferencing provides protection against this risk.
The basic components of HIPAA compliance for video are:
End-to-End Encryption
End-to-end encryption of electronic health information protects the security of ePHI that is transmitted during a telehealth session. Video conferencing platforms should offer SSL/TLS encryption that can provide proxy and firewall traversal for a secured platform.
Secure Connection Verification
A secure connection established during a video conference protects PHI and other private information. Verification technology ensures that a genuine connection has been made to the correct server, and not to an imposter server. HIPAA compliant video conferencing employs this technology to ensure that if a secure connection cannot be established, the unsecured video encounter will not occur.
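The fail-closed behaviour described above (verify that the server is genuine, and if verification fails, do not proceed with an unsecured session) can be shown with standard-library TLS in Python. This is an added example, not Phone.com code; the function names, the TLS 1.2 floor and the optional CA bundle path are assumptions.

```python
"""Fail-closed TLS session setup for a telehealth client (added example,
not part of the original page or any vendor's platform)."""
import socket
import ssl
from typing import Optional

# Assumed policy: refuse anything older than TLS 1.2.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def strict_tls_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Build a client context that verifies the certificate chain and the
    hostname and enforces the TLS version floor.

    ca_bundle (assumed parameter) pins trust to a specific CA file instead of
    the system trust store; None uses the system store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True                 # certificate must match the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED       # untrusted or missing chain -> handshake fails
    ctx.minimum_version = MIN_TLS
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if every check that makes the connection 'genuine' is enabled."""
    return (
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= MIN_TLS
    )


def open_verified_session(host: str, port: int = 443,
                          ctx: Optional[ssl.SSLContext] = None,
                          timeout: float = 5.0) -> ssl.SSLSocket:
    """Return a verified TLS socket or raise.

    There is deliberately no fallback: a verification failure closes the
    raw socket and re-raises, so the caller cannot accidentally continue
    over an unverified or plaintext connection."""
    ctx = ctx or strict_tls_context()
    if not context_is_strict(ctx):
        raise ValueError("refusing to connect with a weakened TLS context")
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except ssl.SSLError:            # includes SSLCertVerificationError
        raw.close()
        raise
```

`open_verified_session` refuses to run at all if it is handed a context whose hostname or chain checks have been switched off, which is the usual way a "temporary" verification bypass ends up in production code.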
Password Controls
HIPAA compliant video conferencing must contain password controls. These controls ensure that passwords are of a minimum length and contain certain alphanumeric content (e.g., upper-case or lower-case letters, numbers, and/or symbols). Another type of password control is one that locks a user out after a number of unsuccessful logins.
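The two password controls just described, a complexity policy and a lockout after repeated failed logins, look like the following in Python. This is an added example, not Phone.com code or a description of any vendor's platform; the 12-character minimum, the five-attempt threshold, the 15-minute lockout and the PBKDF2 iteration count are assumed values, since the page states no numbers.

```python
"""Password policy plus lockout for a telehealth login (added example, not
part of the original page). Policy numbers below are assumptions."""
import hashlib
import hmac
import os
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

MIN_LENGTH = 12            # assumed minimum length
MAX_FAILED_LOGINS = 5      # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60  # assumed lockout duration
PBKDF2_ROUNDS = 100_000    # assumed work factor


def check_password_policy(password: str) -> List[str]:
    """Return the policy rules the password violates (empty list = accepted)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        violations.append("no upper-case letter")
    if not any(c.islower() for c in password):
        violations.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in string.punctuation for c in password):
        violations.append("no symbol")
    return violations


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    failed_logins: int = 0
    locked_until: float = 0.0   # clock value; 0.0 means not locked


class LoginGate:
    """In-memory account store with lockout. `clock` is injectable so the
    lockout window can be tested without sleeping."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._accounts: Dict[str, Account] = {}
        self._clock = clock

    def register(self, username: str, password: str) -> None:
        violations = check_password_policy(password)
        if violations:
            raise ValueError("password rejected: " + "; ".join(violations))
        salt = os.urandom(16)
        self._accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'. Unknown users are simply denied."""
        account = self._accounts.get(username)
        if account is None:
            return "denied"
        now = self._clock()
        if now < account.locked_until:
            return "locked"           # even a correct password is refused while locked
        candidate = hash_password(password, account.salt)
        if hmac.compare_digest(candidate, account.password_hash):
            account.failed_logins = 0
            return "ok"
        account.failed_logins += 1
        if account.failed_logins >= MAX_FAILED_LOGINS:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed_logins = 0
            return "locked"
        return "denied"
```

The lockout is enforced before the password is checked, so an attacker who keeps guessing during the window learns nothing, and the counter resets only on a successful login or when a lockout expires.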
Provider/Host Security Controls
Provider/host security controls allow a healthcare provider to lock out a videoconference or telehealth session until the host arrives. These virtual waiting rooms ensure that only the expected participants can join the session.
Is Text Messaging HIPAA Compliant?
Because most standard text messaging services are not encrypted, text messaging, like email, is not ideal for sharing protected health information. However, according to the US Department of Health and Human Services Office for Civil Rights (OCR), the agency tasked with HIPAA enforcement, health care providers may share protected health information with patients through standard text messages if they first warn their patients that texting is not secure, gain the patients’ authorization, and document the patients’ consent.
What about Faxing?
Much like SMS, outbound faxing that includes protected health information is allowed only with documented consent from the patient. Electronic inbound faxing is compliant as long as fax-to-email is disabled and the user must authenticate by signing in with a password to view the fax.
How Does Phone.com Ensure That Its Platform is HIPAA Compliant?
Phone.com has partnered with the leading HIPAA compliance consultant, formed by former auditors and privacy experts, to bring you a worry-free business communications system in the cloud.
Phone.com’s Pro and Plus video plans are secured using triple DES encryption, preventing unauthorized persons from breaking in or “ZOOM bombing” sessions. All data stored on Phone.com servers containing protected health information (PHI), such as voicemails with personal medical information, is safely encrypted while at rest.
Phone.com completes annual HIPAA audits and our employees must complete HIPAA training each year. Our physical locations and data centers are protected from unauthorized access.
We are happy to enter into Business Associate Agreements with Covered Entities or other Business Associates.