Everything a medical practice or healthcare provider needs to know about HIPAA-compliant VoIP Service
Businesses of all types have long known the benefits of VoIP technology and have been switching from traditional analog phone systems for years. More recently, medical and healthcare providers have discovered those benefits and have made the same transition. VoIP offers HIPAA-covered entities the same benefits it offers other businesses, plus an additional set of their own. Learn about HIPAA-compliant VoIP service and the information you need to make an educated decision, specifically:
- What VoIP features may be subject to HIPAA?
- What makes a VoIP phone system HIPAA compliant?
- What is a Business Associate Agreement (BAA)?
To learn the benefits of VoIP and those that are unique to the healthcare industry, download our free white paper describing the benefits that our medical and healthcare clients realized after switching to VoIP.
Why the delay in migrating to VoIP?
The healthcare industry is one of the most regulated industries in the United States, overseen by a multitude of federal and state-level agencies. The regulatory process applies to nearly all healthcare providers, whether they are small businesses, insurance companies, organizations, or healthcare professionals.
Do regulations also apply to technology?
The regulatory process applies to all aspects of the healthcare industry, including the electronic health record, patient privacy, and security. These regulations address the communication and security of sensitive patient information and extend to the tools used by the industry to deliver care. In this case, these regulations apply to the technologies used to create, edit, and store patient data, including phone systems and services.
How does VoIP improve over traditional phone systems?
VoIP replaces the hardware making up a traditional analog phone system with software. The software is continually improving as well, resulting in the current generation of software being better than previous generations. Since the software is maintained in the "cloud", a HIPAA-compliant cloud, of course, your HIPAA-compliant phone system is continuously updated with the latest features and fixes.
What is VoIP?
VoIP allows you to make voice phone calls using a broadband Internet connection instead of a regular or analog phone line. Because of the increased reliability, cost savings, and numerous benefits that VoIP offers, businesses have been switching for a number of years now. For medical practices and other companies in the healthcare industry, the switch to VoIP services is recent.
Is VoIP HIPAA-compliant?
Neither a VoIP system by itself nor a cloud-based phone system provider by itself is HIPAA compliant. HIPAA compliance comes from the technology, policies, actions, and contracts that vendors put in place for data security, data privacy, and patient confidentiality.
What healthcare regulations apply to VoIP?
There are many layers of regulations that apply to the healthcare system. The regulation that applies to patient communication and VoIP is the Health Insurance Portability and Accountability Act of 1996, or HIPAA. This legislation mandates the protection of a patient’s personal health information, with significant penalties for access by unauthorized persons, including fines and imprisonment for the most egregious violators. HIPAA applies not only to “hard copy documents”, but also to digital files, including written data, video, and voice data communications, and to the systems that create and store such electronic communications. This electronic personal health information is called electronic protected health information, or ePHI.
What VoIP features may be subject to HIPAA?
Basically, any feature that creates or comes into contact with electronic patient data is subject to the Health Insurance Portability and Accountability Act, including:
- FAX to email: FAX to email functionality that creates and stores PHI and personal medical information.
- Voicemail transcription: Functionality that records calls, transcribes voicemail to text, and sends voice data via text or email.
- Voicemails: Voicemails or call recordings stored in a VoIP phone system contain health information (ePHI).
- Unified communications: When VoIP is integrated with other features including chat, email, and video, it is all protected health information, and subject to HIPAA.
- Call recording: HIPAA only applies to data recorded and stored by the system. A system that merely facilitates phone calls may not be subject to it.
What makes a VoIP phone system HIPAA compliant?
For VoIP phones to be HIPAA-compliant, they should have the following capabilities:
- Encryption: Virtual Private Networks (VPN), Transport Layer Security (TLS), and other high-level encryption technologies must be used to protect personal data.
- Authentication: Phones must be able to present a unique user ID.
- Call Logs: VoIP phones must have the ability to record call data, including metadata and administrative functions. This includes voicemail, appointment reminders, text messages, automated messages, video, email, or any other form of ePHI.
- Role-based access controls: The system should use them for administration.
While these factors apply to the technology, there are factors that apply to the VoIP provider.
What should I look for in HIPAA-compliant VoIP providers?
Some of the factors that a HIPAA-compliant VoIP provider should offer include:
- A Business Associate Agreement: A cloud-based VoIP provider that deals with protected health information must enter into a HIPAA Business Associate Agreement, a contract that defines the compliance obligations under HIPAA.
- Secure data centers: Data centers need to be in very secure and controlled environments with limited access.
- Training: Regular and ongoing training for staff and customers on HIPAA and related HIPAA features.
- Security: Monitor and enforce network security.
- Reporting: The system should be able to create customized activity reports that are essential for the HIPAA documentation process.
Compliant VoIP systems and the cost savings that come with them open doors to new possibilities such as HIPAA-compliant call centers.
Does HIPAA compliance extend to call centers and vendors?
Much larger healthcare providers seek to consolidate their call centers into a single operation managed by the organization itself or by an outside vendor. Whether the call center is internal or outsourced to a vendor, it is still subject to HIPAA. Even if the vendor is an answering or call-forwarding service serving the healthcare industry, VoIP HIPAA compliance still applies.
What responsibilities do VoIP service providers have when it comes to HIPAA?
Service providers must have protocols in place for processing, storing, or transmitting protected health information directly or on behalf of the healthcare organizations they are servicing. They are subject to the same Privacy and Security Rules as the healthcare organization itself. Who is ultimately responsible for ensuring compliance with HIPAA? It is the healthcare provider itself, not the outside vendor.
Are there additional benefits to a HIPAA-compliant call center?
For healthcare providers, HIPAA compliance that starts with a compliant phone system opens the door to additional benefits beyond the standard cost savings. With VoIP as the base layer, additional functionality can be layered on top of it, adding not only new capabilities but additional benefits as well. Some of these benefits include consolidation of resources, economies of scale, and better communication cycles, possibly resulting in better patient care.
Examples of functionality that can be integrated with VoIP include:
- HIPAA-compliant texting in call centers enables on-call physicians to receive patients' PHI on the go.
- Delivery notifications and read receipts eliminate the need for follow-up messages.
- Imaging electronic media and patient histories integrated with secure text messages
What risks do VoIP providers pose to healthcare providers?
In the years since HIPAA went into effect, the Office of Civil Rights, the Department of Health and Human Services agency responsible for HIPAA enforcement, has handed down significant penalties for violations.
Why the penalties?
Covered entities did not have business associate agreements in place with vendors or business associates who handle protected information.
What is a business associate agreement (BAA)?
A business associate agreement, or BAA, is a written agreement that specifies each party’s responsibilities when it comes to PHI.
HIPAA requires covered entities to work only with business associates that protect PHI. These assurances have to be in writing in the form of a contract between the HIPAA covered entity and vendor, including your VoIP provider.
What must a BAA include?
According to HHS, the BAA must include the following information:
- Describe the permitted and required PHI uses;
- Provide that the vendor will not use or further disclose PHI other than as permitted or required by the contract or by law;
- Require the vendor to use appropriate safeguards to prevent inappropriate PHI use or disclosure.
Who are some HIPAA-compliant VoIP providers?
While there are several VoIP providers serving HIPAA-covered entities, they make up a fraction of total service providers. As a result, a healthcare provider should have a due diligence process to assess compliance.
We can't speak to other providers, but we have been providing HIPAA-compliant phone solutions and services to healthcare customers throughout Southern California for over 30 years. As a result, we know HIPAA and VoIP security, and we have training programs in place for staff.
We understand business phone systems, including VoIP business phones. We have implemented several HIPAA-enabled phone and VoIP systems for healthcare clients throughout Orange County and Southern California. Telesupply can help you determine the best course of action to implement a HIPAA-compliant VoIP-based call center solution and services for your healthcare organization.
Contact us today or call (562) 333-3100 for your free consultation.
Telesupply has been doing business phone system installations throughout Southern California, including Los Angeles and Orange Counties, for almost 30 years and VoIP business phone system installations for nearly 20 years. Many of our clients include leading medical and healthcare providers.