BMN Blog

VoIP is a game-changer for the healthcare industry’s communication landscape, allowing for quicker, more reliable communication. However, it also brings with it a multitude of HIPAA concerns that can be confusing to navigate.

“VoIP is a wonderful tool for communicating until it’s not set up correctly and costs a company thousands in HIPAA fines,” says Robbie Morris, who is a cybersecurity expert with the C Spire. Among VoIP’s rich features are voice messages transcribed into email, call recording, fax to email and more. However, these features also create electronic data of patient information. “When electronic data containing confidential patient information is created and stored on the VoIP system, it is subject to HIPAA compliance,” Morris says. “But there is no need to be alarmed if your VoIP provider is knowledgeable and capable of protecting this data. You just need to make sure that they have the expertise to keep you compliant.”

Protecting VoIP’s Electronic Data

The VoIP features that can create electronic patient data are:

• Voicemail transcription: Transcribes voice message to text and sends the info via email or text.
• Fax to email: Traditional faxing doesn’t create electronic data, but fax to email can create stored electronic patient data.
• Voicemail: These messages are electronic data that is stored in a VoIP phone system.
• Call recording: Talking on the phone doesn’t create electronic data but it can if VoIP is used to record the conversation.
• Unified communications: When VoIP is paired with unified communications, features such as instant messaging can be enabled. Stored chat histories are considered electronic data.

“Some VoIP providers simply turn off these features to ensure a healthcare organization is compliant. Not using features that you likely paid for is not a good solution and reduces the usefulness of VoIP as a communication tool. If you have partnered with a smart hosted voice provider, you can ensure it is HIPAA compliant,” Morris says.

Steps that all VoIP providers should take to keep patient data safe:

• Phones must be authenticated with a unique ID. That involves a specific username and password assigned to each phone.
• Stored data such as call recording and chat logs should be encrypted.
• Detailed call records should be maintained.
• The system should have role-based access controls for administration.

“The C Spire Business team takes additional steps to ensure HIPAA compliance with the organizations we are in partnership with,” Morris says.

Steps C Spire takes to ensure HIPAA compliance:

• Business Associate Agreement: This agreement says we agree to work with a company to help them be compliant. In other words, we are in it together to make a business compliant.
• Risk assessments: Our team of ethical hackers regularly analyze the VoIP network.
• Data Centers: The physical security in our data centers is tightly controlled.
• Security: We enforce and monitor network security via segmentation, password management, and access control monitoring.
• Implementation: Secure implementation of a VoIP solution is key. Our team of in-house experts ensures the system was setup correctly from the beginning.
• Training: We offer regular training to our healthcare customers on VoIP features, ensuring the full system is being used safely.
• Reporting: The VoIP system can pull customized activity reports, which are important for HIPAA documentation efforts.

Learn how C Spire can help your organization be successful by contacting us at ask@cspire.com.

CONSIDER IT MANAGED. C Spire Business is the nation’s first full-stack managed solutions provider, capable of offering advanced connectivity, cloud, software, hardware, communications, professional services, cybersecurity, business continuity, and technology support in a single, seamless IT solution portfolio. The result is smarter. Faster. More secure. From desktop to data center, we meet you wherever you are and take on your biggest technology challenges.