Making Sure Your VoIP Service is HIPAA Compliant

The Health Insurance Portability and Accountability Act (HIPAA) gives patients vital protections that keep their protected health information secure and confidential.

Healthcare providers must meet specific requirements that protect this data. A provider or institution that fails to comply is subject to hefty fines or even imprisonment. The technology used by healthcare providers and organizations must follow the regulations outlined in HIPAA. That includes every system a healthcare institution uses, from electronic health record storage to diagnostic devices that collect data and the business phone service the organization relies on.


What is a HIPAA-Compliant VoIP Phone System?

A HIPAA-compliant VoIP service must follow HIPAA rules because voicemails, call recordings and call-detail records are collected and stored as electronic information. When that information identifies a patient and relates to their health or care, it is ePHI (short for "electronic protected health information"), and its confidentiality, integrity and availability must be protected.

HIPAA reaches every industry, business and organization that comes in contact with a patient's protected health information. Many of these organizations never work with patients directly; they are simply part of the healthcare supply chain. Regardless, any company that handles patient data on behalf of a covered entity must comply with HIPAA.

Below are some types of organizations that are required to meet HIPAA guidelines:

  • Billing companies
  • Practice management firms
  • Third-party consultants
  • Electronic health record servicers
  • Managed service providers
  • IT companies
  • Faxing companies
  • Shredding companies
  • Physical storage providers
  • Cloud storage providers
  • Email hosting services
  • Attorneys
  • Accountants

HIPAA Requirements for VoIP Providers

For a VoIP phone system to be HIPAA compliant, it must meet both physical and network security requirements. While there are many rules and regulations to follow, the Security Rule requires that any technology used to store or transmit patient data:

  • Ensure and maintain the confidentiality, integrity and availability of all ePHI it creates, receives, maintains or transmits
  • Identify and protect against reasonably anticipated threats to the security or integrity of that information
  • Protect against reasonably anticipated impermissible uses or disclosures
  • Ensure compliance by the workforce, whether direct employees or contractors.

To comply with HIPAA, VoIP systems must meet the following requirements:

Access Control

Only authorized users may access ePHI. Every user should have a unique user ID (not a shared extension or desk login) so that access to voicemail, recordings and patient information can be traced to an individual and restricted to authorized team members.

Encryption

Patient information must be encrypted in transit and whenever it is shared. A HIPAA-compliant VoIP provider encrypts SIP signaling with TLS and call media with SRTP, or carries the traffic inside a VPN, and also encrypts stored voicemails and recordings, so that the Security Rule's encryption specifications are met. A VPN on its own only protects the hop it covers; calls that leave the tunnel toward the provider or the carrier need TLS and SRTP as well.
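Vendors describe encryption in brochures; a packet capture shows what the phones actually negotiated. The checker below, an added example and not Simplicity VoIP's code, reads a SIP INVITE and reports whether signaling used TLS and whether each media stream was offered as SRTP (with its key exchanged via an `a=crypto` SDES line or a DTLS `a=fingerprint`) rather than plaintext RTP. The two INVITEs are constructed (RFC 5737 documentation addresses and the example SDES key from RFC 4568), and the parser assumes full header names rather than the compact `v:` form.

```python
"""Check whether a captured SIP INVITE negotiates encrypted signaling and media.

Added example, not Simplicity VoIP's code. Both INVITEs are constructed
(RFC 5737 addresses, RFC 4568 example SDES key); the parser assumes full
header names (not the compact "v:" form).
"""
import re


def _msg(*lines):
    """Build a CRLF-terminated SIP message from its lines."""
    return "\r\n".join(lines) + "\r\n"


# Constructed: UDP signaling and plaintext RTP, a common out-of-the-box trunk.
WEAK_INVITE = _msg(
    "INVITE sip:2001@clinic.example SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    "From: <sip:frontdesk@clinic.example>;tag=1928301774",
    "To: <sip:2001@clinic.example>",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 2890844526 2890844526 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8 101",
    "a=rtpmap:0 PCMU/8000",
)

# Constructed: TLS signaling and SRTP media with an SDES key in the SDP.
HARDENED_INVITE = _msg(
    "INVITE sips:2001@clinic.example SIP/2.0",
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776asdhds",
    "From: <sips:frontdesk@clinic.example>;tag=1928301774",
    "To: <sips:2001@clinic.example>",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 2890844526 2890844526 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/SAVP 0 8 101",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20|1:32",
    "a=rtpmap:0 PCMU/8000",
)


def parse_sip(raw):
    """Split a SIP message into (start line, {header: [values]}, SDP body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def audit_invite(raw):
    """Return findings; an empty list means TLS signaling and SRTP on every stream."""
    findings = []
    _, headers, sdp = parse_sip(raw)

    # 1. Signaling: the top Via records the transport the sender used.
    via = headers.get("via", [""])[0]
    transport = via.split()[0] if via else "missing"
    signaling_tls = transport.upper() == "SIP/2.0/TLS"
    if not signaling_tls:
        findings.append(f"signaling: Via transport is {transport}, not TLS")

    # 2. Media: split the SDP at each m= line. The first chunk holds
    #    session-level attributes, which apply to every media stream.
    chunks = re.split(r"(?m)^(?=m=)", sdp)
    session_attrs, media_blocks = chunks[0], chunks[1:]
    if not media_blocks:
        findings.append("media: no SDP offer present")
    for block in media_blocks:
        fields = block.splitlines()[0].split()
        media, proto = fields[0][2:], fields[2]
        has_sdes = "a=crypto:" in block or "a=crypto:" in session_attrs
        has_dtls = "a=fingerprint:" in block or "a=fingerprint:" in session_attrs
        if proto in ("RTP/AVP", "RTP/AVPF"):
            findings.append(f"media {media}: plaintext {proto} offered")
        elif proto in ("RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"):
            if not (has_sdes or has_dtls):
                findings.append(f"media {media}: {proto} without a=crypto or a=fingerprint")
            # SDES puts the SRTP key in the SDP, so it is only as secret as the
            # signaling channel that carried it.
            if has_sdes and not signaling_tls:
                findings.append(f"media {media}: SDES key exposed over unencrypted signaling")
        else:
            findings.append(f"media {media}: unrecognised transport {proto}")
    return findings


if __name__ == "__main__":
    for name, msg in (("weak", WEAK_INVITE), ("hardened", HARDENED_INVITE)):
        print(name, audit_invite(msg) or ["ok"])
```

The last check is the one most often missed: `RTP/SAVP` with an `a=crypto` line looks encrypted in a trace, but if the INVITE travelled over UDP the key was sent in the clear and the SRTP protects nothing. Run the script against an INVITE exported from Wireshark or the provider's SIP trace to see whether the deployment matches the claims in the BAA.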

Call Logs

To meet HIPAA's audit-control requirements, the VoIP system must log all call data: call-detail metadata (caller, callee, time, duration) plus the administrative actions performed during or after a call, whether automatically or by an agent, such as playing or forwarding a voicemail or downloading a recording. Each entry must identify the user who acted, and the logs must be retained and reviewed regularly so that access to ePHI can be traced to an individual.

Business Associate Agreement

Any VoIP provider that works with an organization collecting or storing patient health data must enter into a HIPAA Business Associate Agreement (BAA). The BAA is a legally binding contract that sets out each party's compliance obligations, including how ePHI is safeguarded and how breaches are reported.

For additional information or to find answers to specific questions, you can check out the US Department of Health and Human Services HIPAA compliance website here.

The bottom line: your VoIP provider must be willing to sign a HIPAA Business Associate Agreement (BAA) with you. If they can't, you have no assurance that they are meeting HIPAA compliance obligations. Do not accept the argument that a phone provider is merely a "conduit": that exception is limited to pure transmission services, and a provider that stores your voicemails or call recordings is a business associate. Simplicity VoIP can enter into a BAA as discussed here.

VoIP and HIPAA: Best Practices

When assessing your current or potential VoIP provider, consider the following and determine if they comply with HIPAA regulations:

  • Turn off any functions or features that could send ePHI to an unauthorized person. For example, disable any feature that e-mails voicemail transcriptions or recordings to multiple users or to a shared mailbox.
  • Control data access: give each user a unique login, grant each role only the access it needs, and remove accounts promptly when staff leave.
  • Understand what data constitutes PHI, so that voicemails, recordings and call logs containing it are handled accordingly.
  • Use VoIP phones and softphones that require a unique ID for each user rather than a shared extension login.
  • Encrypt traffic in transit with Transport Layer Security (TLS) for signaling and SRTP for media, or carry it over a Virtual Private Network (VPN).
  • Always sign a BAA with your VoIP provider.
  • Ensure your call logging is up to standard: it should record all call data, including metadata and the administrative functions performed, and the logs should be reviewed regularly.
  • Ensure that your WiFi network is secure: WPA2 or WPA3 with strong authentication, and a separate voice VLAN or SSID for phones rather than the guest network.
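The Access Control and Call Logs requirements above, and the best-practice items on unique IDs, disabled transcript fan-out and call logging, can be checked against the log a provider actually exports. The script below is an added example, not Simplicity VoIP's code: it reads a hosted-PBX event log (one JSON object per line, a format and set of event names assumed here for illustration) and flags records that would fail an access review: ePHI touched under a shared desk login, access by a user outside the authorized list, records missing the fields needed to say who did what, and voicemail transcripts e-mailed to several recipients or to addresses outside the authorized mailboxes. The sample records and the authorized-user table are constructed.

```python
"""Audit a hosted-PBX event log against the access-control and call-logging
requirements: every ePHI access tied to an individual, authorized user; every
record carrying the metadata needed to reconstruct who did what; voicemail
transcripts not fanned out by e-mail.

Added example, not Simplicity VoIP's code. The JSON-lines format, event names,
sample records and authorized-user table are constructed for illustration; a
real PBX export will need its own field mapping.
"""
import json

REQUIRED_FIELDS = {"ts", "event", "user_id", "call_id"}

# Human actions that expose voicemail audio, recordings or their contents.
EPHI_ACCESS_EVENTS = {"voicemail.play", "voicemail.forward", "recording.download"}

# Logins shared by a desk or role: the log cannot say which person acted.
SHARED_ACCOUNTS = {"frontdesk", "admin", "nurse-station"}

# Constructed: user IDs cleared to handle ePHI, with their mailboxes.
AUTHORIZED = {
    "jdoe": "jdoe@clinic.example",
    "asmith": "asmith@clinic.example",
}

# Constructed sample export, one JSON object per line.
SAMPLE_LOG = """
{"ts":"2024-03-04T09:12:01Z","event":"call.inbound","user_id":"system","call_id":"c-1001","from":"+15550100","to":"2001","duration_s":48}
{"ts":"2024-03-04T09:15:30Z","event":"voicemail.play","user_id":"jdoe","call_id":"c-1001"}
{"ts":"2024-03-04T09:16:02Z","event":"voicemail.play","user_id":"frontdesk","call_id":"c-1001"}
{"ts":"2024-03-04T09:20:00Z","event":"transcript.email","user_id":"system","call_id":"c-1001","recipients":["jdoe@clinic.example","billing@clinic.example","ops@partner.example"]}
{"ts":"2024-03-04T09:21:00Z","event":"recording.download","call_id":"c-1001"}
{"ts":"2024-03-04T09:22:00Z","event":"recording.download","user_id":"intern7","call_id":"c-1001"}
"""


def audit_events(lines, authorized):
    """Return a list of findings; an empty list means every record passed."""
    findings = []
    allowed_mailboxes = set(authorized.values())
    for lineno, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            findings.append(f"line {lineno}: unparseable record")
            continue
        missing = REQUIRED_FIELDS - set(ev)
        if missing:
            # Without user_id and call_id the record cannot support an access review.
            findings.append(f"line {lineno}: missing fields {sorted(missing)}")
            continue
        user, event = ev["user_id"], ev["event"]
        if event in EPHI_ACCESS_EVENTS:
            if user in SHARED_ACCOUNTS:
                findings.append(f"line {lineno}: {event} by shared account {user!r}, "
                                "no individual accountability")
            elif user not in authorized:
                findings.append(f"line {lineno}: {event} by unauthorized user {user!r}")
        if event == "transcript.email":
            # The transcript is ePHI; it should reach only the mailbox owner.
            recipients = ev.get("recipients", [])
            if len(recipients) > 1:
                findings.append(f"line {lineno}: transcript e-mailed to {len(recipients)} recipients")
            unknown = sorted(r for r in recipients if r not in allowed_mailboxes)
            if unknown:
                findings.append(f"line {lineno}: transcript sent outside authorized mailboxes: {unknown}")
    return findings


if __name__ == "__main__":
    for finding in audit_events(SAMPLE_LOG.strip().splitlines(), AUTHORIZED):
        print(finding)
```

Point the script at a real export and each finding is a concrete item for the access review HIPAA expects: a shared login to retire, a user to remove from the recording role, a transcript-forwarding rule to switch off, or a record that the provider's logging should have captured but did not.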

Consequences of Non-Compliance with HIPAA

As mentioned previously, there are various penalties for failing to comply with HIPAA. They range from modest fines to lengthy prison sentences, depending on the severity of the violation and the intent behind it. The harshest penalties are reserved for knowing and willful violations. The consequences for organizations that violate HIPAA are best described in tiers.

HIPAA Violation Tiers

Civil penalties fall into four tiers based on the violator's level of culpability. The dollar amounts below are the statutory ranges set by the HITECH Act; HHS adjusts them for inflation each year, so the current figures are somewhat higher.

First Tier: The organization did not know about the violation and, even with reasonable diligence, could not have known. Fines range from $100 to $50,000 per violation, with an annual cap of $1.5 million for identical violations.

Second Tier: The violation had a reasonable cause; the organization would have known about it had it regularly exercised reasonable diligence and taken appropriate precautions, but it did not act with willful neglect. Fines range from $1,000 to $50,000 per violation, with an annual cap of $1.5 million.

Third Tier: The organization acted with willful neglect but corrected the violation within 30 days of discovering it. Fines range from $10,000 to $50,000 per violation, with an annual cap of $1.5 million.

Fourth Tier: The organization acted with willful neglect and failed to correct the violation within those 30 days. Fines start at $50,000 per violation, with an annual cap of $1.5 million.

Criminal charges can be brought against individuals or organizations that knowingly obtain or disclose protected health information in violation of HIPAA. The HHS Office for Civil Rights refers such cases to the Department of Justice, which prosecutes them; the penalties increase when the offense is committed under false pretenses or for commercial advantage, personal gain or malicious harm.

Essential VoIP Phone Features that Benefit Healthcare Clients

Sales and customer support teams need a capable tool for handling patient and customer communications effectively and efficiently. Simplicity offers advanced phone features that let teams power up their efforts and build a well-integrated communication system.

Below are a few critical features and functionalities Simplicity VoIP phone systems offer that support healthcare clients:

#1. Smarter Call Routing

You can rely on our call routing feature to meet inbound calling needs. It automatically routes high volumes of calls into specific queues based on customer requirements and relays them to the correct department or agent, and it sends callers to voicemail when no agent is available to answer.

#2. Multi-Layer IVR Menus

An Interactive Voice Response (IVR) menu is a non-stop, automatic attendant for your medical contact center. Callers can easily navigate your organization's IVR menu to reach the best or most relevant agent. Every inquiry gets resolved quickly, and customers can receive the best service possible. Check out our blog post, VoIP for Contact Centers: Do's & Don'ts of IVR Menus, for more information on setting up the best IVR menu for your business.

#3. SMS Campaigns

A VoIP phone system is not reserved for phone calls; it covers SMS and texting too. Simplicity also offers SMSPlus, which lets you send bulk SMS and manage campaigns with little effort.

For additional information on texting for business and the regulations that apply to it, check out our blog post here.

#4. CRM and Business Tool Integrations

SimplicityLink is a Computer Telephony Integration (CTI) product that allows a standard level of integration with a wide range of popular CRM systems designed to help you get the most out of your Simplicity hosted business VoIP system.

SimplicityLink lets end users work more collaboratively, getting information about callers quickly and efficiently. It is cost-effective and easy to install and maintain.

Our customer success team is here to help. If you have any questions about HIPAA compliance, sales, products or anything else, connect with us below and a member of our team will be in touch with you as soon as possible.

Request a Consult!