Since 1996, HIPAA has served as a legal means of protecting sensitive patient details. With the rapid increase of tech-based recordkeeping and communication, HIPAA regulations continue to ensure easy access to patient information while maintaining personal privacy.
Many VoIP providers, including Nextiva and RingCentral, are themselves HIPAA compliant, but that’s not necessarily enough to guarantee your business has all the required elements in place.
There’s one additional critical step you must take in order to have fully HIPAA compliant VoIP — a business associate agreement that upholds the vendor to the highest level of privacy and security protocols.
DOWNLOAD: This HIPAA Policy from TechRepublic Premium
What to include in a BAA for HIPAA compliant VoIP
Sometimes also called a business associate contract, a BAA is required by the Department of Health and Human Services (DHHS) for all communication between medical professionals and their business associates — including VoIP vendors.
According to the DHHS, this contract must include terms that require the vendor to:
- Establish how and when it may lawfully use or disclose protected information.
- Take necessary steps to prevent unlawful access to personal health information (PHI), whether electronic or otherwise.
- Report to you any potential or actual security breaches.
- Comply with your PHI requests on behalf of a patient or regulatory entity.
- Comply with all DHHS requests regarding its internal practices, accounting, and records relating to HIPAA regulations.
- Return or destroy all PHI related to your business, should you terminate the BAA.
- Hold all subcontractors to the terms of the BAA.
- Allow you to terminate your contract if any BAA terms are violated.
When HIPAA rights have been violated, the DHHS takes into account whether or not your business knew about any potential risks or non-compliance. So, having a BAA in place shows that you have taken all necessary steps to ensure vendor compliance.
If you experience a PHI breach due to a VoIP provider’s mistake and you haven’t signed a BAA, then you can be held legally responsible.
Depending on the specific violation and your degree of accountability, the DHHS Office for Civil Rights can impose fines as high as $1.9M with possible jail time. Additionally, you may face the possibility of lawsuits from any patients who were affected by the breach.
To help simplify the process of establishing a BAA with vendors and other entities, the DHHS provides a sample contract you can use as a guideline.
What else is required for HIPAA compliant VoIP?
As technology continues to evolve, the DHHS has implemented further HIPAA protections to safeguard all types of PHI, including electronic documents and genetic information.
The department has issued stipulations requiring all entities — including business associates, vendors, and others — to notify affected parties about any security breaches, along with a tiered system for imposing penalties.
In light of these changes, every HIPAA compliant VoIP vendor should follow modern best-practice protocols in addition to signing a BAA.
When it comes to maintaining maximum security and privacy while preventing potential PHI breaches, aspects to look for include:
- End-to-end data encryption that ensures any intercepted PHI cannot be readily deciphered.
- Restricted access and additional authentication measures ensure that only trained, designated personnel can view sensitive information.
- Call logs and/or call analytics that track user data in an effort to uphold the confidentiality, integrity, and security of electronic PHI.
If your VoIP vendor has taken all of the above measures, no additional steps are required in order to ensure HIPAA compliance for video, call recording, or telehealth-related services.
However, as telehealth becomes a more frequent practice, you and your patients may want to consider additional security features such as automatic session termination or lock out after a period of inactivity.
HIPAA-compliant VoIP providers
HIPAA compliance is an asset to many of today’s VoIP customers, so most providers take the necessary steps to ensure they meet the requirements.
Nextiva and RingCentral are two of my favorites, but I encourage you to check out our full VoIP buyer’s guide for more information on all of the top vendors on the market — most of which offer HIPAA compliant VoIP solutions.