Marco Cerri - 9 July, 2019 - 4 min read

How to ensure your VOIP solutions don’t violate healthcare regulations.

In this guest post by Max Emelianov of HostForWeb, we go into the details of the implications of the HIPAA (Health Insurance Portability and Accountability Act), understanding how to make sure that your Voice over Internet protocol solution does not violate the rules on the management and exchange of sensitive data.

HIPAA: what you need to know to stay out of trouble.

HIPAA has evolved a great deal since 1996. Today, it includes far-reaching requirements related to the storage and transmission of all electronic health information, including audio recordings. That means that if you are a care provider, your phone lines need to be compliant, same as any other system. Here’s how. 
Duty of care is about more than patient outcomes. It’s about more than ensuring the health and safety of the people your organization treats. It’s also about protecting their personal information from those who would use it for ill.
And they are many. Per cybersecurity and managed services provider Trustwave, a single healthcare record may be worth as much as $250 on the black market. Comparatively, the maximum value for a credit card sits somewhere around $5.40. 
The numbers alone speak for themselves, even before accounting for the fact that the past several years have seen some of the largest healthcare data breaches in history. Together, they account for tens of millions of patient records. Tens of millions of people who are now potential victims of identity theft and fraud.
It is clear that healthcare organizations need to do better. Stricter compliance with the Health Insurance Portability and Accountability Act (HIPAA) and good security hygiene are non-negotiable in today’s health landscape. When it comes to the storage of electronic protected health information (ePHI), there can be no compromises.
We will assume you have already taken the necessary steps to protect your ePHI. That you already have strong encryption, comprehensive access controls and policies, activity logs, and other administrative safeguards in place.
This should be the starting point for healthcare organizations, whether covered entities or primary care providers. Patient data must be treated with the utmost care and strictly controlled. Even in light of this, there’s one area care providers frequently seem to overlook. 
Their phones.
According to a study published by Market Research Future, healthcare represents a major player in the Voice over Internet Protocol (VOIP) market. Hospitals are increasingly turning to VOIP phone systems in lieu of traditional landlines. They are more efficient, easier to install and maintain, and can be integrated with software platforms such as patient management systems. 
Perhaps more importantly, most VOIP solutions can be readily used via smartphone, a technology which has become as ubiquitous in the healthcare industry as it has elsewhere. 

Here’s where things get problematic. As you may know, HIPAA doesn’t really touch on phone calls. Instead, it includes something known as the Conduit Exception Rule.

What is meant by conduit? Are VOIP solutions part of it?

As explained by the HIPAA Journal, a publication dedicated to advice and education around HIPAA compliance, the conduit exception rule establishes certain entities as “conduits.” This means that they do not store, analyze, or otherwise access PHI. They simply transmit it between two endpoints.
It is important to note that there are still rules and regulations around the transmission and discussion of PHI via phone. These are, however, courtesy of the Federal Communications Commission. They are not directly covered in HIPAA. 
Though they are often misclassified as such, VOIP services are not conduits. 
They facilitate the electronic transmission of healthcare data in audio form. Moreover, they store such data through voicemail services and call recording. Some VOIP services even include text chat and file sharing as value-added features. 
In other words, if you are a care provider or covered entity, you need to seek a compliant VOIP solution. Otherwise, you are violating HIPAA and failing in your duty of care to your patients. Look for a VOIP provider that offers the following: 
  • Every physician and staffer who uses your VOIP software should have a unique user ID and support for multi-factor authentication.
  • As an addendum to the above, access to your VOIP software and any files within should be strictly controlled, limited only to those who absolutely need it to do their job.
  • Encryption of active phone calls, audio logs, and voicemail. AES 128-, 192-, or 256-bit encryption is recommended.
  • The ability to search for and audit the activities of all users in the system.
  • The VOIP provider must be willing to sign a HIPAA Business Associate Agreement. 
It’s easy to miscategorize VOIP software as a conduit. However, it’s subject to all the same rules as email, SMS, or fax. You need to be aware of that, lest you find yourself suffering a hefty financial penalty. 

The Imagicle Call Recording solution, with three recording modes (Always On, On Demand and Live Keep), advanced user profiling, data encryption, an audit trail and a customizable retention period, lets you decide exactly what to record, keep full control over the data and work safely without worrying about breaking the rules.
If you don’t know it yet and you deal with sensitive data, this is a good time to start. Enjoy it!

About the Author.
Max Emelianov started HostForWeb in 2001. In his role as HostForWeb’s CEO, he focuses on teamwork and providing the best support for his customers while delivering cutting-edge web hosting services. 
