What is meant by conduit? Are VOIP solutions part of it?
As explained by the HIPAA Journal, a publication dedicated to advice and education around HIPAA compliance, the conduit exception rule establishes certain entities as “conduits.” This means that they do not store, analyze, or otherwise access PHI. They simply transmit it between two endpoints.
Though they are often misclassified as such, VOIP services are not conduits.
They facilitate the electronic transmission of healthcare data in audio form. Moreover, they store such data through voicemail services and call recording. Some VOIP services even include text chat and file sharing as value-added features.
In other words, if you are a care provider or covered entity, you need to seek a compliant VOIP solution. Otherwise, you are violating HIPAA and failing in your duty of care to your patients. Look for a VOIP provider that offers the following:
- Every physician and staffer who uses your VOIP software should have a unique user ID with multiple methods of authentication.
- As an addendum to the above, access to your VOIP software and any files within it should be strictly controlled and limited to those who absolutely need it to do their jobs.
- Encryption of active phone calls, audio logs, and voicemail. AES encryption with a 128-, 192-, or 256-bit key is recommended.
- The ability to search for and audit the activities of all users in the system.
- The VOIP provider must be willing to sign a HIPAA Business Associate Agreement.
It’s easy to miscategorize VOIP software as a conduit. However, it’s subject to all the same rules as email, SMS, or fax. You need to be aware of that, lest you find yourself suffering a hefty financial penalty.