HIPAA Compliance

The landscape of VoIP adoption and its implications for HIPAA compliance has evolved significantly since the federal government’s initial guidance on traditional analog phone systems. VoIP phone systems are indeed subject to HIPAA Security Rule provisions, as they handle electronic Protected Health Information (ePHI).

Business VoIP use has grown exponentially, with the global VoIP market projected to reach $508.7 billion by 2030. As of 2024, 70% of businesses had already integrated VoIP into their communication strategies, with small and medium-sized businesses driving significant growth.

VoIP technology converts analog audio signals into digital data transmitted over the internet. In healthcare settings, this digital data often includes patient information, which constitutes ePHI and falls under HIPAA regulations. Healthcare providers using VoIP must ensure their systems are HIPAA-compliant to protect patient data during transmission, storage, and access.

Note that part of this definition changed with the 2013 Omnibus Rule, which states: “Certain transmissions, including of paper, via facsimile, and of voice, via the telephone, are not considered to be transmissions via electronic media, if the information being exchanged did not exist in electronic form immediately before the transmission”.

What features does HIPAA look for in a VoIP-based telephone system?

The implementation specifications in the HIPAA rule that apply to the software include:


Be wary of VoIP providers offering conduit services without BAAs

The HIPAA Final Omnibus Rule has an extensive explanatory discussion by the Department of Health and Human Services (HHS). It talks about the “mere conduit” exception, where a service provider only passes through protected health information. A phone-only service would be a mere conduit. But with voicemail and call recording—two facets of most VoIP-enabled unified communications services—it goes beyond that. HHS emphasized that persistent data storage means an entity is “maintaining” protected health information, and thus triggers Business Associate status. Also, HHS says in that document that the mere conduit exception is a narrow one. So, there is no doubt that HHS is going to conclude that VoIP providers’ services are HIPAA-regulated, and “conduit service” is not going to get anyone off the hook. Companies doing business with non-compliant VoIP providers are probably not going to “get a break” on this one, either.

Carolina Digital Phone and Business Associate Agreement (BAA)

Your VoIP phone system with Carolina Digital is the hosted application, and you need to assess its risks during your risk assessment, conduct the appropriate security evaluation, and document compliance. Carolina Digital makes sure the data you store on our servers in our secure data center is secure and accessible only by you and your authorized agents. If your company needs Carolina Digital to enter into a Business Associate Agreement in order to comply with your privacy policies and with HIPAA, we have drafted a Sample Business Associate Agreement for your review. After you review this sample agreement, the management team at Carolina Digital will tailor an agreement to your specific requirements. We recommend that you have your legal counsel review any legal document you sign. Likewise, we have two attorneys who review all documents we enter into. The Sample Business Associate Agreement we have provided is a template only and is not for signatures.

Resources to determine how your business can be HIPAA compliant:
