Many years ago, the federal government issued guidance that clarified that traditional analog phone systems are NOT subject to the HIPAA Security rule provisions. So, what about your VoIP phone system? Many companies, schools, and government agencies have moved to VoIP service. It is estimated that by 2017 that more than 50% of the calls that will be made in the United States will be over a VoIP-based system. VoIP is a method for taking analog audio signals and turning them into digital data that can be transmitted over the internet instead of traditional analog phone lines. Does patient information stored and processed by these phone systems constitute electronic Protected Health Information?
Note that part of this definition changed with the 2013 Omnibus Rule changes, and states “Certain transmissions, including of paper, via facsimile, and of voice, via the telephone, are not considered to be transmissions via electronic media, if the information being exchanged did not exist in electronic form immediately before the transmission”.
The implementation specifications in the HIPAA rule that apply to the software include:
The HIPAA Final Omnibus Rule has an extensive explanatory discussion by the Department of Health and Human Services (HHS). It talks about the “mere conduit” exception, where a service provider only passes through protected health information. A phone-only service would be a mere conduit. But with voicemail and call recording—two facets of most VoIP-enabled unified communications services—it goes beyond that. HHS emphasized that persistent data storage means an entity is “maintaining” protected health information, and thus triggers Business Associate status. Also, HHS says in that document that the mere conduit exception is a narrow one. So, there is no doubt that HHS is going to conclude that VoIP providers’ services are HIPAA-regulated, and “conduit service” is not going to get anyone off the hook. Companies doing business with non-compliant VoIP providers are probably not going to “get a break” on this one, either.
Your VoIP phone system with Carolina Digital is the hosted application, and you need to assess risks during your risk assessment, conduct the appropriate security evaluation, and document compliance. Carolina Digital makes sure the data you store on our servers in our secure data center is secure and is only accessible by you and your authorized agents. If necessary for your company to have Carolina Digital enter into a Business Associate Agreement in order to be compliant with your privacy policies and further in compliance with HIPAA we have drafted a Sample Business Associate Agreement for your review. After reviewing this sample agreement, the management team at Carolina Digital will tailor an agreement for your specific requirements. Any legal document you sign, we recommend you have reviewed by your legal counsel. Likewise, we have two attorneys that review all documents we enter into. The Sample Business Associate Agreement we have provided is a template only and is not for signatures.