Many years ago, the federal government issued guidance clarifying that traditional analog phone systems are NOT subject to the HIPAA Security Rule provisions.
So, what about your VoIP phone system? Many companies, schools and government agencies have moved to VoIP service. It is estimated that by 2017 more than 50% of the calls made in the United States will be placed over a VoIP-based system. VoIP is a method for taking analog audio signals and turning them into digital data that can be transmitted over the internet instead of over traditional analog phone lines. Does patient information stored and processed by these phone systems constitute electronic Protected Health Information?
By definition, electronic Protected Health Information (ePHI) is data which is transmitted or maintained on electronic media. Electronic media is defined as either:
Note that part of this definition changed with the 2013 Omnibus Rule changes, and states “Certain transmissions, including of paper, via facsimile, and of voice, via the telephone, are not considered to be transmissions via electronic media, if the information being exchanged did not exist in electronic form immediately before the transmission”.
Note the wording above that represents the changes made by the Omnibus Rule in January 2013. For VoIP systems that do not include voice mail (which eliminates just about every VoIP service provider) there might be room for debate over whether the information handled by the VoIP system meets the definition of electronic Protected Health Information, since a live call that was never stored electronically is exempted by the language quoted above. However, voice mails are clearly stored on computer hard drives or other electronic storage material, and so are ePHI. Some might therefore argue that a VoIP system without voice mail falls closer to the exemption and is easier to bring into compliance with the HIPAA guidelines.
The implementation specifications in the HIPAA rule that apply to software include:
The HIPAA Final Omnibus Rule has an extensive explanatory discussion by the Department of Health and Human Services (HHS). It discusses the “mere conduit” exception, which applies to a service provider that only passes protected health information through. A phone-only service would be a mere conduit. But with voicemail and call recording, two features of most VoIP-enabled unified communications services, the provider goes beyond that. HHS emphasized that persistent data storage means an entity is “maintaining” protected health information, which triggers Business Associate status. HHS also states in that document that the mere conduit exception is a narrow one. So there is little doubt that HHS will conclude that VoIP providers’ services are HIPAA-regulated, and that “conduit service” is not going to get anyone off the hook. Companies doing business with non-compliant VoIP providers are probably not going to “get a break” on this one, either.
Your VoIP phone system with Carolina Digital is a hosted application, so you need to assess its risks during your risk assessment, conduct the appropriate security evaluation and document compliance. Carolina Digital makes sure the data you store on our servers in our secure data center is secure and is accessible only by you and your authorized agents. If it is necessary for your company to have Carolina Digital enter into a Business Associate Agreement in order to comply with your privacy policies and with HIPAA, we have drafted a Sample Business Associate Agreement for your review. After you have reviewed this sample agreement, the management team at Carolina Digital will tailor an agreement to your specific requirements. We recommend that you have any legal document you sign reviewed by your legal counsel; likewise, we have two attorneys who review all documents we enter into. The Sample Business Associate Agreement we have provided is a template only and is not for signature.