Is Grasshopper HIPAA Compliant?

Grasshopper is a virtual phone system that allows businesses to manage calls and messages from multiple devices. As a cloud-based service, it stores and transmits data, which makes it subject to HIPAA regulations when used by a healthcare organization.

For software to be HIPAA compliant, appropriate administrative, physical, and technical safeguards must be in place to protect electronic protected health information (ePHI). HIPAA safeguards prevent unauthorized access to or disclosure of ePHI. The software provider must also sign a Business Associate Agreement (BAA) before ePHI is transmitted through, or stored on, the platform.

Examining Grasshopper’s Privacy Policy

Grasshopper’s privacy policy states that it collects personal information from its users, including name, contact information, and payment details. However, there is no mention of how the service handles health information, which is essential in determining HIPAA compliance. 

If Grasshopper does handle health information, it is important for the service to be HIPAA compliant to ensure that sensitive data is adequately protected. Additionally, HIPAA compliance is essential for businesses that work with healthcare providers or other entities that handle sensitive health information. In such cases, HIPAA compliance is necessary to maintain legal and ethical standards.

Why Grasshopper is Not HIPAA Compliant

Grasshopper’s website notes that it is not HIPAA compliant and that employees of the support team have access to account data and settings to assist with technical problems. All communications that go through Grasshopper’s calling, texting, and faxing functions are included in this access.

Based on this, it is conceivable that unauthorized parties could access protected health information (PHI) if Grasshopper were used by a healthcare organization. There are also several other reasons why Grasshopper is not HIPAA compliant.

No Business Associate Agreement

Under HIPAA regulations, any vendor or service provider that deals with PHI must sign a Business Associate Agreement (BAA) with their covered entity (CE) clients. A BAA establishes terms and conditions of how PHI will be handled and protected. Grasshopper does not offer a BAA to its customers, which means they are not legally bound to comply with HIPAA regulations. This leaves your healthcare business vulnerable to potential breaches and violations.

Risk of Unauthorized Access

Grasshopper relies on third-party vendors to provide its services, which means that any data you pass through its system could be accessed by those vendors. Without a BAA in place, there is no guarantee that these third-party vendors are HIPAA compliant or even have the necessary safeguards in place to protect PHI from unauthorized access. This puts your patients’ privacy at risk and could result in significant penalties for your business if a breach were to occur.

Lack of Encryption

Encryption is an essential element in the protection of PHI. It is the process of converting data into a form that can only be read with a key or password. Unfortunately, Grasshopper does not offer encryption for its phone calls or messages, which means that hackers can easily intercept those communications.

Limited Control Over Data Storage

When you use Grasshopper, you have very little control over where your data is stored. It may be stored on servers located outside of the United States, which could potentially violate HIPAA regulations. Moreover, it can be difficult to know exactly where your data is at any given time, which means that it could be vulnerable to unauthorized access or theft.

Limited Access Controls

One of the key tenets of HIPAA compliance is limiting access to PHI to only those individuals who need it in order to perform their job duties. However, with Grasshopper, it can be difficult to enforce access controls. While you can set up different user accounts and control what each user has access to, there are limitations to what you can do. For example, you may not be able to restrict individual users from accessing certain types of PHI or from sharing PHI with others.

Ultimately, Grasshopper is not a HIPAA compliant platform; therefore, healthcare providers should choose a different, HIPAA compliant VoIP provider.