No Business Associate Agreement
Under HIPAA regulations, any vendor or service provider that handles PHI must sign a Business Associate Agreement (BAA) with its covered entity (CE) clients. A BAA establishes the terms and conditions under which PHI will be handled and protected. Grasshopper does not offer a BAA to its customers, which means it is not legally bound to comply with HIPAA regulations. This leaves your healthcare business exposed to potential breaches and violations.
Risk of Unauthorized Access
Grasshopper relies on third-party vendors to provide its services, which means that any data you pass through its system could be accessed by those vendors. Without a BAA in place, there is no guarantee that these third-party vendors are HIPAA compliant or even have the necessary safeguards in place to protect PHI from unauthorized access. This puts your patients' privacy at risk and could result in significant penalties for your business if a breach were to occur.
Lack of Encryption
Encryption is an essential element in the protection of PHI. It is the process of converting data into a form that can only be read by someone holding the corresponding key or password. Unfortunately, Grasshopper does not offer encryption for its phone calls or messages, which means that hackers can easily intercept those communications.
Limited Control Over Data Storage
When you use Grasshopper, you have very little control over where your data is stored. It may be stored on servers located outside of the United States, which could potentially violate HIPAA regulations. Moreover, it can be difficult to know exactly where your data is at any given time, which means it could be exposed to unauthorized access or theft.
Limited Access Controls
One of the key tenets of HIPAA compliance is limiting access to PHI to only those individuals who need it to perform their job duties. With Grasshopper, however, it can be difficult to enforce such access controls. While you can set up different user accounts and control what each user has access to, there are limits to what you can do. For example, you may not be able to restrict individual users from accessing certain types of PHI or from sharing PHI with others.
Ultimately, Grasshopper is not a HIPAA-compliant platform, so healthcare providers should choose a different, HIPAA-compliant VoIP provider.