What is HIPAA Compliant VoIP?

VoIP services have increased in popularity, being widely adopted by businesses across several sectors. As a VoIP provider, it is important to consider who your clients are, and what laws you need to comply with to service those clients. For instance, did you know that when you have healthcare clients, you need to be HIPAA compliant? But what does HIPAA compliant VoIP entail? 

VoIP and HIPAA Compliance: Why and How?

HIPAA Compliant VoIP

VoIP providers with healthcare clients are considered business associates under HIPAA, and therefore must be HIPAA compliant. By providing features such as call recording and voicemail, VoIP providers have the potential to access electronic protected health information (ePHI) through the nature of the work they perform for healthcare businesses. To be a HIPAA compliant VoIP provider, you must ensure the confidentiality, integrity, and availability of PHI transmitted, received, and stored through your platform.

User Authentication, Access Controls, and Audit Logs

User authentication, access controls, and audit logs are not only important parts of securing data; they are also required by the HIPAA minimum necessary standard. This standard requires that ePHI access be limited to authorized parties, that data access levels be designated according to employee job roles, and that data access be tracked and monitored. To facilitate this, each employee must be assigned unique login credentials to be permitted access to their phone line.


Encryption is vital for data security, and is particularly important when an organization suffers a breach affecting ePHI. When ePHI is not encrypted and the organization is breached, the Office for Civil Rights (OCR) deems this a HIPAA violation, and would likely consider the organization negligent, subjecting them to fines and corrective actions.

NIST 800 provides additional recommendations for VoIP security.

Business Associate Agreements

The willingness to sign business associate agreements (BAAs) with your healthcare clients is a key component of HIPAA compliance. Even if your software is technically secure, your product cannot be considered HIPAA compliant if you don’t sign BAAs. A BAA is a legal contract that requires each signing party to be HIPAA compliant and to be responsible for maintaining its own compliance. The presence of a signed BAA limits the liability for both parties in the event of a breach or OCR investigation.

Business Associate HIPAA Requirements

There is more to HIPAA compliant VoIP than making sure your product offers your clients the proper security and privacy protections. Certain HIPAA requirements are ongoing, requiring upkeep to ensure compliance. 

  • Annual Self-Audits and Remediation Efforts: to ensure that client PHI is adequately safeguarded, business associates must conduct annual self-audits. Self-audits identify vulnerabilities in your administrative, technical, and physical safeguards. To ensure HIPAA compliance, those vulnerabilities must be addressed with remediation efforts.
  • HIPAA Policies and Procedures: implementing documented policies and procedures ensures that you and your staff have guidance on the proper use and disclosure of ePHI, how ePHI in your organization is secured, and measures to take if there is a suspected breach of ePHI. Policies and procedures must be reviewed annually to account for any changes in business practices.
  • Annual Employee HIPAA Training: each year, employees that have the potential to access ePHI must be trained on HIPAA, your organization’s HIPAA policies and procedures, and cybersecurity best practices.
  • Business Associate Agreements: just like you are required to sign business associate agreements with your healthcare clients, you must also have signed BAAs with your vendors that have the potential to access your clients’ ePHI. Examples of business associates include hosting services and cloud data backup providers, among many others.
  • Incident Response: ongoing compliance requires breaches affecting PHI to be reported to the OCR and to the patients affected by the breach. When a breach affects 500 or more patients, it must also be reported to local media outlets and will be publicly posted on the OCR online breach portal.