User Authentication, Access Controls, and Audit Logs
User authentication, access controls, and audit logs are not only important parts of securing data, they are also required by the HIPAA minimum necessary standard. This standard requires ePHI access to be limited to authorized parties only, the designation of different data access levels based on employee job roles, and the tracking and monitoring of data access. To facilitate these, each employee must be assigned unique login credentials before being permitted access to their phone line.
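The three requirements above (unique credentials per user, access levels tied to job role, and tracked access) fit together in a small enforcement layer. The following is an added example written for this page, not code from the original article or any VoIP vendor; the roles, resource types, user ids and permissions are constructed for illustration. It shows a role check on every ePHI access, an audit entry for every attempt whether granted or denied, and a hash chain over the log so that a deleted or edited entry is detectable during review.

```python
"""Role-based ePHI access control with a tamper-evident audit log.

Added illustration; roles, resources and ids below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import json

# Role -> set of (resource type, action) pairs that role may perform.
# Constructed for this example; a real deployment derives these from job roles.
ROLE_PERMISSIONS = {
    "physician": {("patient_record", "read"), ("patient_record", "write"),
                  ("voicemail", "listen")},
    "billing_clerk": {("billing_record", "read"), ("billing_record", "write")},
    "receptionist": {("voicemail", "listen"), ("appointment", "read"),
                     ("appointment", "write")},
}

GENESIS_HASH = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class User:
    user_id: str  # unique per employee; shared accounts defeat attribution
    role: str


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    user_id: str
    resource_type: str
    resource_id: str
    action: str
    granted: bool
    prev_hash: str
    entry_hash: str


def _digest(ts, user_id, resource_type, resource_id, action, granted, prev):
    payload = json.dumps([ts, user_id, resource_type, resource_id, action, granted, prev])
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the hash of the previous one,
    so removing or altering an earlier record breaks verification."""

    def __init__(self):
        self.entries = []

    def record(self, user, resource_type, resource_id, action, granted, now=None):
        ts = (now or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        digest = _digest(ts, user.user_id, resource_type, resource_id, action, granted, prev)
        entry = AuditEntry(ts, user.user_id, resource_type, resource_id,
                           action, granted, prev, digest)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain; False if any entry was edited or removed."""
        prev = GENESIS_HASH
        for e in self.entries:
            expected = _digest(e.timestamp, e.user_id, e.resource_type,
                               e.resource_id, e.action, e.granted, prev)
            if e.prev_hash != prev or e.entry_hash != expected:
                return False
            prev = e.entry_hash
        return True


def is_permitted(user, resource_type, action):
    return (resource_type, action) in ROLE_PERMISSIONS.get(user.role, set())


def access(log, user, resource_type, resource_id, action):
    """Enforce the role check, then log the attempt whether or not it was granted."""
    granted = is_permitted(user, resource_type, action)
    log.record(user, resource_type, resource_id, action, granted)
    return granted


def denied_attempts(log):
    """Monitoring query: which users tried to reach data outside their role."""
    return [(e.user_id, e.resource_type, e.action)
            for e in log.entries if not e.granted]


if __name__ == "__main__":
    log = AuditLog()
    physician = User("u-1001", "physician")
    clerk = User("u-2002", "billing_clerk")
    access(log, physician, "patient_record", "pr-42", "read")
    access(log, clerk, "patient_record", "pr-42", "read")
    print("denied:", denied_attempts(log), "chain ok:", log.verify())
```

Denied attempts are logged as deliberately as granted ones: they are the events a reviewer most wants when investigating whether the minimum necessary standard is being respected. The hash chain only detects tampering; keeping the log on a separate, write-restricted store is what makes that detection hard to defeat.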
Encryption is vital for data security, and is particularly important when an organization suffers a breach affecting ePHI. When ePHI is not encrypted and the organization is breached, the Office for Civil Rights (OCR) deems this a HIPAA violation, and would likely consider the organization negligent, subjecting them to fines and corrective actions.
NIST's 800-series special publications provide additional recommendations for VoIP security.
Business Associate Agreements
The willingness to sign business associate agreements (BAAs) with your healthcare clients is a key component of HIPAA compliance. Even if your software is technically secure, your product cannot be considered HIPAA compliant if you don’t sign BAAs. A BAA is a legal contract that requires each signing party to be HIPAA compliant, and be responsible for maintaining their compliance. The presence of a signed BAA limits the liability for both parties in event of a breach or OCR investigation.