The Health Insurance Portability and Accountability Act (HIPAA) offers valuable protection to patients and consumers, keeping their protected health information secure.
Healthcare providers must follow its rules to protect this data; failing to do so can bring heavy fines, professional licensing consequences, and even imprisonment.
A major component of HIPAA compliance is the technology health organizations use, including electronic health records, data-collecting diagnostic devices, and even business phone service.
This article outlines HIPAA-compliant VoIP, including patient privacy requirements, potential consequences for violations, and the top HIPAA-compliant phone system providers.
What is a HIPAA-Compliant VoIP Phone System?
A HIPAA-compliant VoIP phone system follows HIPAA's rules to protect health information wherever the system holds it: voice messages, recorded calls, stored files, and chat or SMS records.
HIPAA applies to covered entities (providers, health plans, and clearinghouses) and to every business associate that creates, receives, stores, or transmits protected health information (PHI), including its electronic form (ePHI). A VoIP provider that carries or stores a covered entity's PHI is a business associate, so any company handling such data must use a HIPAA-compliant VoIP provider.
Types of companies that typically must meet HIPAA-compliance standards include:
- Healthcare providers and vendors
- Pharmacies
- Doctors
- Billing companies
- Technology companies in the healthcare industry
- Law firms and attorneys
- Insurance companies
- Electronic health record platforms
- Managed service providers
- IT providers
HIPAA-Compliant VoIP Requirements
To be HIPAA-compliant, a VoIP phone system must implement the physical, technical, and administrative safeguards needed to keep protected health information private and secure.
While there are numerous rules and regulations to follow, any technology used to house or transmit patient data must:
- Maintain and ensure confidentiality, integrity, and availability of PHI and ePHI
- Identify and safeguard against threats to the security and integrity of patients’ information
- Protect against reasonably anticipated impermissible uses or disclosures
- Ensure workers (direct employees, contractors, and subcontractors) comply with the HIPAA guidelines

To stay compliant, a VoIP system must satisfy these four requirements, which come from the HIPAA Security and Privacy Rules (the HITECH Act extended them directly to business associates such as VoIP providers):
1. Authentication
Only authorized users should have access to ePHI. Every user, not merely every phone line, needs a unique user ID so that each access to patient data can be tied to an individual; shared extensions and shared admin logins make that impossible and are a common audit finding.
2. Encryption
Patient data must be encrypted while it is transmitted or shared. A quality VoIP system encrypts SIP signaling with transport layer security (TLS) and the voice media itself with SRTP; a virtual private network (VPN) tunnel between sites or devices is an alternative where endpoints cannot negotiate these on their own. Note that TLS on the signaling channel alone does not protect the audio stream.
3. Call Logs
To meet HIPAA's audit-control requirement, a VoIP phone system must keep records of activity involving ePHI: call detail records (who called whom, when, and for how long), who played or downloaded recordings and voicemail, and administrative actions such as changing a user's permissions or exporting data. This is an audit requirement, distinct from recording the content of calls.
4. Business Associate Agreement (BAA)
Any VoIP provider that handles a covered entity's PHI must enter into a HIPAA Business Associate Agreement (BAA). This contract sets out each party's compliance obligations.
To find answers to specific questions, get information on HIPAA audits, and see tips on how to prevent unauthorized access via access controls, consult the US Department of Health & Human Services HIPAA compliance web portal.
Consequences of Using a Non-HIPAA Compliant VoIP Service
HHS can impose direct penalties on organizations and healthcare professionals that do not comply with the regulations. These range from modest fines to potential imprisonment, although business leaders who have made a good-faith effort need not fear jail for a violation. The harshest penalties are reserved for organizations that willfully and knowingly broke the rules.
HIPAA Violation Tiers
The law breaks penalties into four tiers based on the egregiousness of the violation.
- First Tier: The company did not know, and could not reasonably have known, about the violation. Fines range from $100 to $50,000 per violation with a maximum fine of $1.5 million per year.
- Second Tier: The company had reasonable cause to know about the violation but did not act with willful neglect. Fines range from $1,000 to $50,000 per violation with a maximum fine of $1.5 million per year.
- Third Tier: The company acted with willful neglect but corrected the problem within 30 days of discovering it. Fines range from $10,000 to $50,000 per violation with a maximum fine of $1.5 million per year.
- Fourth Tier: The company acted with willful neglect and failed to remedy the problem in a timely manner. Fines start at $50,000 per violation with a maximum fine of $1.5 million per year.
These are the statutory amounts; HHS adjusts them annually for inflation, and since 2019 it has exercised enforcement discretion to apply lower annual caps to the first three tiers.
Criminal charges are possible where someone knowingly obtains or discloses PHI in violation of the law. HHS refers such cases to the Department of Justice, which prosecutes egregious violators.
Tarnished Reputation
The penalties from the federal government can hurt an organization financially, but HIPAA violations have other consequences.
Companies that fail to follow HIPAA privacy standards damage their business reputation, risking the loss of current clients and the ability to attract new ones.
HIPAA and VoIP: Why It Matters for Healthcare Providers
VoIP can deliver major cost savings for healthcare providers, but any system that carries PHI, whether in live calls, voicemails, recordings, or texts, must meet HIPAA's privacy and security standards. Common use cases for VoIP in healthcare include:
- Appointment reminders and scheduling
- Billing inquiries and insurance verification
- Telehealth consultations
- Sharing lab results or patient instructions
- Nurse line or after-hours triage
Because PHI is involved in all of these conversations, a HIPAA-compliant VoIP system is a must-have.
What HIPAA Requires from VoIP Systems
A healthcare VoIP system must implement administrative, physical, and technical safeguards to protect PHI:
- Access controls: Only authorized personnel should have access to recordings and call data
- Audit logs: Systems must show who accessed what data and when
- Data backup and recovery: VoIP Data needs to be stored securely and recoverable when outages or cyber attacks occur
- Encryption: Calls must be encrypted in transit, with TLS protecting the SIP signaling and SRTP protecting the voice media; TLS alone leaves the audio in the clear
- Business Associate Agreement (BAA): If your VoIP provider stores or transmits PHI, HIPAA demands a signed BAA demarcating responsibilities and expectations for PHI protection
Failing to meet these standards can lead to six- and seven-figure fines from the US Department of Health and Human Services (HHS) for failing to secure digital communications. HHS adjusts the penalty amounts for inflation each year; the annual maximum for each violation type is now $1,919,173 per calendar year.
How to Evaluate HIPAA Compliance in VoIP Providers
Do not assume compliance when shopping for a VoIP solution for your healthcare organization or practice; verify that the provider delivers it. Below is a quick checklist of key questions to ask providers:
Do you sign a Business Associate Agreement (BAA)?
HIPAA requires this if your provider touches PHI in any form. No BAA = no compliance = no deal.
Are calls encrypted in transit and at rest?
Confirm that SIP signaling is carried over TLS (Transport Layer Security) and that the media stream uses SRTP (Secure Real-Time Transport Protocol); TLS on its own covers only call setup, not the audio. Ask which algorithms protect call recordings, voicemail, and transcripts at rest, since that stored content, not the live call, is usually the largest pool of PHI the provider holds. Bear in mind that encryption covers only the leg between your endpoints and the provider; a call that hands off to the public telephone network travels the rest of the way on the carrier's infrastructure. Not all standards are built equally.
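As an added example (not code from this article or from any of the providers it reviews), the Python script below shows how to verify the "encrypted in transit" answer yourself rather than taking it from a sales sheet. Given a SIP INVITE captured from your own phone or softphone, it reports whether the signaling transport is TLS and whether each SDP media stream is SRTP (SDES keys in a=crypto lines, or DTLS-SRTP with an a=fingerprint) or plaintext RTP/AVP. It also flags the case the Encryption requirement earlier in this article warns about: SDES-SRTP keys travel inside the SDP, so without TLS on the signaling leg the "encrypted" media key is itself exposed. The sample INVITEs, addresses, and numbers are constructed for illustration.

```python
"""Check whether a SIP INVITE negotiates encrypted signalling and media.

Added example (not any provider's code). Feed it the text of an INVITE from a
packet capture or a SIP trace; the INVITEs at the bottom are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class MediaStream:
    kind: str            # "audio", "video", ...
    port: int            # 0 means the stream is rejected, so nothing flows
    profile: str         # "RTP/AVP", "RTP/SAVP", "UDP/TLS/RTP/SAVPF", ...
    sdes_keys: int = 0   # number of a=crypto lines (SDES-SRTP, RFC 4568)
    dtls_fingerprint: bool = False  # a=fingerprint seen (DTLS-SRTP, RFC 5763)

    @property
    def encrypted(self) -> bool:
        if self.port == 0:
            return True
        if "SAVP" not in self.profile:
            return False  # RTP/AVP or RTP/AVPF is plaintext RTP
        if self.profile.startswith("UDP/TLS/"):
            return self.dtls_fingerprint  # keys come from the DTLS handshake
        return self.sdes_keys > 0  # keys are carried in the SDP itself


def split_sip(message: str) -> tuple[dict[str, list[str]], str]:
    """Split a SIP message into lower-cased headers and its body."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    headers: dict[str, list[str]] = {}
    for line in head.split("\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def parse_sdp(body: str) -> list[MediaStream]:
    streams: list[MediaStream] = []
    session_fingerprint = False  # a=fingerprint before any m= applies to all streams
    current: MediaStream | None = None
    for raw in body.split("\n"):
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue
        key, value = line[0], line[2:]
        if key == "m":
            kind, port, profile = value.split()[:3]
            current = MediaStream(kind, int(port), profile, dtls_fingerprint=session_fingerprint)
            streams.append(current)
        elif key == "a" and value.startswith("crypto:") and current is not None:
            current.sdes_keys += 1
        elif key == "a" and value.startswith("fingerprint:"):
            if current is None:
                session_fingerprint = True
            else:
                current.dtls_fingerprint = True
    return streams


def audit_invite(message: str) -> list[str]:
    """Return findings; an empty list means signalling and every media stream are encrypted."""
    headers, body = split_sip(message)
    via = headers.get("via", [""])[0]
    match = re.match(r"SIP/2\.0/(\w+)", via)
    transport = match.group(1).upper() if match else "UNKNOWN"
    signalling_tls = transport in ("TLS", "WSS")
    findings: list[str] = []
    if not signalling_tls:
        findings.append(f"signalling over {transport}, not TLS: caller, callee and call metadata are in the clear")
    for s in parse_sdp(body):
        if not s.encrypted:
            findings.append(f"{s.kind} stream on port {s.port} offered as {s.profile}: plaintext RTP")
        elif s.sdes_keys and not signalling_tls:
            findings.append(f"{s.kind} stream is SDES-SRTP, but its key is carried in the SDP over unencrypted signalling")
    return findings


# Constructed sample: UDP signalling and plaintext RTP/AVP audio (video rejected).
PLAINTEXT_INVITE = """\
INVITE sip:+15551230100@pbx.example.net SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds
Call-ID: a84b4c76e66710@192.0.2.10
Content-Type: application/sdp

v=0
o=- 2890844526 2890844526 IN IP4 192.0.2.10
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
m=video 0 RTP/AVP 96
"""

# Constructed sample: TLS signalling, SDES-SRTP audio and DTLS-SRTP video.
ENCRYPTED_INVITE = """\
INVITE sips:+15551230100@pbx.example.net SIP/2.0
Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776asdhdt
Call-ID: a84b4c76e66711@192.0.2.10
Content-Type: application/sdp

v=0
o=- 2890844527 2890844527 IN IP4 192.0.2.10
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz
a=rtpmap:0 PCMU/8000
m=video 51372 UDP/TLS/RTP/SAVPF 96
a=fingerprint:sha-256 6B:8B:F0:65:5F:78:E2:51:3B:AC:6F:F3:3F:46:1B:35:DC:B8:5F:64:1A:24:C2:43:F0:A1:58:D0:A1:2C:19:08
a=setup:actpass
"""

# Constructed sample: SRTP keys are offered, but the SDP carrying them goes over UDP.
MIXED_INVITE = PLAINTEXT_INVITE.replace(
    "RTP/AVP 0 8 101",
    "RTP/SAVP 0 8 101\na=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz",
)

if __name__ == "__main__":
    for name, msg in [("plaintext", PLAINTEXT_INVITE), ("encrypted", ENCRYPTED_INVITE), ("mixed", MIXED_INVITE)]:
        print(name, audit_invite(msg) or ["ok: signalling and media encrypted"])
```

To run it against a real call, paste the INVITE from a packet capture (Wireshark's "Follow" view on the SIP stream, or a provider's SIP trace export) into a string. A provider that advertises "TLS" but still offers RTP/AVP in the SDP is not encrypting the audio, and the mixed case shows why the signaling and media questions have to be asked together.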
Where is call data stored, and is it secure?
Data must be stored in HIPAA-compliant, geographically appropriate data centers (with preference towards the US, especially for domestic users). Be sure to inquire about physical safeguards and access controls at the facilities.
What access controls are in place for system users?
Look for role-based permissions, single sign-on (SSO), and multi-factor authentication (MFA), and confirm that system administration and access to recordings are separate roles so that no one holds more access than their job requires.
Can we audit and monitor user access and system activity?
What visibility do you have into who accesses PHI, and will you know when and what actions users take? Audit logs should record at least the user, the action, the resource, and the time, and they must be exportable for review; real-time audit logs and reporting tools are non-negotiable.
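Audit logs are only useful if someone reads them. The script below is an added example (not any provider's export format or tooling) of the review a compliance or security owner would run over a VoIP platform's audit export to answer the questions above and to check the unique-user-ID and access-control requirements from earlier in this article. It flags recordings, voicemail, or transcripts opened by a role that should not see them, PHI access without MFA, and one user ID active from two different addresses within a few minutes, which usually means a shared login. The JSON-lines format, field names, role list, and ten-minute window are assumptions chosen for the example; the events are constructed.

```python
"""Review a VoIP platform's audit export for HIPAA access-control problems.

Added example. The event schema, role names and thresholds below are
assumptions for illustration, not any provider's format; the sample
export is constructed.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Resources that contain PHI, and the roles permitted to open them (assumed policy).
PHI_RESOURCES = {"recording", "voicemail", "transcript"}
ALLOWED_ROLES = {"clinician", "nurse", "billing", "compliance"}
# Two different source addresses for one user ID inside this window suggests a shared login.
SESSION_WINDOW = timedelta(minutes=10)

# Constructed sample export, one JSON event per line (assumed field names).
AUDIT_EXPORT = """\
{"ts": "2024-03-04T09:00:12Z", "user": "jdoe", "role": "nurse", "action": "play", "resource": "recording", "id": "rec-1041", "ip": "10.20.1.15", "mfa": true}
{"ts": "2024-03-04T09:02:30Z", "user": "frontdesk", "role": "reception", "action": "download", "resource": "recording", "id": "rec-1041", "ip": "10.20.1.40", "mfa": true}
{"ts": "2024-03-04T09:05:01Z", "user": "jdoe", "role": "nurse", "action": "play", "resource": "voicemail", "id": "vm-88", "ip": "198.51.100.7", "mfa": false}
{"ts": "2024-03-04T09:06:44Z", "user": "sysadmin", "role": "admin", "action": "export", "resource": "recording", "id": "bulk", "ip": "10.20.1.2", "mfa": true}
{"ts": "2024-03-04T09:30:00Z", "user": "jdoe", "role": "nurse", "action": "login", "resource": "portal", "id": "-", "ip": "10.20.1.15", "mfa": true}
"""


def parse_events(export: str) -> list[dict]:
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in export.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Accept the trailing "Z" on older Pythons by rewriting it as an explicit offset.
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def review_audit_log(export: str) -> dict[str, list]:
    """Return findings grouped by type: role_violation, missing_mfa, shared_credential."""
    events = parse_events(export)
    findings: dict[str, list] = {"role_violation": [], "missing_mfa": [], "shared_credential": []}
    by_user: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        touches_phi = ev["resource"] in PHI_RESOURCES
        if touches_phi and ev["role"] not in ALLOWED_ROLES:
            findings["role_violation"].append(ev)       # minimum-necessary / RBAC breach
        if touches_phi and not ev.get("mfa", False):
            findings["missing_mfa"].append(ev)          # PHI opened from a session without MFA
        by_user[ev["user"]].append(ev)
    # Unique user IDs: one ID seen from two addresses within the window is a shared-login signal.
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] != cur["ip"] and cur["ts"] - prev["ts"] <= SESSION_WINDOW:
                findings["shared_credential"].append((user, prev["ip"], cur["ip"]))
    return findings


if __name__ == "__main__":
    for kind, items in review_audit_log(AUDIT_EXPORT).items():
        print(kind)
        for item in items:
            print("  ", item)
```

In the constructed export this turns up a receptionist downloading a recording, an admin account bulk-exporting recordings (administration and PHI access should be separate roles), a voicemail opened from a session without MFA, and a nurse's ID used from an internal and an external address five minutes apart. Each of these is exactly what the audit-log requirement exists to surface, and each is invisible if the provider only offers a usage dashboard rather than an exportable log.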
What is your response plan when data breaches occur?
The vendor must notify you formally when a breach occurs, and its process must fit HIPAA's Breach Notification Rule, under which a business associate must report a breach to the covered entity without unreasonable delay and no later than 60 days after discovering it. Ask how often they test or update these response protocols.
Are staff trained on HIPAA and data handling?
Employees at your vendor need regular compliance training, and its policies need to be documented, accessible, and updated on a regular schedule.
Are third parties involved, and do they comply?
If the vendor relies on subcontractors that touch PHI (a data center operator or an SMS aggregator, for example), HIPAA requires the vendor to hold BAAs with them as well. Ask the vendor to confirm this and to show how those subcontractors meet HIPAA standards.
Red Flags That Signal Non-Compliant Vendors
Here are a few red flags that signal a non-compliant and risky vendor:
- The vendor avoids or refuses to sign a BAA
- No mention of encryption protocols or outdated security documentation
- Data stored in offshore data centers without any known regulatory protections
- No access to detailed usage reports or audit logs
- Sales reps make claims of being "HIPAA-ready" without any proof or documentation
- Provider does not know if they handle PHI or assumes a BAA is not necessary
What are the Best HIPAA-Compliant VoIP Providers?
Below, we’ve outlined today’s best HIPAA-compliant VoIP providers:
Nextiva
Nextiva's unified communications platform includes VoIP calling, SMS text messaging, team chat, and video conferencing with up to 250 users. All Nextiva products are HIPAA-compliant and include a blend of collaboration tools, phone system features, and call routing customization options. It is a straightforward, well-rounded multichannel phone system.

Nextiva Pricing
Nextiva offers three UCaaS plans that range from $15 to $75 when billed annually. The Core plan includes VoIP calling, SMS, team chat, and video meetings. Higher-tier plans add call center features like queuing, toll-free numbers, and advanced reporting.
Check out our Nextiva pricing review to learn more.
Key Features
- Video conferencing: Scheduled/on-demand video meetings with collaboration features like screen sharing, team chat, and built-in calendaring and invite options
- Team chat rooms (3 concurrent team rooms per account): Team-specific chat messaging with file sharing and storage, message threading, emojis, and one-click video or conference calls
- Call records and voicemail: Full call history with voicemail playback and transcription, plus forwarding to the user's SMS or email inbox
Nextiva Pros
- Easy-to-use app interface on desktop and mobile
- Each plan includes at least 1,500 monthly toll-free minutes
- All plans include team chat
Nextiva Cons
- Each plan includes a monthly SMS limit
- Video meetings are capped at 45 minutes, which is fairly short
- Relies on the narrowband G.711 codec rather than a wideband codec such as G.722 or Opus, which limits call quality
RingCentral
RingEX is a HIPAA-compliant unified communications platform with VoIP, SMS, video conferencing, and team chat. RingCentral signs a BAA with its HIPAA-covered customers, and the platform supports a variety of HIPAA-related integrations that tighten how the app handles inbound calls.

RingEX Pricing
RingCentral offers three RingEX plans that range from $20 to $35 monthly per user. The $20 plan starts with unlimited calling in the US, team chat, video conferencing, and IVR. The higher-tier plans add call monitoring, call recording, CRM integrations, and real-time business analytics.
Read our RingCentral pricing review for more information.
Key Features
- Integrations: 300+ integrated apps (more than any provider in this post), including security and compliance apps that add further protection for PHI
- Collaboration: Team chat messaging with task-assignment tools, file sharing, file storage, and recording storage
- Call Queueing: Unlimited hold queues for inbound callers, advanced ACD and call queueing rules, multi-level call routing system
RingCentral Pros
- App plans include all core channels
- High-level collaboration tools
- $25 is a great value for the features on the Advanced plan
RingCentral Cons
- Very restrictive monthly SMS limits
- Advanced features can have a steep learning curve for new users
Zoom
Zoom Phone, the popular video conferencing platform's VoIP phone system, includes SMS texting, team chat, and a well-rounded suite of virtual phone features like toll-free numbers, voicemail transcription, IVR and routing, call monitoring, and more. The phone system integrates with Zoom Meetings and Zoom One, including the free version. Zoom's products support HIPAA compliance, with features like password-protected app login and multi-factor authentication.

Zoom Phone Pricing
Zoom Workplace offers one free plan and three paid tiers, ranging from $13.32 to $22.49+ per user per month. The free Basic plan includes 40-minute meetings for up to 100 participants, along with local recording, screen sharing, breakout rooms, collaborative notes, and team chat. Paid plans expand functionality with features like longer meetings, AI Companion, cloud storage, transcription, Scheduler, and live support.
Custom pricing is available for large teams (250 or more users). Read our full Zoom pricing breakdown to explore which plan best fits your needs.
Key Features
- Call monitoring: Supervisors can silently monitor agent phone calls and conversations, whisper private guidance, barge into live conversations, or take over the call entirely
- Auto attendants: All Zoom Phone plans include unlimited multi-layer auto attendants to create IVR menus that route inbound callers
- Call queuing and ACD: Create call groups and a queueing system to organize inbound callers when agents are busy
Zoom Phone Pros
- Unique pricing options, including a non-US-based domestic plan
- Highly affordable plans
- Integrates seamlessly with Zoom’s other products
Zoom Phone Cons
- Lacks a built-in analytics feature
- Does not include Zoom Meetings as a native offering
- US-based plans only offer DID numbers based in the US
Vonage
Vonage offers a variety of HIPAA-compliant VoIP products: phone and SMS APIs, plus a unified communications platform with calling, SMS, team chat, and video conferencing with up to 100 participants. Vonage provides a BAA for all of its products, and each product uses strong encryption in support of HIPAA compliance. It is also known for high-level integrations with third-party healthcare platforms like Visionflex and Redox.

Vonage Pricing
Vonage Business Communications offers three plans from $14 to $28 monthly per user. The basic Mobile plan includes desktop and mobile apps with VoIP calling, SMS, basic IVR, and voicemail. Higher-tier plans add team messaging, video, and ring groups.
To learn more, see our Vonage pricing review.
Key Features
- Video meetings: Host 100 meeting participants in HIPAA-compliant Vonage Meetings, access in-meeting collaboration features like speaker view, waiting rooms, meeting lock, participant chat, and whiteboarding
- International business numbers: Choose international phone numbers in dozens of countries
- Phone dashboard: Administrators and supervisors can monitor the real-time activity status of all account phone lines
Vonage Pros
- Easy-to-use desktop app
- Video meetings include a well-rounded variety of collaboration features
- App includes all the important call controls
Vonage Cons
- Some basic features, like call queues, are only available as an add-on
- Lacks analytics
- More expensive than most alternatives
Dialpad
Dialpad offers a small-business UCaaS platform with VoIP services, SMS, team chat, and 10-participant video meetings. The phone system includes several advanced features like real-time call transcription, AI-based live support, and analytics, plus standard features like IVR, call queues, and ring groups. Dialpad's products are HIPAA compliant, backed by a SOC 2 Type II attestation, automatic failover protection, and built-in call logging and monitoring.

Dialpad Pricing
Dialpad has three paid plans starting at $15 per user, per month. All plans include unlimited calling and texting in the U.S. and Canada, voicemail transcription, real-time AI call transcriptions, and productivity integrations. Higher tiers add CRM integrations, global number support, advanced analytics, and enterprise-grade admin tools.
Custom pricing is available for large teams with advanced needs. Explore our full Dialpad pricing breakdown to compare features across plans.
Key Features
- AI Tools: Dialpad uses artificial intelligence for several dynamic real-time tools. Live call transcription provides running captions for agents, and AI suggestions offer canned responses and feedback to guide agent interactions. Video meetings have live transcription and automated post-call summaries.
- Video conferencing: While Dialpad AI video meetings only support 10 users, they include many collaboration tools, such as custom layouts and backgrounds, hold music, custom meeting room URLs, chat, recording, drawing, and timers
- Analytics: Real-time and historical metrics for all call center activity–including call center KPIs like agent performance, call volume, and customer satisfaction
Dialpad Pros
- Affordable plans
- One-of-a-kind AI tools
- User-friendly interface
Dialpad Cons
- 10-participant capacity on video meetings
- Advanced features can be overwhelming for new users
Make Sure Your Business VoIP System is HIPAA Compliant
HIPAA compliance is essential for any business that interacts with healthcare data.
The federal government has made protecting patients a priority and imposes stiff penalties on those who fail to follow the law. While the VoIP industry has largely adjusted to HIPAA's demands, it is still your responsibility to confirm that both your VoIP provider and your own business practices support HIPAA compliance.