The Health Insurance Portability and Accountability Act (HIPAA) offers valuable protection to patients and consumers, keeping their personal health information secure.
Healthcare providers must follow certain guidelines to protect this data, as a failure to do so may result in heavy fines, loss of medical licensing, and even imprisonment.
A major component of HIPAA compliance is the technology health organizations use, including electronic health records, data-collecting diagnostic devices, and even business phone service.
This article outlines HIPAA Compliant VoIP, including patient privacy requirements, potential consequences for violations, and the top HIPAA-compliant phone system providers.
Jump to ↓
- What is a HIPAA-Compliant VoIP Phone System?
- HIPAA Compliance Requirements
- Consequences of Using a Non-HIPAA Compliant VoIP
- What are the Best HIPAA-Compliant VoIP Providers?
What is a HIPAA-Compliant VoIP Phone System?
A HIPAA-compliant VoIP phone system follows HIPAA guidelines to protect customer data, including voice messages, recorded calls, stored files, and chat or SMS records.
HIPAA impacts all businesses and organizations that come in contact with a patient’s protected health information (PHI) or electronic protected health information (ePHI). Any company that handles the sensitive healthcare information of a covered entity must use a HIPAA-compliant VoIP provider.
Types of companies that typically must meet HIPAA-compliance standards include:
- Healthcare providers and vendors
- Billing companies
- Technology companies in the healthcare industry
- Law firms and attorneys
- Insurance companies
- Electronic health record platforms
- Managed service providers
- IT providers
HIPAA Compliant VoIP Requirements
To be HIPAA-compliant, a VoIP phone system must meet both physical and network security measures to keep protected health information private and secure.
While there are numerous rules and regulations to follow, any technology used to house or transmit patient data must:
- Maintain and ensure confidentiality, integrity, and availability of PHI and ePHI
- Identify and safeguard against threats to the security and integrity of patients’ information
- Protect against reasonably anticipated impermissible uses or disclosures
- Ensure workers (direct employees, contractors, and subcontractors) comply with the HIPAA guidelines
To stay compliant with HIPAA laws, VoIP systems must meet these four main requirements of the HITECH (Health Information Technology for Economic and Clinical Health) Act:
1. Access Controls
Only authorized users should have access to ePHI. Every phone line should have a unique user ID to ensure only the proper employees have access to patient data.
2. Encryption
Patient data must be encrypted during transmission or sharing. Most quality VoIP systems will use high-level encryption technologies such as virtual private networks (VPNs) or transport layer security (TLS) to meet this requirement.
3. Call Logs
To meet HIPAA requirements, VoIP phone systems must be able to record all call data. This includes metadata and administrative functions performed during the call.
4. Business Associate Agreement (BAA)
All VoIP providers working with companies that collect health information must enter into a HIPAA Business Associate Agreement (BAA). This acts as a contract that sets compliance obligations.
To find answers to specific questions, get information on HIPAA audits, and see tips on how to prevent unauthorized access via access controls, consult the US Department of Health & Human Services HIPAA compliance web portal.
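The four requirements above translate naturally into a configuration audit. The following Python script is an added example, not code from the article or from any of the providers it reviews: it walks a VoIP tenant's exported settings and reports a finding for each requirement that is not met (shared user IDs, signaling that is not TLS, media that is not required to use SRTP, incomplete call logging, no signed BAA). The configuration layout, the field names, the SRTP check and the list of required log fields are assumptions made for the example; map them to your provider's admin API or settings export.

```python
"""Audit a VoIP tenant configuration against the four HIPAA/HITECH
requirements: per-line unique user IDs, encrypted transport, complete
call logging, and a signed Business Associate Agreement.

The dict layout and field names below are assumptions for this example,
not any provider's real settings schema.
"""
from collections import Counter
from typing import Dict, List

# Constructed sample: a tenant with several compliance gaps.
WEAK_TENANT: Dict = {
    "baa_signed": False,
    "signaling": {"transport": "udp"},      # SIP signaling sent in the clear
    "media": {"srtp": "optional"},          # media may fall back to plain RTP
    "call_logging": {"enabled": True, "fields": ["caller", "callee", "start"]},
    "lines": [
        {"extension": "101", "user_id": "frontdesk"},
        {"extension": "102", "user_id": "frontdesk"},   # shared login
        {"extension": "103", "user_id": "drsmith"},
    ],
}

# Constructed sample: the same tenant after remediation.
HARDENED_TENANT: Dict = {
    "baa_signed": True,
    "signaling": {"transport": "tls"},
    "media": {"srtp": "required"},
    "call_logging": {
        "enabled": True,
        "fields": ["caller", "callee", "start", "end", "duration", "admin_actions"],
    },
    "lines": [
        {"extension": "101", "user_id": "frontdesk.a"},
        {"extension": "102", "user_id": "frontdesk.b"},
        {"extension": "103", "user_id": "drsmith"},
    ],
}

# Call metadata the log must capture, including administrative actions
# performed during the call. The field names are assumed for the example.
REQUIRED_LOG_FIELDS = {"caller", "callee", "start", "end", "duration", "admin_actions"}


def audit_tenant(tenant: Dict) -> List[str]:
    """Return one finding per failed check; an empty list means all four passed."""
    findings: List[str] = []
    lines = tenant.get("lines", [])

    # 1. Access control: every phone line needs its own user ID.
    for user_id, count in Counter(line.get("user_id") for line in lines).items():
        if user_id and count > 1:
            findings.append(f"access-control: user ID '{user_id}' shared by {count} lines")
    for line in lines:
        if not line.get("user_id"):
            findings.append(f"access-control: extension {line['extension']} has no user ID")

    # 2. Encryption in transit: SIP signaling over TLS, media over SRTP.
    if tenant.get("signaling", {}).get("transport", "").lower() != "tls":
        findings.append("encryption: SIP signaling transport is not TLS")
    if tenant.get("media", {}).get("srtp", "").lower() != "required":
        findings.append("encryption: SRTP is not required for media")

    # 3. Call logs: logging enabled and every required metadata field captured.
    logging_cfg = tenant.get("call_logging", {})
    if not logging_cfg.get("enabled"):
        findings.append("call-logs: call logging is disabled")
    else:
        missing = REQUIRED_LOG_FIELDS - set(logging_cfg.get("fields", []))
        if missing:
            findings.append(f"call-logs: missing fields {sorted(missing)}")

    # 4. Business Associate Agreement on file with the provider.
    if not tenant.get("baa_signed"):
        findings.append("baa: no signed Business Associate Agreement")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_TENANT), ("hardened", HARDENED_TENANT)):
        result = audit_tenant(cfg)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Run against the two constructed tenants, the weak one yields five findings (one per gap) and the hardened one yields none. Checking the SRTP setting alongside the TLS transport matters because TLS only protects SIP signaling; call audio travels in separate RTP streams that stay readable unless SRTP is enforced.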
Consequences of Using a Non-HIPAA Compliant VoIP Service
HIPAA imposes direct penalties on organizations and healthcare professionals that do not comply with the outlined regulations. These penalties range from small fines to potential imprisonment, although business leaders should not worry they will go to jail for a violation if they’ve made a good-faith effort. The harshest penalties are reserved for organizations that willingly and knowingly broke the rules.
HIPAA Violation Tiers
The law breaks penalties into four tiers based on the egregiousness of the violation.
- First Tier: The company did not know or could not have reasonably known about a data breach. Fines range from $1,000 to $50,000 per incident with a maximum fine of $1.5 million per year.
- Second Tier: The company would have known about the breach by exercising reasonable diligence. They are not believed, though, to have acted with neglect. Fines range from $1,000 to $50,000 per incident with a maximum fine of $1.5 million per year.
- Third Tier: The company acted with willful neglect but was able to correct issues within 30 days of the breach. Fines range from $10,000 to $50,000 per incident with a maximum fine of $1.5 million per year.
- Fourth Tier: The company acted with willful negligence and failed to remedy the problem in a timely manner. Fines start at $50,000 per incident with a maximum fine of $1.5 million per year.
Potential criminal charges may be made if the Department of Health and Human Services (HHS) determines there was deliberate malicious intent. HHS would work with the Department of Justice to assign criminal penalties to egregious violators.
The penalties from the federal government can hurt an organization financially, but HIPAA violations have other consequences.
Companies that find themselves not following HIPAA privacy standards hurt their overall business reputation, leading to the potential loss of current clients or the inability to attract new customers.
What are the Best HIPAA-Compliant VoIP Providers?
Below, we’ve outlined today’s best HIPAA-compliant VoIP providers:
Nextiva
Nextiva’s unified communications platform includes VoIP calling, SMS text messaging, team chat, and video conferencing with up to 250 users. All Nextiva products are HIPAA-compliant and include a blend of collaboration tools, phone system features, and call routing customization options. It’s a basic and well-rounded multichannel phone system.
Nextiva Pricing
Nextiva offers three UCaaS pricing plans:
- Essentials ($18.95 monthly per user): Unlimited VoIP calling in the US and Canada, 45-minute video calls, team chat and group channels, file sharing, a free local and toll-free number with each sign-up, shared contacts, basic auto attendant
- Professional ($22.95 monthly per user): Adds SMS texting, 40-participant conference calls, CRM integrations, unlimited 45-minute video conferences with screen sharing, multi-level auto attendant, voicemail-to-SMS forwarding
- Enterprise ($32.95 monthly per user): Expands to unlimited video-meeting and conference-call participants, adds call and video conference recording, voicemail transcription
Nextiva Features
- Video conferencing: Scheduled/on-demand video meetings with collaboration features like screen sharing, team chat, and built-in calendaring and invite options
- Team chat rooms: (3 concurrent team rooms per account) Team-specific chat messaging with file sharing and storage, message threading, emojis, and one-click video or conference calls
- Call records and voicemail: Full call history with voicemail playback and transcription–plus forwarding to the user’s SMS or email inbox
Nextiva Pros
- Easy-to-use app interface on desktop and mobile
- Each plan includes at least 1,500 monthly toll-free minutes
- All plans include team chat
Nextiva Cons
- Each plan includes a monthly SMS limit
- Video meetings capped at 45 minutes–fairly short
- G.711 codec somewhat outdated, limits call quality
RingCentral MVP
RingCentral MVP is a HIPAA-compliant unified communications platform with VoIP, SMS, video conferencing, and team chat. RingCentral mutually signs a BAA with all HIPAA-covered companies, and the platform also supports a variety of HIPAA-related integrations that modify how the app handles inbound calls, making the process more secure.
RingCentral MVP Pricing
RingCentral offers three UCaaS pricing plans:
- Core ($20 monthly per user): Includes unlimited VoIP in the US and Canada, 25 monthly SMS per user, 100-participant video conferencing, team chat, on-demand call recording, multi-level auto attendant, call queues, incoming caller ID
- Advanced ($25 monthly per user): Adds automatic call recording, call monitoring, over 300 integrated apps, business analytics, advanced queuing rules, 1000 toll-free minutes; expands to 100 monthly SMS per user
- Ultra ($35 monthly per user): Upgrade video meetings to HD video and whiteboards; unlimited file sharing, file storage, and recording storage, customizable business analytics; expands to 200 SMS per user, 10,000 monthly toll-free minutes per account, and 200 video participants
RingCentral MVP Features
- Integrations: 300+ integrated apps (more than any provider in this post) including security apps that further protect HIPAA-compliant data
- Collaboration: Team chat messaging with task-assignment tools, file sharing, file storage, and recording storage
- Call Queueing: Unlimited hold queues for inbound callers, advanced ACD and call queueing rules, multi-level call routing system
RingCentral MVP Pros
- App plans include all core channels
- High-level collaboration tools
- $25 is a great value for the features on the Advanced plan
RingCentral MVP Cons
- Very restrictive monthly SMS limits
- Advanced features can have a steep learning curve for new users
Zoom Phone
Zoom Phone, the popular video conferencing platform’s VoIP phone system, includes SMS texting, team chat, and a well-rounded suite of virtual phone features like toll-free numbers, voicemail transcription, IVR and routing, call monitoring, and more. The phone system integrates with Zoom Meetings and Zoom One, including the free version. All Zoom products are HIPAA compliant, with features like password-protected app login and multi-layer user authentication.
Zoom Phone Pricing
Zoom Phone offers three pricing plans, which vary by unlimited calling area and how calling is priced.
Each plan includes the full set of Zoom Phone features: SMS and MMS, toll-free numbers, desktop and mobile apps, voicemail transcription, IVR and call queues, conference calls, call recording, call handoff between devices, and more.
- US & Canada Metered ($10 monthly): Pay-per-minute calling within the US and Canada, plus metered international calling
- US & Canada Unlimited ($15 monthly): Unlimited calling in the US and Canada, plus an optional add-on for unlimited VoIP calling in 19 countries
- Pro Global Select ($20 monthly): Unlimited domestic calling in one of 40+ countries, plus an optional add-on for unlimited calling in 19 countries
Zoom Phone Features
- Call monitoring: Supervisors can silently monitor agent phone calls and conversations, whisper private guidance, barge into live conversations, or take over the call entirely
- Auto attendants: All Zoom Phone plans include unlimited multi-layer auto attendants to create IVR menus that route inbound callers
- Call queuing and ACD: Create call groups and a queueing system to organize inbound callers when agents are busy
Zoom Phone Pros
- Unique pricing options, including a non-US-based domestic plan
- Highly affordable plans
- Integrates seamlessly with Zoom’s other products
Zoom Phone Cons
- Lacks a built-in analytics feature
- Does not include Zoom Meetings as a native offering
- US-based plans only offer DID numbers based in the US
Vonage
Vonage offers a variety of HIPAA-compliant VoIP products: phone and SMS APIs, plus a unified communications platform with calling, SMS, team chat, and video conferencing with up to 100 participants. Vonage provides BAA provisioning for all of its products, and each product includes high-security encryption, ensuring HIPAA compliance. It’s also known for high-level integrations with third-party healthcare platforms like Visionflex and Redox.
Vonage Pricing
Vonage offers three unified communications plans:
- Mobile ($19.99 monthly per user): Includes unlimited calling in the US, Canada and Mexico, SMS, team chat, mobile and desktop apps, basic IVR, toll-free numbers, call flipping between devices, call parking
- Premium ($29.99 monthly per user): Adds 100-participant video meetings, CRM integrations, the ability to connect to IP desk phones, and upgrades to a multi-level auto attendant
- Advanced ($39.99 monthly per user): 15 monthly hours of call recording, call groups, and voicemail transcription
Vonage Features
- Video meetings: Host 100 meeting participants in HIPAA-compliant Vonage Meetings, access in-meeting collaboration features like speaker view, waiting rooms, meeting lock, participant chat, and whiteboarding
- International business numbers: Choose international phone numbers in dozens of countries
- Phone dashboard: Administrators and supervisors can monitor the real-time activity status of all account phone lines
Vonage Pros
- Easy-to-use desktop app
- Video meetings include a well-rounded variety of collaboration features
- App includes all the important call controls
Vonage Cons
- Some basic features, like call queues, are only available as an add-on
- Lacks analytics
- More expensive than most alternatives
Dialpad
Dialpad offers a small-business UCaaS platform with VoIP services, SMS, team chat, and 10-participant video meetings. The phone system includes several advanced features like real-time call transcription, AI-based live support, and analytics, plus regular features like IVR, call queues, and ring groups. Dialpad’s products are HIPAA compliant with SOC 2 Type 2 security certification, automatic failover protection, and proactive call logs and monitoring.
Dialpad Pricing
Dialpad offers three unified communications plans:
- Standard ($15 monthly per user): VoIP calling, SMS, team chat, 10-participant video conferencing, integrations with Google Workspace and Microsoft 365, AI call transcriptions and agent support, real-time analytics, multi-level IVR, custom call routing
- Pro ($25 monthly per user): Adds local numbers in over 70 countries, 25 ring groups, CRM integrations, global texting, open APIs
- Enterprise (Custom pricing): 100% uptime, adds unlimited ring groups and support for unlimited office locations, single sign-on integrations for high-level security
Dialpad Features
- AI Tools: Dialpad uses artificial intelligence for several dynamic real-time tools. Live call transcription provides running captions for agents, and AI suggestions offer canned responses and feedback to guide agent interactions. Video meetings have live transcription and automated post-call summaries.
- Video conferencing: While Dialpad AI video meetings only support 10 users, they include many collaboration tools–custom layouts and backgrounds, hold music, custom meeting room URLs, chat, recording, drawing, and timers
- Analytics: Real-time and historical metrics for all call center activity–including call center KPIs like agent performance, call volume, and customer satisfaction
Dialpad Pros
- Affordable plans
- One-of-a-kind AI tools
- User-friendly interface
Dialpad Cons
- 10-participant capacity on video meetings
- Advanced features can be overwhelming for new users
Make Sure Your Business VoIP System is HIPAA Compliant
HIPAA compliance is essential for any business that interacts with healthcare data.
The federal government has prioritized protecting patients at all costs, imposing stiff penalties for those that fail to follow the law. While the VoIP industry has largely adjusted to HIPAA needs, it’s important to make sure that your VoIP provider and business practices support HIPAA compliance regulations.