VoIP and HIPAA

Introduction:

Carrie Foote is the Associate Director, Administration for the Arizona Telemedicine Program (ATP) and the Program Administrator for the Southwest Telehealth Resource Center (SWTRC). Ms. Foote’s extensive background in healthcare operations, exemplified by her tenure as a Chief Operating Officer and a Chief Compliance Officer, gives her a comprehensive understanding of regulatory compliance, the intricacies involved in managing day-to-day healthcare functions, and the importance of seamless patient experiences. 

Issue:

Healthcare provider organizations are increasingly replacing their legacy analog telephony systems with Voice over Internet Protocol (VoIP) systems. In addition to VoIP implementation considerations, there are also privacy, security, and Health Insurance Potability and Accountability Act (HIPAA) compliance requirements when a covered entity, such as a healthcare provider or a covered entity’s business associate, utilizes a VoIP system for voice communications that include protected health information (PHI).

Narrative:

During the COVID-19 public health emergency (PHE) the United States Department of Health and Human Services Office of Civil Rights (OCR) relaxed its enforcement of HIPAA security requirements for healthcare providers’ use of telehealth to reduce barriers to healthcare. While recommending that healthcare providers utilize telehealth platforms that support HIPAA-compliant telehealth operations and that they enter into Business Associate Agreements (BAA) when contracting with third-party operators of such telehealth platforms, OCR confirmed it would not impose penaltiesfor failure to have a BAA in place or other noncompliance with HIPAA requirements as long as the healthcare provider was acting in good faith in their provision of telehealth services and not utilizing public facing video communications services such as Facebook Live, Twitch, or Tiktok.¹ 

On May 11, 2023, the PHE ended, ushering in a flood of changes that have left some feeling dizzy. On April 11, 2023, OCR announced that its enforcement discretion regarding violations of HIPAA applicable during the PHE would also be ending soon. Covered entities and business associates have until August 9, 2023, to bring their telehealth practices into compliance with the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules. Thereafter, covered entities and their business associates are subject to enforcement actions by OCR if their telehealth practices do not comply with HIPAA requirements. 

With OCR enforcement set to resume in the near future, healthcare provider organizations are reviewing their telehealth implementations and operations, and many are asking if HIPAA applies when using VoIP systems for voice communications. Yes! VoIP systems digitize analog voice communications. VoIP systems also transmit, receive, and store digitized voice communications. Digitized voice communications that include PHI are electronic PHI (ePHI) and must be secured with the safeguards prescribed by HIPAA. 

Some key steps to consider when selecting and implementing a VoIP system that will be used for PHI voice communications²:

1. Market Research: Survey the VoIP system and VoIP service provider market and select a VoIP solution that has the necessary capabilities that enable your organization to implement a HIPAA compliant deployment of the solution.  
2. Business Associate Agreement: It is imperative to establish a BAA when using a third-party VoIP service provider, emphasizing their responsibility to collaborate with you in ensuring HIPAA compliance. This agreement outlines the mutual commitment to safeguarding PHI and serves as a legal framework for maintaining a secure and compliant VoIP environment.  
3. Risk Assessment: It is essential to conduct an initial and recurring information security risk assessment for any technology implementation. This assessment identifies and documents the risks associated with the technology’s specific implementation and how these risks will be managed. HealthIT.gov offers a Security Risk Assessment Tool, available at https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool, which is one of several toolkits that can aid in this process. Ideally, the risk assessment should be carried out by a knowledgeable information security professional, such as an Information Security Officer or their designee.
4. Implementation: From the outset, it is crucial that a VoIP system administrator validates that security configurations are correct and activated to ensure compliance with HIPAA requirements. This involves implementing robust security measures and safeguards to protect sensitive ePHI. Some of these security capabilities may be native to the VoIP solution and others may be implemented within IT infrastructure that integrates with or supports the VoIP system.
5. Authentication: Robust encrypted network communications and authentication methods, including multi-factor where needed, should be used to assure that only authorized VoIP hardware, software, and people can connect to and utilize the VoIP systems and services, thus minimizing the risk of unauthorized PHI exposure.
6. Encryption of data: To enhance privacy protection, all data stored within the VoIP system, such as call recordings and chat logs, should be encrypted at rest and in transit. Encryption transforms the data using a cipher to encode it. This significantly reduces the likelihood of unauthorized access to or successful deciphering of sensitive information.
7. Staff training: Equipping your staff with the necessary knowledge and skills to utilize the VoIP system safely and compliantly is paramount. Comprehensive training ensures that employees understand the proper handling of PHI, including the appropriate use of encryption techniques and adherence to privacy best practices.
8. Documentation: In addition to creating organizational policies and procedures that govern the administration, configuration, and use of the VoIP system, VoIP systems typically offer activity reporting features (i.e., call logs) that aid in maintaining HIPAA compliance. Generating regular activity reports allows for monitoring and verification of adherence to HIPAA guidelines, providing a transparent overview of system usage and potential risks.

By diligently following these steps, you can help ensure that your organization’s use of a VoIP system aligns with HIPAA regulations, protecting the privacy and security of patients’ ePHI.

References:

1. https://www.natlawreview.com/article/end-public-health-emergency-marks-end-hipaa-enforcement-discretion-telehealth
2. https://blog.cspire.com/what-makes-a-voip-phone-system-hipaa-compliant   

Resources:

1. Guidance on BAAs, including sample BAA provisions: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.
2. Additional information about HIPAA Security Rule safeguards: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html.
3. https://getvoip.com/blog/hipaa-compliant-voip/

Acknowledgements:

I would like to thank Michael Holcomb, Dr. Elizabeth Krupinski, and Kris Erps Stewart for their valuable editorial suggestions and improvements on this blog.