
Does my practice’s phone system need to be HIPAA compliant?

TLDR: Your VoIP provider may be considered a business associate and the security rule applies to ePHI over your VoIP system.


During a mock audit, it often comes as a surprise to practice managers when I bring up the compliance of their phone system. Their first question is always “Why would the phone system need to be compliant?” It needs to be compliant for two reasons. The first is that modern digital phone systems transmit PHI in electronic form, meaning they are in scope for the security rule provisions. The second is that voicemails are highly likely to contain PHI, so the system is also storing PHI in digital form, and the security rule applies again. Most voicemails are stored at the phone service provider’s datacenter, which requires a business associate agreement to be in place with the service provider and requires the practice to verify that the service provider is implementing appropriate controls.


Let’s remember what, exactly, we’re responsible for protecting. We’re responsible for protecting any identifiable health information (in any form - written, verbal, or electronic) pertaining to the diagnosis, treatment, or payment for a past, present, or future patient.


The privacy and breach notification rules apply to PHI in any form, while the security rule specifically applies to electronic PHI.


Back when we used analog phones and faxes, there was less worry about ePHI being secured while transmitted because interception would require a literal, physical, analog tap on the line. Broadly, service providers are considered to have relatively good physical security at locations housing branch exchanges for the public switched telephone network (PSTN). Furthermore, HIPAA specifically does not require a business associate agreement for services that act purely as a conduit for the transmission of PHI (such as the postal service, UPS, or analog phone service providers) because they don’t “store or maintain” the data, but merely move it from one location to another.


Modern voice-over-IP (VoIP) phone systems come in two main flavors: hosted PBX and on-prem PBX. Hosted PBX is the more common modern arrangement: there is no “phone server” on premise at the practice; instead, the phones connect to the provider’s servers over the internet. With an on-prem PBX, an older technology, there is a phone server (a Mitel server, for example) on premise at the practice. That server handles call routing, voicemail, etc.


With VoIP phone systems, the verbal PHI is converted to a digital packet of data on the phone itself before being sent over the network, meaning the security rule begins to apply at that device (the phone). If there is an on-premise server, that server is also in scope for the security rule. With hosted PBX systems, voicemails are stored with the service provider (on a server in their datacenter). The security rule applies there as well, and the provider becomes a business associate. That, in turn, requires a business associate agreement and requires the practice to obtain “satisfactory assurances” from the business associate that they are implementing appropriate controls and are in compliance.


If your practice needs help with HIPAA compliance, LaramieCompliance.com offers training, resources, and consulting to help small and medium practices like yours!
