Need HIPAA Compliant VoIP? Make Sure You Have a Signed BAA


Since 1996, HIPAA has served as a legal means to protect confidential patient data. With the rapid increase in technology in record keeping and communication, HIPAA regulations continue to ensure easy access to patient information while maintaining personal privacy.

Many VoIP providers, including Nextiva and RingCentral, are HIPAA compliant, but that's not necessarily enough to ensure your business has everything it needs.

There is one additional critical step you must take to have fully HIPAA-compliant VoIP: a business associate agreement (BAA) in which the provider commits to the highest level of privacy and security protocols.


What to Include in a HIPAA-Compliant VoIP BAA

A BAA, sometimes also called a business associate contract, is required by the Department of Health and Human Services (DHHS) for all communications between medical professionals and their business associates, including VoIP providers.

According to DHHS, this contract must include terms requiring the provider to:

  • Establish how and when protected information may be legally used or disclosed.
  • Take steps to prevent unlawful access to personal health information (PHI), whether electronic or otherwise.
  • Inform you of any potential or actual security breaches.
  • Fulfill your requests for PHI on behalf of a patient or regulatory entity.
  • Comply with all requests from DHHS regarding its internal practices, accounting, and records related to HIPAA regulations.
  • Return or destroy all PHI related to your business if you terminate the BAA.
  • Require all subcontractors to comply with the terms of the BAA.
  • Allow you to terminate the contract if any of the BAA terms are violated.

When HIPAA rights are violated, DHHS takes into account whether or not your company was aware of the potential risks or breaches. Therefore, having a BAA in place demonstrates that you have taken all necessary steps to ensure vendor compliance.

If you suffer a PHI breach due to a VoIP provider's error and you have not signed a BAA, then you may be held legally liable.

Depending on the specific violation and your level of liability, the DHHS Office for Civil Rights can impose fines of up to $1.9 million and possible prison time. You may also face the possibility of lawsuits from patients affected by the violation.

To help simplify the process of establishing a BAA with vendors and other entities, DHHS provides a sample contract that you can use as a guide.

What else is required for HIPAA-compliant VoIP?

As technology continues to evolve, DHHS has implemented additional HIPAA protections to safeguard all types of PHI, including electronic documents and genetic information.

The department has issued provisions requiring all entities, including business partners, vendors and others, to notify affected parties of any security breaches, along with a tiered system for imposing penalties.

In light of these changes, all HIPAA-compliant VoIP providers must follow modern best practice protocols in addition to signing a BAA.

When it comes to maintaining maximum security and privacy while preventing potential PHI breaches, things to consider include:

  • End-to-end data encryption, which ensures that any intercepted PHI cannot be easily decrypted.
  • Restricted access and additional authentication measures, which ensure that only trained and designated personnel can view sensitive information.
  • Call logs and/or call analytics that track user activity in an effort to maintain the confidentiality, integrity and security of electronic PHI.

If your VoIP provider has taken all of the above steps, no additional steps are required to ensure HIPAA compliance for services related to video, call recording, or telehealth.

However, as telehealth becomes a more common practice, you and your patients may want to consider additional security features, such as automatic session termination or locking after a period of inactivity.

HIPAA Compliant VoIP Providers

HIPAA compliance is an asset for many of today's VoIP customers, so most providers take the necessary steps to ensure they meet the requirements.

Nextiva and RingCentral are two of my favorites, but I recommend checking out our complete VoIP buying guide for more information on all of the major providers on the market, most of which offer HIPAA-compliant VoIP solutions.
