VOIP Services and HIPAA: Here is what you need to know about compliance

man in office on a phone call
(Image credit: Shutterstock)

HIPAA is the landmark legislation that dates back to 1996. It provides for security and privacy safeguards for protected health information (PHI) which includes data such as a patient’s name, date of birth, address, medications, and medical diagnoses. It is designed to create efficiencies for medical care, with higher quality of care, and more efficient transfer of information. It protects patient’s information now that most medical records are online. 

Save up to 25% off plans

iPlum offers HIPAA compliant secure communications which includes HIPAA compliant calling, HIPAA compliant text messaging, and HIPAA secure voicemail. Save up to 25% off plans

In order to facilitate this, HIPAA provides for specific methods that are approved for communication, such as directly talking to a patient, mail, the telephone and fax machine. It also indicates that some other methods of communication are not secure for transmitting sensitive patient data, such as email, text messaging, and instant messaging

However, HIPAA became law in the last century, and as time has marched on, things have become less clear. For example, video conferencing, with some platforms considered secure, while others not secure, and therefore not to be used for communication between providers and patients.

Phone calls and healthcare 

While folks use their smartphones for many things these days such as texts, IM’s and internet surfing, phone calls have become less common. However, phone calls remain the most common method of communication for healthcare other than direct, face to face communication.

Further muddying the waters are that the method that phone calls send data has progressed over time as well. At the time that HIPAA became law, phone calls were sent over copper telephone wires, based on century old technology, which was considered secure. However, in 1995, the voice over internet protocol (VoIP) was invented. This remains a revolutionary method to transmit human voice data using digital voice packets through an internet connection. 

VoIP ushered in nothing short of an analog to digital transition in phone calls that was more of a revolution than a transition. With this shift in technology, it enabled multiple other moves forward, such as significantly more affordable long distance calling, free calls over WiFi, and improvements in voice quality for calls. Over time, digital communication has coalesced into multiplatform communication solutions that combine digital phone calls, instant messaging, video calls into a single interface.

With such progress and changes in digital communication, and with HIPAA dating back to the mid-90’s, additional clarification was needed. This came in 2009 with a companion piece of legislation, the Health Information Technology for Economic and Clinical Health Act (HITECH), which extends the protections for patient privacy to eliminate unauthorized access.

Given this legislation, and considering the hefty penalties for not being HIPAA compliant with phone communication, it is critically important to choose the right phone provider. After all, to this day, phone calls remain a predominant method of communication to your healthcare provider.

Respecting the law

Any VoIP service needs to bear in mind two important rules to respect this legislation. The first is the Privacy Rule, also called the Standards for Privacy of Individually Identifiable Health Information. This rule tries to set the balance between keeping PHI safeguarded, while allowing healthcare providers to have access to this information to facilitate care. 

The second rule is the Security Rule, which also is known as the Security Standards for the Protection of Electronic Protected Health Information. This rule endeavors to protect health information that is held in electronic form. This rule gets into the nuts and bolts of what types of electronic information is generated in the course of healthcare, and how to keep it safe. It starts when a patient gives the healthcare provider the phone number, this is considered consent to communicate via phone.

Some specifics 

So when considering if a VoIP is HIPAA compliant, there are some specifics to be aware of. This includes if the calls are recorded, who has access to the recording, and is it secure. The same also applies to voice mails, and also in situations where the voice mails get turned into text data via voicemail transcription. Finally, Caller ID gives a record that links the healthcare provider and the patient.

While not strictly VoIP, there are also issues with associated services from phone calls. This includes SMS, which is not HIPAA compliant, and also faxes. As traditional faxes don’t create a permanent electronic record they are HIPAA compliant, but faxing to email has an electronic footprint and is not HIPAA compliant.

Even if you wanted, there is really no way to go back to plain old telephone service (POTS) that is fully HIPAA compliant given that communication has gone digital. Rather, VoIP can be used, but a service that is compliant with HIPAA needs to be chosen, as not all are. How can you tell? You need to choose a VoIP that provides a Business Associate Agreement that details the compliance.

This compliance needs to be detailed to include a number of elements. It should include that all business elements are HIPAA compliant, but all the partners providing the service. It also covers authentication which means that each phone has a unique user ID. Finally, it needs to incorporate encryption, such as Transport Layer Security (TLS), and virtual private networking (VPN) among other security technologies to keep the communication, and the record of the communication secure.

These rules have now created a confusing landscape, with challenges to determine if the service is HIPAA compliant or not. For example the free plan for Google Voice is not a compliant plan, while the paid version of Google Voice is HIPAA compliant so details matter. Why the free tier of Google Voice is not compliant is because there is no way to sign a Business Associate Agreement. However, the paid tier can fulfill this requirement.


Phone communication remains a frequently used method to communicate with patients in healthcare. It is important to understand what makes a VoIP service HIPAA compliant so an appropriate solution can be chosen. 

We've featured the best VoIP providers.

Jonas P. DeMuro

Jonas P. DeMuro is a freelance reviewer covering wireless networking hardware.