Without a Signed BAA, You Don’t Have HIPAA Compliant VoIP


Disclosure: Our content is reader-supported, which means we earn commissions from links on Digital. Commissions do not affect our editorial evaluations or opinions.

If your business or job involves handling patient information, you are likely subject to Health Insurance Portability and Accountability Act (HIPAA) regulations. Since 1996, HIPAA has protected individually identifiable health information, such as a person's medical history, diagnoses, and billing records, from unauthorized use and disclosure. As recordkeeping and communication have moved onto technology platforms, HIPAA regulations continue to allow an efficient flow of patient information while holding that information to strict privacy and security standards. 

In recent years, Voice over Internet Protocol (VoIP) systems have offered professionals in medical and health-related fields a simple, streamlined solution to a variety of complex communication challenges. VoIP providers such as Nextiva and RingCentral enable cost-effective phone-like calling features for medical staff and vendors around the globe, in addition to supporting remote telehealth services. 

Most VoIP systems today offer features such as call recording, voicemail, messaging, and video calling that make it easier than ever to stay connected. However, any VoIP feature that is used to collect, store, or transmit Protected Health Information (PHI) puts you and your business at risk of a HIPAA violation if the vendor is not bound by the same rules you are. To protect you from costly legal repercussions and your patients from data breaches, any vendor that handles PHI on your behalf must sign a Business Associate Agreement (BAA) that obligates it to HIPAA's privacy and security requirements. 

Business Associate Agreements for HIPAA-Compliant VoIP

The Department of Health and Human Services (DHHS) requires a covered entity to have a BAA in place with every business associate that creates, receives, maintains, or transmits PHI on its behalf, and a VoIP vendor that stores voicemail, call recordings, transcripts, or messages for you is such a business associate. (A carrier that only transmits PHI and never stores it may fall under the narrow "conduit" exception, but the recording, voicemail, and messaging features of modern VoIP platforms generally place the vendor outside that exception.) According to the DHHS, the contract must include specific terms that require the vendor to: 

  • Establish how and when it may lawfully use or disclose the PHI it handles for you
  • Take necessary steps, including the safeguards of the HIPAA Security Rule, to prevent unauthorized access to PHI, whether electronic or otherwise
  • Report to you any use or disclosure not permitted by the contract, including security incidents and breaches of unsecured PHI
  • Make PHI available so you can satisfy a patient's rights to access, amend, and receive an accounting of disclosures of their records
  • Make its internal practices, books, and records relating to PHI available to the DHHS on request 
  • Return or destroy all PHI related to your business when the BAA ends, where feasible, and extend the contract's protections to any PHI it must retain 
  • Hold all subcontractors that handle the PHI to the same terms 
  • Allow you to terminate the contract if any BAA terms are violated 

When a violation is investigated, the DHHS considers whether your business knew, or with reasonable diligence should have known, about the underlying risk or non-compliance. A signed BAA is a required part of that diligence: it documents that you obligated the vendor to protect PHI. If a VoIP provider's mistake causes a PHI breach and you never signed a BAA, you can be held responsible for the breach yourself, in addition to the violation of having disclosed PHI to a vendor without one. 

Depending on the specific violation and your degree of culpability, the DHHS Office for Civil Rights can impose civil money penalties under a tiered schedule whose inflation-adjusted annual cap per type of violation exceeds $1.9 million. Criminal penalties, including imprisonment, are separate and are pursued by the Department of Justice for knowing misuse of PHI. You may also face lawsuits from patients affected by the breach. 

To help simplify the process of establishing a BAA with vendors and other entities, the DHHS provides a sample contract you can use as a guideline. 

What Else is Required for HIPAA Compliant VoIP?

As technology has evolved, the DHHS has extended HIPAA's protections through the HITECH Act (2009) and the 2013 Omnibus Rule to cover all forms of PHI, including electronic records and genetic information, and to make business associates directly liable for compliance. The same rules added the Breach Notification Rule, which requires covered entities, business associates, and their vendors to notify affected individuals (and the DHHS) of breaches of unsecured PHI, along with the tiered penalty schedule described above.

In light of these changes, every HIPAA-compliant VoIP vendor should follow current best practices in addition to signing a BAA. When evaluating how a vendor prevents PHI breaches, the controls to look for include:

  • Encryption of PHI in transit and at rest: TLS for call signaling, SRTP for the voice and video media, and encryption of stored recordings, voicemail, and transcripts, so that intercepted or stolen data cannot be readily deciphered. Ask the vendor specifically what is encrypted and where; few hosted VoIP platforms offer true end-to-end encryption, and encryption is also what keeps a lost device or stolen export from becoming a reportable breach of unsecured PHI. 
  • Restricted access with role-based permissions and multi-factor authentication, so that only trained, authorized personnel can reach recordings, voicemail, and messages, and so that accounts can be removed promptly when staff leave
  • Audit logs of who accessed, played back, downloaded, or deleted which recording or message, and when, exportable to you; the HIPAA Security Rule's audit-control requirement exists so you can demonstrate the confidentiality and integrity of electronic PHI after the fact
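The audit logs in the last bullet are only useful if you actually review them. The following is an added example, not code from the article or from any VoIP vendor, of the kind of review a practice can run over a vendor's exported access log: it rebuilds "who touched which recording" per recording and flags access by roles that should not have it, access by an account after it was offboarded, and deletions by anyone other than the compliance role. The JSON-lines log format, the field names, the role names, and the log entries themselves are constructed assumptions for the example; adapt them to whatever your provider exports.

```python
"""Review a VoIP vendor's call-recording access log (added example).

The log format, field names, roles, and sample entries below are
constructed assumptions for illustration; real vendor exports differ.
"""
import json
from datetime import datetime, timezone

# Roles permitted to play back or download recordings (assumption).
AUTHORIZED_ROLES = {"clinician", "compliance_officer"}

# Role that alone may delete recordings (assumption).
DELETE_ROLE = "compliance_officer"

# Accounts that were offboarded, with the time access should have ended.
DEPROVISIONED = {
    "jdoe": datetime(2024, 3, 1, tzinfo=timezone.utc),
}

# Constructed sample export: one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2024-03-02T09:15:00Z", "user": "asmith", "role": "clinician", "action": "playback", "recording_id": "rec-1001"}
{"ts": "2024-03-02T09:40:00Z", "user": "bjones", "role": "billing", "action": "download", "recording_id": "rec-1001"}
{"ts": "2024-03-03T22:05:00Z", "user": "jdoe", "role": "clinician", "action": "playback", "recording_id": "rec-1002"}
{"ts": "2024-03-03T10:00:00Z", "user": "cmoore", "role": "compliance_officer", "action": "download", "recording_id": "rec-1003"}
{"ts": "2024-03-03T10:01:00Z", "user": "asmith", "role": "clinician", "action": "delete", "recording_id": "rec-1003"}
"""


def parse_events(text):
    """Parse JSON-lines log text into event dicts with timezone-aware timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Python's fromisoformat accepts "+00:00"; normalise the trailing "Z".
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def find_findings(events):
    """Return (recording_id, user, reason) tuples for every policy violation."""
    findings = []
    for ev in events:
        if ev["role"] not in AUTHORIZED_ROLES:
            findings.append((ev["recording_id"], ev["user"], "role_not_authorized"))
        cutoff = DEPROVISIONED.get(ev["user"])
        if cutoff is not None and ev["ts"] >= cutoff:
            findings.append((ev["recording_id"], ev["user"], "access_after_deprovisioning"))
        if ev["action"] == "delete" and ev["role"] != DELETE_ROLE:
            findings.append((ev["recording_id"], ev["user"], "delete_by_unauthorized_role"))
    return findings


def access_report(events):
    """Per recording, the ordered list of (timestamp, user, action) touches.

    This is the question an auditor or breach investigation asks first:
    who accessed this PHI, and when.
    """
    report = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        report.setdefault(ev["recording_id"], []).append(
            (ev["ts"].isoformat(), ev["user"], ev["action"])
        )
    return report


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for rec_id, touches in access_report(evs).items():
        print(rec_id)
        for ts, user, action in touches:
            print(f"  {ts}  {user:<8} {action}")
    print("\nFindings:")
    for rec_id, user, reason in find_findings(evs):
        print(f"  {rec_id}: {user} -> {reason}")
```

Run as a script, the report lists every touch on each recording, and the findings section surfaces the three violations planted in the sample log. In practice the cutoff table would come from your HR or identity system rather than a literal in the script, and the review should run on a schedule, because a finding you discover only after a complaint is exactly the "should have known" situation the DHHS penalizes.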

A vendor that implements all of the above, and signs a BAA, covers its share of the obligation for video, call recording, and telehealth services. It does not cover yours: HIPAA compliance is shared, and you remain responsible for your own risk analysis, workforce training, account provisioning and removal, and the policies governing how staff use the platform. As telehealth becomes routine, also make use of the platform's automatic logout and session termination after a period of inactivity, which the HIPAA Security Rule lists as an addressable safeguard and which protects a clinician's unattended workstation or phone.

HIPAA Compliant VoIP Providers

HIPAA compliance matters to a large share of today's VoIP customers, so several providers take the necessary steps to meet the requirements and will sign a BAA. Note that the DHHS does not certify products, so a "HIPAA compliant" label is a vendor's claim; what you can verify is a signed BAA and the controls described above. Check out our list of the top VoIP service providers, as many of them offer a full suite of compliant business communication services.
