Since 1996, HIPAA has served as a legal means of protecting sensitive patient details. With the rapid increase of tech-based recordkeeping and communication, HIPAA regulations continue to ensure easy access to patient information while maintaining personal privacy.
Many VoIP providers, including Nextiva and RingCentral, are themselves HIPAA compliant, but that’s not necessarily enough to guarantee your business has all the required elements in place.
There’s one additional critical step you must take in order to have fully HIPAA compliant VoIP — a business associate agreement that holds the vendor to the highest level of privacy and security protocols.
Sometimes also called a business associate contract, a BAA is required by the Department of Health and Human Services (DHHS) for all communication between medical professionals and their business associates — including VoIP vendors.
According to the DHHS, this contract must include terms that require the vendor to:
When HIPAA rights have been violated, the DHHS takes into account whether or not your business knew about any potential risks or non-compliance. So, having a BAA in place shows that you have taken all necessary steps to ensure vendor compliance.
If you experience a PHI breach due to a VoIP provider’s mistake and you haven’t signed a BAA, then you can be held legally responsible.
Depending on the specific violation and your degree of accountability, the DHHS Office for Civil Rights can impose fines as high as $1.9M with possible jail time. Additionally, you may face the possibility of lawsuits from any patients who were affected by the breach.
To help simplify the process of establishing a BAA with vendors and other entities, the DHHS provides a sample contract you can use as a guideline.
As technology continues to evolve, the DHHS has implemented further HIPAA protections to safeguard all types of PHI, including electronic documents and genetic information.
The department has issued stipulations requiring all entities — including business associates, vendors, and others — to notify affected parties about any security breaches, along with a tiered system for imposing penalties.
In light of these changes, every HIPAA compliant VoIP vendor should follow modern best-practice protocols in addition to signing a BAA.
When it comes to maintaining maximum security and privacy while preventing potential PHI breaches, aspects to look for include:
If your VoIP vendor has taken all of the above measures, no additional steps are required in order to ensure HIPAA compliance for video, call recording, or telehealth-related services.
However, as telehealth becomes a more frequent practice, you and your patients may want to consider additional security features such as automatic session termination or lockout after a period of inactivity.
HIPAA compliance is an asset to many of today’s VoIP customers, so most providers take the necessary steps to ensure they meet the requirements.
Nextiva and RingCentral are two of my favorites, but I encourage you to check out our full VoIP buyer’s guide for more information on all of the top vendors on the market — most of which offer HIPAA compliant VoIP solutions.