HIPAA (the Health Insurance Portability and Accountability Act of 1996) is perhaps the most important piece of data legislation for companies in the health insurance space. Businesses covered by HIPAA are required to take certain precautions when holding or transmitting a user’s health-related data in physical or electronic form. You’ve probably heard about HIPAA before, whether at your job, at a hospital, or from your insurance provider.
Who has coverage?
One common misconception is that HIPAA covers only a very limited part of the healthcare industry. While the original scope of HIPAA was relatively limited, over time it has significantly broadened. It’s not just health insurance providers that must be compliant, but also other healthcare-related businesses, and even the personnel departments of companies that provide health coverage.
The scope even includes subcontractors and other businesses that handle protected health information for their clients or partners. This means many companies and organizations, such as schools, that don’t have direct involvement with healthcare could find themselves bound by the data processing requirements of the act.
HIPAA-compliant VoIP systems
Data doesn’t just mean names, addresses, and medical records in a database. It also means handwritten records and even recorded phone calls. So, if you’re running any type of health-related service, such as a dentist’s office, a health insurance contact center, or a campus healthcare facility, you’ll need to make sure that all of your communications are HIPAA compliant.
This leads to an obvious question: is VoIP HIPAA compliant? You might assume that it is, if all you’re doing is taking calls, but HIPAA’s rules make it clear that if you’re saving data, it needs to be handled in a specific way.
Since many VoIP systems are part of a unified communications service, data processors must think carefully about how each element in the system interacts with the others. Here are a few tips for making your system compliant:
- Use multi-factor authentication wherever possible to prevent unauthorized access to privileged accounts
- Log not just the call data itself, but also call metadata and any administrative actions performed during calls
- Ensure that data is stored in a secure environment if backups are outsourced
Exceptions to HIPAA communications
There are some limited exceptions to the HIPAA rules: paper-to-paper faxes and pure voice-only communications. If a VoIP system is used exclusively for real-time voice communications, it could be considered exempt from HIPAA. However, call recordings, voicemails, video, and text messages are often part of a VoIP service, in which case it cannot be classed as exempt.