- HIPAA regulates the protection and storage of patients' private information.
- There are requirements associated with the types of phones that healthcare professionals can use.
- It is possible to turn a mobile device into a HIPAA-compliant phone source, but it has its limitations.
The Health Insurance Portability and Accountability Act (HIPAA) sets standards to protect confidential and sensitive patient data, like medical and billing records. HIPAA rules regulate the daily activities of many healthcare and related companies, including the tools they can use such as business phone systems.
HIPAA compliance is required for healthcare providers like hospitals, clinics and individual practitioners, but your small business may also fall under HIPAA. If your company is a private-sector vendor or third-party administrator that accesses, collects or transmits protected health information over the phone, you're required to adhere to HIPAA's guidelines.
Phone system requirements
Physical and network security measures, as described in HIPAA guidelines, require that business phone systems process patient health information safely over telephone lines.
Among other rules, HIPAA standards require:
- Access control
- Audit controls
- Person or office authentication
- Transmission security
- Workstation security
- Device and media controls
- Security management process
If you use VoIP, understand that anything transmitted across the web-based platforms is not guaranteed to be secure and carries a higher risk of violating the recommended guidelines. As such, tools like Skype are generally not recommended. Instead, opt for other secure landline telephone systems that offer audit trails and backup capabilities, breach notifications, and encrypted transmission of voice communications.
Using your phone system properly
First, it's important to note that your phone must be in a secure location that prevents unauthorized access. You must also assure that any voicemail where sensitive information could be stored has access restrictions, ensuring a secure password and a policy around retention of the voice message.
You should also have a plan or policy around recording voice conversations. Installing such a recording system ensures sufficient accountability in terms of tracking and accessing information. These systems can store audio files electronically to be accessed in the future by the proper personnel.
The consequences
So what happens if you find your phone system, or how you use it, is not compliant? An act supplemental to HIPAA was passed in 2009 to address this: the Health Information Technology for Economic and Clinical Health Act (HITECH). The HITECH Act was formed in response to health technology development, and the increase in the use, storage and transmittal of health information electronically.
There are four categories of violations that coincide with increasing levels of liability. Each level has a corresponding penalty that culminates in a maximum penalty of $1.5 million for all violations.
The Secretary of the Department of Health and Human Services (HHS) reviews all reported violations, and determines the amount of the penalty based on the nature and extent of the violation and the potential harm caused to patients by the violation.
There is no "one-size-fits-all" penalty for each violation. In most cases, you can right the wrong when notified of your noncompliance; your business won't incur a penalty immediately, but you have 30 days to fix the circumstances.
HIPAA phone service FAQs
Is Google Voice HIPAA compliant?
According to ComplianceHome, Google Voice is not HIPAA compliant. It should not be used by healthcare groups or workers.
How do I make my cell phone HIPAA compliant?
If you want to make your cell phone HIPAA compliant, there are some steps you have to take. You want to have a mobile encryption service on your phone. You should be aware that even with an encryption service, cell devices are not as secure as other equipment. You should make sure your passwords are long and difficult to break. A four-digit password is not strong enough to prevent a hacker from breaking into your phone. A better password has 10 characters with letters and numbers, as well as special characters. You should also set it up so that after 10 attempts to enter your password, your data is cleared. You also want to ensure your phone is up to date with all software updates, because older versions of software have older encryption technology.
What types of jobs need HIPAA-compliant phone systems?
HIPAA requires that the medical information for patients be kept private. As a result, those who work in the medical and healthcare profession must use a compliant phone system. If you share information that is personal to your patients or clients, use a compliant phone system to ensure the information is protected.