
The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.

VoIP and HIPAA Applicability, Compliance, and Best Practices

CAMFT Staff Attorney Luke Martin, MBA, JD, reviews best practices and HIPAA implications for therapists who decide to use a third-party Voice over Internet Protocol (VoIP) service for client interactions.


Luke Martin, MBA, JD
Staff Attorney
The Therapist
July/August 2021


With the recent uptick in practices using electronic resources, therapists are switching to alternative phone lines and Voice Over Internet Protocol (VoIP) services such as Sideline and Google Voice to communicate with their clients. Because of privacy concerns and boundary issues pertaining to disclosing personal contact information, it is understandable that therapists are looking for alternative ways to communicate with their clients while maintaining a healthy work-life separation. The addition of this tool to the therapist’s proverbial toolbox may invoke HIPAA privacy and security regulations that must be addressed before implementation.

What Is VoIP and How Is It Different Than Cellular?
According to the Federal Communications Commission, “Voice over Internet Protocol (VoIP) is a technology that allows you to make voice calls using a broadband Internet connection instead of a regular (or analog) phone line.”1 Some VoIP services only enable you to communicate with someone using the same service, while others allow you to call anyone with a telephone number, whether local, long-distance, mobile, or international.2

The best way to look at this is through the evolution of cellular technology. When cell phones first came out, their single function was making phone calls. Then they could send text messages and download applications such as Candy Crush.

So if you are making a regular phone call on a standard non-smart device, you are likely using cellular service only and not VoIP. Classic cellular phone service uses your plan minutes and generally does not take advantage of Wi-Fi.

Voice over Internet Protocol bypasses the telephone company entirely. If you are using a non-native application that has been downloaded to the device (i.e., the application was not preloaded on the phone), it is likely that this app uses VoIP. VoIP on a cell phone uses your cellular data plan or Wi-Fi (when connected).

Why Does VoIP Need to Be HIPAA Compliant?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets the standard for privacy and confidentiality of sensitive patient data. VoIP must follow HIPAA rules because several features of VoIP transmit, store, or record electronic personal health information about a specific client. This data is commonly known as e-PHI.

VoIP offers unique features that are not traditionally associated with standard phone lines. These include:

  1. Voicemail. Patients’ voicemail messages are protected electronic health information that is stored in a VoIP phone system.
  2. Voicemail transcription. When voicemails are recorded some VoIP services automatically convert them to text format, capturing clients’ information in a text version.
  3. Fax to email. Traditional faxing does not create electronic data because it uses traditional phone lines. However, any e-PHI sent via fax to email is considered stored e-PHI.
  4. Call recording. Traditional phones do not have the capability of recording the conversation unless an additional resource is used. Some VoIP services do have the capability of recording phone conversations with patients, and these recordings are considered e-PHI.
  5. Chat features. Text communications exchanged between parties that contain information regarding a patient need to be protected.

This list is not exhaustive, as new features come out with new technology. Additionally, a VoIP service may not use any of these features that transmit, store, or record e-PHI, so the clinician will have to review the individual product to see if HIPAA is triggered.

Does This Apply to Me as a Therapist?
HIPAA, by definition, applies to “covered entities.” A covered entity is a “health plan, a health care clearinghouse, [or] a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.”3

HIPAA defines a transaction as a “transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:

  1. health care claims or equivalent encounter information;
  2. health care payment and remittance advice;
  3. coordination of benefits;
  4. health care claim status;
  5. enrollment and disenrollment in a health plan;
  6. eligibility for a health plan;
  7. health plan premium payments;
  8. referral certification and authorization;
  9. first report of injury;
  10. health claims attachments; [or]
  11. other transactions that the Secretary may prescribe by regulation.”4

A simplified way of determining whether you are a covered entity and must comply with HIPAA laws is to ask yourself three questions:

  1. Am I a health care provider?
  2. Do I transmit health information electronically?
  3. Is the information related to one or more of the administrative and financial transactions listed above?

If the answer to all three questions is “yes,” you must comply with HIPAA. For further clarification on this issue, please be sure to review the CAMFT article “Are You a Covered Entity?”

Therapists should keep in mind that even if they are not a covered entity, the Board of Behavioral Sciences (BBS) requires them to use industry best practices for record-keeping of e-PHI. Every provider of health care who creates, maintains, preserves, or stores medical information shall do so in a manner that preserves the confidentiality of the information contained therein.5 Therefore, it is recommended that a California therapist who uses a VoIP application consider selecting a HIPAA-compliant one.

Applying the HIPAA Security Rule to VoIP
The federal government issued guidance clarifying that traditional analog phone calls are not subject to HIPAA security rules because there is no transmission of electronic media or e-PHI.6 However, VoIP services do more than just phone calls, and these additional features may contain e-PHI. If e-PHI is created, the data and device are subject to HIPAA security rules and must be secured.

The Security Rule “requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  3. Protect against reasonably anticipated, impermissible uses or disclosures; and
  4. Ensure compliance by their workforce.”7

When a “covered entity is deciding which security measures to use, the rule does not dictate those measures but requires the covered entity to consider:

  1. Its size, complexity, and capabilities;
  2. Technical, hardware, and software infrastructure;
  3. The costs of security measures; and
  4. The likelihood and the possible impact of potential risks to e-PHI.”8

Covered entities must review and modify their security measures to continue protecting e-PHI in a changing environment.9 The addition of a VoIP service would require the therapist and the therapist’s organization to modify and adapt their security measures to include devices (such as cell phones) that potentially have e-PHI data secured on them. This would require the organization to modify its administrative, technical, and physical safeguards to protect electronically created, accessed, processed, or stored e-PHI when at rest and in transit.

For further information on what should be considered when modifying administrative, technical, and physical safeguards, please be sure to review the CAMFT article “Administrative Compliance Worksheet.”

Another consideration for the covered-entity therapist or organization is that the data stored on the device is most likely accessible not only to the device holder but to the third-party company (such as Google and Sideline), as well. Because the third-party company may have access to the e-PHI, the therapist must secure a Business Associate Agreement (BAA) with their VoIP provider.

For further information on what should be included in a Business Associate Agreement, please be sure to review the CAMFT article “Neither You Nor Your Business Associates Can Afford to Be Lax About Complying with HIPAA Requirements.”

A business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain activities on behalf of a covered entity involving the use or disclosure of individually identifiable health information. When a covered entity uses a non-workforce member to perform “business associate” services, HIPAA requires that the covered entity include certain protections for the information in a BAA. The covered entity must impose written safeguards on the individually identifiable health information that is used or disclosed by its business associates.10

For further information on what should be included and how to comply with the security standards, please be sure to review the CAMFT article “How to Comply with Security Standards.”

Applying the HIPAA Privacy Rule to VoIP
The HIPAA Privacy Rule governs how e-PHI can be used and disclosed. For instance, your client may leave a voicemail that includes details about a condition or personally identifying data, and because this was through a VoIP service this information may be stored as e-PHI. The problem is that these conversations invariably cover information that is protected under the HIPAA Privacy Rule.

A covered entity may not use or disclose protected health information except: “(1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.”11 A covered entity “must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.”12 In simpler terms, the e-PHI generated by the VoIP service must be kept private and confidential unless the data is appropriate to share per the Privacy Rule or an individual authorizes the disclosure of that information in writing. For therapists who are not covered entities, there is still a requirement to ensure the confidentiality of the information transmitted and stored by a VoIP service.

For further information on what should be included and how to comply with the Privacy Rule, please be sure to review the CAMFT article “How to Comply with the Privacy Rule.”

Why Is This Important?
Failure to comply with HIPAA’s Security and Privacy Rules may result in a fine for the covered entity practitioner. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for administering and enforcing these standards and may conduct complaint investigations and compliance reviews. The OCR may impose a penalty on a covered entity for a failure to comply with the rules. Penalties will vary significantly depending on factors such as the date of the violation, whether the covered entity knew or should have known of the failure to comply, and whether the covered entity’s failure to comply was because of willful neglect.

What Are the Best Practices When Using a VoIP Service?
Each therapist and organization will have to review their situation to come up with their own best practices. The National Institute of Standards and Technology has argued that the best way to mitigate the risks, threats, and vulnerabilities related to a VoIP service is to come up with a game plan that addresses the three types of information security risk: confidentiality, integrity, and availability.13 The following suggestions may help you craft best practices for your organization.

Confidentiality
The first security risk that a HIPAA-covered entity should attempt to mitigate is to confidentiality: the entity must take steps to keep the e-PHI stored in the VoIP application confidential. The simplest recommendation is to limit who has access to the VoIP device. Other recommendations include requiring a specific “company device” to be used, changing default passwords, limiting the hardware on which the VoIP application may be used (such as an iPad), and disabling remote access features that may make the device more susceptible to third parties. These safeguards will help maintain the confidentiality of the stored e-PHI.

Integrity
The second security risk that a HIPAA-covered entity should attempt to mitigate is to integrity: the entity must take steps to maintain the integrity of the e-PHI stored in the VoIP application. A good way to make sure e-PHI remains unchanged is to verify that each VoIP phone line is authenticated with a unique user ID. This allows only authorized users to access patients’ e-PHI. For example, a therapist does not need to provide administrative staff with access to a patient’s protected health information via the VoIP line if it is not necessary for their level of work.

Availability
The final security risk that a HIPAA-covered entity should attempt to mitigate is to availability: the entity must take steps to maintain the availability of the stored e-PHI for the legally required timeframe. It is important when using a third-party system that you maintain constant access to the stored e-PHI. Unless the data is transferred to a different storage device, such as a flash drive or an external hard drive, access to the third-party system needs to be constant.

The law states that adult patient records must be kept for seven years after the date of separation. For minors or individuals under the age of 18, the obligation is that you keep the records for seven years after the minor’s 18th birthday or until the child has reached the age of 25.14 Discontinuation of an application or a forgotten password takes on a whole new context when dealing with e-PHI and VoIP systems.

What HIPAA-Compliant VoIP Services Are There to Use?
With the growing demand for electronic phone systems, there are more providers than ever that claim to offer HIPAA-compliant VoIP platforms. CAMFT does not endorse one product over another. The following is a partial list of Internet technology providers that claim to offer HIPAA-compliant platforms with Business Associate Agreements for secondary line services:

1. Velantro, with prices ranging from $19.99/month per user: https://www.velantro.com

2. RingRx, with prices ranging from $15.00/month per user: https://ringrx.com

3. Phone.com, with prices ranging from $12.99/month: https://www.phone.com/pricing/

4. Mitel, quote needed: https://www.mitel.com/voip/micloud-connect

5. Nextiva, quote needed: https://www.nextiva.com

6. Google Voice, quote needed: https://voice.google.com/

7. Sideline’s services are not designed to be HIPAA compliant.15

Conclusion
Before selecting alternative phone lines or Voice Over Internet Protocol (VoIP) services, therapists should keep in mind the potential pitfalls. Understanding the specific VoIP platform’s features and using best practices will ensure that you are complying with HIPAA’s security and privacy rules.


Luke Martin, MBA, JD, is a staff attorney at CAMFT. Luke is available to answer member calls regarding legal, ethical, and licensure issues.


Endnotes

1 https://www.fcc.gov/general/voice-over-internet-protocol-voip
2 Id.
3 45 C.F.R. § 160.103
4 Id.
5 California Civil Code § 56.101(a)
6 “The Security Rule does not apply to PHI transmitted orally.” Summary of the HIPAA Security Rule. Retrieved from: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html; see also 45 C.F.R. § 1640.103
7 45 C.F.R. § 164.306(a)
8 45 C.F.R. § 164.306(b)(2)
9 45 C.F.R. § 164.306(e)
10 45 C.F.R. §§ 164.502(e), 164.504(e)
11 45 C.F.R. § 164.502(a)
12 45 C.F.R. § 164.508
13 Kuhn, D.R., Walsh, T.J., and Fries, S. (2005). Security Considerations for Voice over IP Systems: Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-58.
14 California Health and Safety Code § 123145; California Business and Professions Code § 4980.49
15 https://support.sideline.com/hc/en-us/articles/360004687791-Is-Sideline-HIPAA-Compliant-
