
VOIP, PBX, Telcom HIPAA Compliance Guide

Article ID: 127
Last updated: 14 Sep, 2019

Next Generation Voice and HIPAA compliance

What is HIPAA?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act, a U.S. law passed in 1996 to create national standards for electronic health care transactions, among other purposes. The provisions of HIPAA apply to all “individually identifiable health information,” also known as protected health information (PHI). HIPAA Privacy and Security Rules set the U.S. national standard for protecting PHI, including patients’ medical records and other health information provided to health care providers in electronic health care transactions.

To whom does HIPAA apply?

  • Covered Entities
    • HIPAA applies to three groups: health plans, health care clearinghouses and certain health care providers (collectively referred to as the “covered entities”). Another group referred to as “business associates” falls within the scope of HIPAA.
  • Business Associates
    • HIPAA defines a “business associate” as a person or entity that provides services to, or performs certain functions or activities on behalf of, a covered entity that involve the use or disclosure of protected health information. In the omnibus final rule written by the U.S. Department of Health and Human Services (HHS) that modified the HIPAA Privacy, Security, Breach Notification and Enforcement Rules, HHS stated that "data transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates" (78 Federal Register, page 5571, 01/25/2013). This is consistent with its prior interpretation of the definition of "business associate," in which HHS stated that "entities that act as mere conduits for the transport of protected health information but do not access the information other than on a random or infrequent basis are not business associates" (78 Federal Register, page 5571).

What is a business associate agreement?

Each entity covered by HIPAA is required to have a signed agreement (also called “Business Associate Agreement”) with any person or entity considered a “business associate.” The Business Associate Agreement lists the obligations and responsibilities of both organizations pertaining to the protection and use of the protected health information.

HIPAA covered entities may be issued a non-disclosure agreement for business purposes, but such an agreement should not be considered a "Business Associate Agreement" under HIPAA regulations. In cases where Magoo & Associates maintains or accesses protected information, a "Business Associate Agreement" may be issued. In the context of VOIP or related services, this is generally not required.

What is the impact in the context of Cloud Hosted VOIP?

Anyone providing health care services that electronically transmits PHI, any health plan or health care clearinghouse, and any service provider to these entities whose services involve the use or disclosure of PHI, should follow the HIPAA rules when using cloud services. This means protecting electronic PHI and other regulated data used in business processes while it transits the cloud. Before undertaking a cloud-based solution, consult a legal advisor to understand the HIPAA rules applicable to your business, along with potential enforcement actions and liabilities.

Is Magoo & Associates a business associate under HIPAA in the context of Cloud Hosted VOIP?

No, Magoo & Associates is not a business associate within the definition of HIPAA with respect to VOIP or Next Generation Voice Services.

In the context of Cloud PBX Services, Magoo & Associates does not create, receive, maintain, access, process, or view PHI on behalf of its customers. The data transmission conducted in the course of the services does not require access to protected health information on a routine basis. Therefore, Magoo & Associates is not a business associate in the context of VOIP and Next Generation Voice Services, and customers do not need to sign a Business Associate Agreement with Magoo & Associates in the context of the Cloud PBX Services.

How can you ensure HIPAA compliance with your VOIP phone system/ PBX?

Magoo & Associates values customer security and data privacy. The Magoo & Associates Cloud VOIP/ PBX platform is hosted in North American data centers and meets the highest security standards. We deploy the best equipment that protects our network from security breaches and our service is covered by a 99.999% SLA.

As part of its business, Magoo & Associates does not store any PHI and restricts access to voicemails, voice accounts and administrative management to authorized users. It is the customer’s responsibility to keep its credentials secured. Cloud PBX customers are responsible for ensuring that the following functionalities have been disabled to maintain their HIPAA compliance:

  • Fax-to-email & email-to-fax (ATA Fax falls under entity privacy policies)
  • Voicemail-to-email
  • Voicemail transcription
  • Call recording
  • Unified Communication Connector with Microsoft Skype for Business or Microsoft Teams

A covered entity could technically be in violation of HIPAA if any caller left PHI in a voicemail that was then transmitted to an email address.
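A practical way to enforce the checklist above is to audit the PBX extension settings rather than trust that a feature was switched off. The following is an added example, not code from Magoo & Associates: the settings layout (a dict of extension to settings) and the feature key names are assumed, since the page does not describe the provider's export format.

```python
"""Audit Cloud PBX extension settings for the features this guide says must be
disabled. The settings layout and the feature key names are assumed for this
example; adapt the keys to the real export of your PBX."""
from typing import Dict, List

# Feature keys (assumed names) mapped to the labels used in the guide above.
PHI_LEAK_FEATURES = {
    "fax_to_email": "Fax-to-email",
    "email_to_fax": "Email-to-fax",
    "voicemail_to_email": "Voicemail-to-email",
    "voicemail_transcription": "Voicemail transcription",
    "call_recording": "Call recording",
    "uc_connector": "Unified Communication Connector (Skype for Business / Teams)",
}
ON_WORDS = {"yes", "on", "true", "enabled", "1"}

def is_enabled(value: object) -> bool:
    """Normalise the mixed representations an export may use (bool, int, text)."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value != 0
    return str(value).strip().lower() in ON_WORDS

def audit_extensions(extensions: Dict[str, Dict[str, object]],
                     strict: bool = False) -> List[str]:
    """Return one finding per extension/feature that would let PHI leave the PBX.

    With strict=True a feature that is absent from an extension's settings is
    also reported, because an audit should not assume 'unset' means 'disabled'."""
    findings: List[str] = []
    for ext, settings in sorted(extensions.items()):
        for key, label in PHI_LEAK_FEATURES.items():
            if key not in settings:
                if strict:
                    findings.append(f"{ext}: {label} not explicitly disabled")
            elif is_enabled(settings[key]):
                findings.append(f"{ext}: {label} enabled")
    return findings

# Constructed sample data: extensions 1001 and 1002 are non-compliant, 1003 is clean.
SAMPLE_EXTENSIONS = {
    "1001": {"voicemail_to_email": "Yes", "call_recording": False},
    "1002": {"voicemail_transcription": 1, "fax_to_email": "off"},
    "1003": {k: "off" for k in PHI_LEAK_FEATURES},
}

if __name__ == "__main__":
    for line in audit_extensions(SAMPLE_EXTENSIONS) or ["no findings"]:
        print(line)
```

Run it in strict mode against a full export before an audit: every extension that merely omits a setting is then listed, so a feature left at a default cannot slip through.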

Again, it is always the customer’s responsibility to ensure full compliance with applicable regulations. Make sure to consult your legal advisor if you have any concerns or questions regarding your compliance with HIPAA.

The above compliance guide is strictly for Cloud VOIP, PBX, and Next Generation Voice Services. Customers are encouraged to speak with their sales engineer regarding on-premises PBX or similar configurations to ensure compliance on a routine basis.
