Many years ago, the federal government issued guidance that clarified that traditional analog phone systems are NOT subject to the HIPAA Security rule provisions.
So, what about your VoIP phone system? Many organizations have migrated to VoIP service. VoIP (or “Voice over Internet Protocol”) is a method for taking analog audio signals and turning them into digital data that can be transmitted over the Internet instead of traditional analog phone lines. Does patient information stored and processed by these phone systems constitute electronic Protected Health Information?
By definition, electronic PHI is data which is transmitted or maintained on electronic media. Electronic media is defined as either:
- Electronic storage material, which includes, for example, computer hard drives, or
- Transmission media, which includes, for example, the internet. Note that part of this definition changed with the 2013 Omnibus Rule changes, and states “Certain transmissions, including of paper, via facsimile, and of voice, via the telephone, are not considered to be transmissions via electronic media, if the information being exchanged did not exist in electronic form immediately before the transmission”.
Note the words in red which were represent changes made to the rule in 2013. For VoiP systems that do not include voice mail (this eliminates just about all VoiP systems) there might be opportunity for debate whether the information in VoiP systems met the definition of ePHI. However, voice mails are clearly stored on computer hard drives or other electronic storage material.
What features does HIPAA look for with VoIP software that processes ePHI? The implementation specifications in the HIPAA rule that apply to software include:
- Unique User ID & authentication. Phones identify themselves with the phone number or serial number on the phone. A certificate installed on the phone is used for authentication using PKI.
- Access Controls. Certain users may have additional privileges beyond making phone calls so the system should support different classes of users.
- Audit logs. The system should record call meta data, as well as any details regarding any administrative activities performed by an authenticated user.
- Encryption. TLS and or VPNs can be employed between IP Phones and the Communications Manager Software. For data at rest, for example, voicemails, other encryption technologies can be used.
- Business Associate Agreement (for cloud providers). When cloud-based VoIP solutions are used, an essential ingredient is the HIPAA Business Associate agreement. The cloud provider has an additional set of compliance obligations including their own physical, technical and administrative controls.
It is not surprising that some cloud VoiP vendors offer interpretations of HIPAA which claim that their services and VoiP phone technology falls under the so-called “conduit exception”. The “conduit exception” excludes organizations that provide mere courier services including the U.S Postal Service, or internet service providers. For an excellent post regarding this narrow exception, see https://www.hipaajournal.com/hipaa-conduit-exception-rule/.
The takeaway – include your VoIP phone system in application inventory, assess risks during your risk assessment, conduct the appropriate security evaluation and document compliance.
For those interested in a more in-depth technical discussion of the security features provided in VoIP systems, see the following document offered by one vendor, Cisco: https://www.cisco.com/web/about/security/intelligence/IP_Phone_Security_WP.html.
