If your medical practice uses VoIP and you have not verified HIPAA compliance, you are exposed. The average HIPAA fine for a phone system violation is $50,000-250,000. Here is the checklist your compliance officer needs.
Why VoIP Creates HIPAA Exposure
Traditional landlines are not covered by HIPAA because the phone company is a "conduit" — they do not store or process PHI. VoIP is different:
| VoIP Feature | PHI Risk | HIPAA Requirement |
|---|---|---|
| Call recording | Recordings contain patient info | Must be encrypted at rest (AES-256) |
| Voicemail | Voicemails contain patient info | Must be encrypted, access-controlled |
| Voicemail transcription | Text transcription is ePHI | Must be encrypted in transit and at rest |
| Call logs (CDR) | Show which patients called | Must be protected, minimum necessary access |
| SMS/text messaging | May contain patient info | Must be encrypted, not standard SMS |
| Video consultations | Visual + audio patient interaction | Must use encrypted platform with BAA |
The 15-Point HIPAA VoIP Checklist
Access Controls (45 CFR 164.312(a))
- [ ] Each user has unique login credentials to the VoIP admin portal
- [ ] Role-based access: only authorized staff can access call recordings
- [ ] Automatic session timeout after 15 minutes of inactivity
- [ ] Terminated employee access is revoked within 24 hours
Encryption (45 CFR 164.312(e))
- [ ] SIP signaling encrypted with TLS 1.2 or higher
- [ ] Voice media encrypted with SRTP
- [ ] Call recordings encrypted at rest with AES-256
- [ ] Voicemail files encrypted at rest
- [ ] Voicemail-to-email transcriptions sent over encrypted email (TLS)
Audit Controls (45 CFR 164.312(b))
- [ ] All access to call recordings is logged (who, when, which recording)
- [ ] Audit logs are immutable (cannot be deleted or modified)
- [ ] Audit logs retained for minimum 6 years
- [ ] Regular review of audit logs (quarterly minimum)
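The "immutable" requirement above is easiest to demonstrate (and to audit) when every log entry commits to the entry before it, so an edited, removed or reordered record breaks the chain. The following is an added example, not the page's or any vendor's code, of a hash-chained access log for recording events; the field names, the sample events and the `expected_head` anchor are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hash of the empty chain; the first entry links to this constant.
GENESIS = "0" * 64


def _entry_hash(prev_hash, payload):
    """SHA-256 over the previous entry's hash plus this entry's canonical JSON."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def append_access_event(log, user, recording_id, action, when=None):
    """Append one 'who, when, which recording' event to the in-memory log.

    Each entry stores the previous entry's hash, so the newest hash commits
    to every earlier entry. (Hypothetical field names, not a vendor schema.)
    """
    payload = {
        "seq": len(log),
        "ts": when or datetime.now(timezone.utc).isoformat(),
        "user": user,
        "recording_id": recording_id,
        "action": action,  # e.g. "play", "download", "delete"
    }
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = dict(payload, prev=prev_hash, hash=_entry_hash(prev_hash, payload))
    log.append(entry)
    return entry


def verify_chain(log, expected_head=None):
    """Return (ok, index): ok is False at the first entry whose link is broken.

    Editing a field, deleting a middle entry or reordering entries all break
    the chain. Cutting entries off the END leaves a valid shorter chain, which
    is why the latest hash (the head) must also be stored outside the log
    store and passed in as expected_head.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        payload = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if entry["prev"] != prev_hash or _entry_hash(prev_hash, payload) != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(log)  # tail truncation detected via the external anchor
    return True, -1
```

In production the head hash (or a periodic digest of it) should be written to a store the recording-system administrators cannot modify, and the quarterly review should start by running the verifier.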
Business Associate Agreement (45 CFR 164.502(e))
- [ ] BAA signed with VoIP provider before any PHI is transmitted
- [ ] BAA covers: call recordings, voicemail, CDRs, transcriptions
- [ ] BAA specifies breach notification timeline (60 days maximum)
Additional Safeguards
- [ ] Automatic call recording announcement ("This call may be recorded")
- [ ] Data retention policy documented and enforced
- [ ] Disaster recovery plan includes voice communication continuity
Common HIPAA VoIP Violations I See
| Violation | How Often | Typical Fine |
|---|---|---|
| No BAA with VoIP provider | 60% of practices | $50,000-100,000 |
| Unencrypted call recordings | 40% of practices | $100,000-250,000 |
| No access controls on recordings | 55% of practices | $50,000-150,000 |
| Sending PHI via standard SMS | 70% of practices | $50,000-100,000 |
| No audit logs for recording access | 45% of practices | $50,000-100,000 |
These are not edge cases. The majority of medical practices I audit have at least two violations.
Provider Requirements for HIPAA
Your VoIP provider MUST provide:
- Signed BAA — if they refuse to sign, they are not HIPAA-ready. Period.
- TLS + SRTP encryption — mandatory, not optional
- AES-256 encryption for recordings — at rest, not just in transit
- Role-based access controls — granular, per-recording-level access
- Immutable audit logs — tamper-proof access records
- Data residency documentation — you need to know where recordings are physically stored
- Breach notification process — documented, tested, within 60 days
VestaCall is HIPAA-ready and provides a signed BAA for healthcare clients. All recordings are AES-256 encrypted at rest, access is role-controlled with immutable audit logs, and they publish their security practices transparently.
Disclosure: I work on platform systems at DialPhone. Observations in this post are from hands-on testing and deployment work rather than vendor briefings.