HIPAA Compliance FAQs

All of your Phone.com HIPAA compliance questions are answered here.


Phone.com is responsible for:

  • HIPAA - Health Insurance Portability and Accountability Act of 1996.
  • HITECH - Health Information Technology for Economic and Clinical Health Act of 2009.

What does this mean?  
Phone.com is involved in the electronic exchange of health information.


What does that look like?  
There are two forms of data in this context: data at rest and data in motion.

  • Data At Rest: protected via encryption on a server, with an audit trail
    • This includes faxes, voicemails (VMs), SMS messages, and call recordings
    • Because VMs and faxes are protected by Phone.com, it would go against the rules of HIPAA to attach them to an email, which is why this setting is disabled by default
    • If you wish to attach VMs and faxes to an email service, you are assuming the risk of a data breach at that point in time. We highly suggest the use of a HIPAA-compatible encrypted email service such as Hushmail (not affiliated with Phone.com)
  • Data In Motion: as suggested involves voice that is in transit (
    • We are not responsible for what is communicated over an audio conversation

Big Picture: Who is responsible for HIPAA oversight?  
The Health and Human Services (HHS) Office of Civil Rights is responsible for HIPAA oversight (privacy and security).


Who is responsible for HIPAA compliance?  

  • There is no such thing as a HIPAA certification authority; you are simply compliant or not. The Office of Civil Rights only responds to breaches, and it can issue fines that go up to millions of dollars.

What’s the Process and How Long Does it Take?  
We sign a Business Associate Agreement (BAA) stating that Phone.com follows the rules. Anything that happens outside of Phone.com is the responsibility of the covered entity.

  • Phone.com’s internal BAA process should be complete within one to two business days.

How do I request a BAA?
Contact our support team via phone or email and we can submit your BAA request.


Is Phone.com HIPAA certified?  
Phone.com is not HIPAA certified because nobody can be certified; we are simply HIPAA compliant.


Special Grey Area Involving HIPAA:

SMS is a grey area because once data has been sent via SMS, there is no way to know who may be reading said information/responses. 

  • Phone.com can set up an auto-responder, using the language the customer wants. For example, we can set up an auto-reply stating (but not limited to) the following, “We do not accept SMS at this number”.


How VoIP Creates Electronic Protected Health Information (ePHI)
  • Call Logs and Recordings
  • Contact Lists
  • Text Messages
  • Video Meetings and Recordings
  • Voicemail Messages and Transcriptions
  • Fax to Email
  • Mobile Apps

How HIPAA Compliant VoIP Providers Protect ePHI

Authentication – Only authorized users should have access to ePHI so that confidential patient data is kept safe.

Encryption – All patient data needs to be encrypted during transmission or sharing. This may be done with the help of high-level encryption technologies including triple DES encryption and Transport Layer Security (TLS).

Business Associate Agreement (BAA) – A HIPAA compliant VoIP phone system should be able to offer a business associate agreement (BAA) to clients in the healthcare industry.

Secure Transmission & Storage – It is important for VoIP phone systems to maintain the security of ePHI through voice recording encryption, TLS, SIP security measures, secure elastic SIP trunking, and so on.

How You Can Help Protect VoIP Created ePHI

Training – All employees should have annual training on how the phone system creates ePHI and how they can keep it secure.

Annual Audits – The organization should undergo an annual HIPAA compliance audit.

Physical Security – Access to work areas with phones should be limited to authorized individuals.

Offboarding – When employees leave the organization, access to VoIP systems, including mobile applications, should be removed immediately.