
MGMA Health Care Consulting Group Blog

The VOIP HIPAA dilemma

By Derek Kosiorek, CPEHR, CPHIT, principal consultant

For the better part of 30 years, telephone answering systems have been a standard part of any medical practice. What started as large machines with tape drives has evolved into digital transcriptions texted directly to a device in our pockets. At some point in between, the messages themselves made a very important transition, going from analog to digital.

For the most part, that transition is a good one. Keeping information in digital form comes with many advantages. For medical practices, however, adopting Voice Over Internet Protocol (VOIP) means that voicemails are now electronic. If you leave patient information on one of these voicemails, it’s now electronic protected health information (ePHI).

A VOIP system provides two functions: the transmission of the message (a phone call) and its storage (a voicemail). While telephone calls in general continue to be covered under the HIPAA Privacy regulation, as the 2013 Omnibus notes, “Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media …” In other words, you don’t need to worry about including phone calls in your HIPAA Security risk analysis, regardless of whether or not they’re transmitted digitally.

But since the voicemails are stored on computer servers, they are just as digital as an email, PDF or Excel spreadsheet. And if they contain ePHI, they require HIPAA compliance. In fact, email is a perfect analogy since many voicemail systems send the audio files to your inbox anyway.

This realization has forced many practices to mitigate their risk by including VOIP in their security risk assessment and even requesting that VOIP vendors sign a business associate agreement (BAA).

These are good things to do, but the real question on the table may be cultural rather than technical. If your practice is in the habit of leaving ePHI on voicemails, maybe this is a good opportunity to review your office workflow. ePHI is best tracked in the patient’s EHR chart. Voicemails generally aren’t accessible from an EHR, so by definition they sit outside of the chart. Some staff may be using voicemail as information-request messages or tasking assignments. These are also better done in an EHR because tasking and work lists are integral functions of the software.

In summary, ask yourself which is the better way to reduce the risk of exposing ePHI. Is it adding technical safeguards or is it changing the way you use the system itself?
