Among the many challenges of running a medical or dental practice is coping with the important yet complex law called the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA.
HIPAA applies to many aspects of running a healthcare office, including phone systems and related communications features such as faxes, texts, and videoconferences.
Here’s a guide to some of the HIPAA considerations when looking for business phones or unified communications service.
What is HIPAA?
HIPAA is a federal law addressing the confidentiality, security and accessibility of patient medical records, known under the law as Protected Health Information or PHI.
The law is enforced by the U.S. Department of Health and Human Services (HHS) through its Office of Civil Rights (OCR).
HHS offers in-depth information on its website, including a section on HIPAA for healthcare professionals at https://www.hhs.gov/hipaa/for-professionals/index.html.
Why is HIPAA compliance important?
Few people would disagree with the spirit of HIPAA – keeping patients’ medical information confidential and secure, as well as giving them rights to access that information – even if the letter of the law can sometimes be complicated.
On a more practical level, there can be significant reputational and financial consequences for HIPAA violations.
How does HIPAA apply to business phone systems and unified communications?
Internet-based phone and unified communications systems can contain Protected Health Information in many ways, such as a voicemail from a patient describing a medical problem, a copy of a virtual fax to an insurance company detailing a treatment plan, text messages between a dentist and a patient discussing an upcoming root canal, or a call recording between a doctor and a patient discussing test results.
Healthcare practitioners must either make sure they don’t create such data or make sure such data is protected.
Note that phone and video calls are not subject to HIPAA requirements providing no information is recorded or saved.
Are there HIPAA-certified phone systems?
No. This is a common misunderstanding. The Department of Health and Human Services does not offer any certification program to confirm that a third-party offering – such as phone service – meets all HIPAA requirements. Nor does any other government agency.
There are private firms that audit healthcare service providers and award their own home-grown HIPAA compliance logos – typically for a fee. But these awards are in no way legally binding.
What policies can help with HIPAA compliance for business phone systems?
HIPAA compliance depends just as much on how a system is used as the protections built into the system itself.
Consider a traditional fax machine used to send billing information to an insurance company. If the sheets of paper remain in the machine after transmission, and that fax machine is in area where multiple employees or even patients have access, there is a potential HIPAA violation.
On the flip side, there’s less risk in using phones, faxes or videoconferencing systems if no PHI is involved.
For example, there may be fewer HIPAA concerns with recording a videoconference on continuing medical education, as long as no individual patients are discussed, or receiving an unencrypted voice mail message from a patient who is only requesting a change in an appointment time.
In short, anyone in a medical or dental practice who discusses PHI with patients or handles PHI needs to be trained on that practice’s policies for HIPAA compliance.
How can Ooma Office be configured for HIPAA compliance?
There are multiple options for using Ooma Office in a manner consistent with HIPAA, both in how the system is configured and how individuals use it.
Ooma Office does not encrypt stored data, so healthcare practitioners need to decide whether to turn off features involving data storage or to put policies in place to make sure these features are not used in connection with PHI.
Here are Ooma Office features that involve data:
Voicemail. Practitioners’ voicemail greeting should instruct patients not to leave confidential information in their messages and instead ask them to simply request a return call if they have a medical issue to discuss.
Ooma Office also provides voicemail notification by email, either as an audio file attachment (for all levels of service – Ooma Office Essentials, Ooma Office Pro and Ooma Office Pro Plus) or as an audio file attachment accompanied by an automatically generated transcription (Office Pro and Pro Plus). These notifications should not be used if you expect patients to leave PHI in voicemail, because email is generally not encrypted and therefore isn’t considered secure.
Ooma Office admins can disable voicemail notifications by following these steps:
• Log in to the Ooma Office portal as an administrator and navigate to the Settings page.
• Locate the user whose email notification preferences will be updated and click the corresponding line.
• Under the Voicemail tab, un-check the checkbox to disable voicemail notifications.
• Click Save.
Voicemail transcriptions can be disabled by following these steps:
• Log in to the Ooma Office portal as an administrator and navigate to the Settings page.
• Locate the user whose email notification preferences will be updated and click the corresponding line.
• Click the Voicemail tab, un-check the checkbox to disable voicemail transcriptions.
• Click Save.
Virtual Fax. Virtual faxes sent from Ooma Office are not encrypted, so they shouldn’t be used for communications involving PHI. Traditional analog fax machines, because they don’t store any data, can be used in a HIPAA-compliant manner with Ooma Office. Analog fax machines can be connected to an Ethernet network using an Ooma Office Base Station or the Grandstream HT812 and HT814 Analog Telephone Adapters.
Text Messaging. Text messaging is turned off by default for all Ooma Office accounts. If texting has been turned on, account administrators can contact Ooma customer support to have it disabled. Alternatively, text messages that don’t involve PHI, such as confirming appointments or responding to questions about office hours, are likely to be permissible under HIPAA.
Call Recording. Practitioners and their staff should only use Call Recording (available in Ooma Office Pro and Ooma Office Pro Plus) in contexts that don’t involve PHI or can contact Ooma support to have the feature disabled for all users.
Videoconference Recording. Practitioners and their staff should only use Videoconference Recording (available in Ooma Office Pro Plus) in contexts that don’t involve PHI.
All of the advice above is intended to help medical and dental practices take advantage of the power and flexibility of VoIP phone service and unified communications while keeping HIPAA requirements in mind. However, healthcare providers still need to make sure they have the training and tools in place to avoid HIPAA violations.
As we state in the Terms and Conditions for Ooma services, including Ooma Office:
“HIPAA: You acknowledge and agree that the use of the Services are not designed, intended, or recommended for use as a repository or means by which to store ‘protected health information’, as defined under the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, and similar legislation in other jurisdictions, and the regulations promulgated pursuant thereto (such laws and regulations, ‘HIPAA’) on a non-temporary basis, and you represent and warrant that neither the Services nor any ancillary product or service that is a part thereof will be used for such purpose. OOMA SPECIFICALLY MAKES NO REPRESENTATION, WARRANTY, OR GUARANTEE THAT YOUR SERVICES, THE ACCOUNT(S), OR THE EQUIPMENT (OR THE USE OF ANY OF THE FOREGOING BY ANY PARTY) COMPLIES OR WILL COMPLY WITH HIPAA OR ANY OTHER LAW OR WILL RENDER ANY PARTY COMPLIANT WITH HIPAA OR ANY OTHER LAW.”
Even though we can’t fully lift the HIPAA burden from your shoulders, we hope this guidance is useful. Contact your Ooma sales rep or call our customer support line if you have questions.
Robert Ferrer is responsible for all Ooma Business sales. He has over 20 years of senior sales leadership in building, growing and scaling enterprise and SMB sales teams for SaaS and UCaaS companies including Cisco/Webex, Siemens and Shoretel. Rob has built and led multiple $200 million organizations and has extensive experience building rapid growth field, inside sales teams and channel sales organizations; opening and deploying new routes to market; integrating acquisitions; and expanding into new geographic markets.
