A guide to HIPAA-compliant VoIP


COVID-19 forever changed the ways patients interact with healthcare providers. After routine office appointments became risky, physicians fast-tracked the adoption of telemedicine. Powered by video and Voice over Internet Protocol (VoIP) technologies, virtual visits are no longer the exception.

HIPAA compliance, however, is still the rule.

Having HIPAA-compliant communications means patient privacy is protected through a strict set of features and software rules. Having them in place leads to more secure communications — and happier patients.


But, because the open internet offers no confidentiality on its own, many wonder whether VoIP can be HIPAA-compliant. It can, but not every VoIP product is. HIPAA is a single law, yet its Privacy Rule and Security Rule impose many obligations, and you must make sure the VoIP software you use meets them so you avoid putting patients at risk and incurring potentially hefty fines.

What is VoIP?

Voice over Internet Protocol (VoIP) is a way to carry voice and multimedia (audio and video) sessions over IP networks such as the internet.

With a traditional phone call, your voice travels over the public telephone network to reach the practice. With VoIP, your voice is digitized and sent as packets over your existing internet or cellular data connection to the practice, and the practice's audio comes back the same way.

The everyday comparison is a regular carrier call versus a WhatsApp or Google Voice call.

Why HIPAA compliance is important for a VoIP service

Compliance with HIPAA means more than avoiding fines and following the law. Practices need technological alternatives to in-person visits and postal mail, both of which already meet HIPAA standards, so they can stay current, follow the law, and protect their patients' privacy. While print and mail used to be the main form of communication outside of traditional office visits, COVID-19 shifted practices toward digital services, particularly VoIP.

On the patient side, most patients already assume that their protected health information (PHI) is secure and that they are protected while speaking with a practitioner over the phone. To maintain that trust, and uphold their Hippocratic Oath, doctors and caregivers must ensure the VoIP service they use is HIPAA-compliant.

On the business side, violating HIPAA can lead to heavy fines. Civil penalties are tiered by culpability and range from $100 to $50,000 per violation, with annual caps from $25,000 to $1.5 million per category of violation (the figures are adjusted for inflation each year). Fines of that size can easily leave a small practice bankrupt.

How to determine if your VoIP service is HIPAA-compliant

HIPAA-compliant VoIP exists. Whether your VoIP is compliant, however, depends on a few factors. When checking the compliance of your software, read the FAQ page on the vendor's website, talk with your IT service, or ask your liaison at the software company the following questions. These guidelines follow in part the technical safeguards of the HIPAA Security Rule, which is administered by the HHS Office for Civil Rights.

  • Your data should be encrypted. Encrypt call signaling and the voice itself while in transit (on SIP-based systems that means SIP over TLS for signaling and SRTP for the audio) so nobody on the path between you and your patient can listen in, and encrypt recordings, voicemail and transcripts at rest, because those stored files are PHI too.
  • Your data should be protected. A firewall that limits the call servers to the ports and peers they actually need makes it much harder for attackers to reach them, eavesdrop on a call, or steal recordings while you and your patient are talking.
  • Your software should keep audit logs and patch itself. HIPAA's audit-control requirement means the system must record who accessed call recordings and patient data, and when. Separately, regular vulnerability scanning and automatic updates catch weaknesses early and let you and your IT team fix them before they are exploited.
  • Your software should use single-tenant equipment. Single-tenant hosting keeps your data on infrastructure that is not shared with another customer, so a compromise of a neighbouring tenant cannot expose your calls.
  • Your integrations should be compliant. Integrations (CRMs, EHR systems, analytics tools that receive call data) must follow the same rules as the core software, because PHI that flows into a non-compliant integration is still a breach.
  • You've signed a BAA (Business Associate Agreement) with the VoIP provider. Any provider that handles protected health information (PHI) on your behalf is a business associate and must sign a HIPAA Business Associate Agreement, a contract that sets its compliance obligations. Without a signed BAA the service is not compliant, no matter what features it has.
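The first item on the checklist, that the voice really is encrypted in transit, is something you can verify rather than take on faith. On a SIP-based system the media encryption is negotiated in the SDP body of the INVITE: a plaintext call uses the RTP/AVP profile, while an encrypted one uses an SRTP profile (RTP/SAVP or RTP/SAVPF) together with keying material, either an a=crypto line (SDES) or an a=fingerprint line (DTLS-SRTP). The Python below is an added example written for this guide; it is not code from the original article or from any of the vendors named on this page. The SDP offers it inspects are constructed for illustration, and the parser only checks that the secure profile and keying material are present, not that the keys or certificates are valid.

```python
"""Inspect SDP offers (as carried in SIP INVITEs) and report whether each
media stream negotiates SRTP or falls back to plaintext RTP.

Added example for this guide; the sample offers below are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Transport profiles that carry SRTP rather than plaintext RTP (RFC 3711, RFC 5764).
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


@dataclass
class MediaCheck:
    kind: str        # "audio", "video", ...
    profile: str     # transport profile from the m= line
    keying: str      # "sdes" (a=crypto), "dtls" (a=fingerprint) or "none"
    encrypted: bool  # secure profile AND keying material present


def parse_sdp_media(sdp: str) -> list[MediaCheck]:
    """Return one MediaCheck per m= section of an SDP body."""
    checks: list[MediaCheck] = []
    session_dtls = False           # a session-level a=fingerprint covers every stream
    current: dict | None = None

    def finish(section: dict) -> None:
        if section["sdes"]:
            keying = "sdes"
        elif section["dtls"] or session_dtls:
            keying = "dtls"
        else:
            keying = "none"        # secure profile without keys: call cannot be SRTP
        secure = section["profile"] in SECURE_PROFILES
        checks.append(MediaCheck(section["kind"], section["profile"], keying,
                                 secure and keying != "none"))

    for raw in sdp.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue                   # blank or malformed line
        key, value = line[0], line[2:]
        if key == "m":
            if current is not None:
                finish(current)
                current = None
            fields = value.split()     # m=<media> <port> <proto> <fmt> ...
            if len(fields) >= 3:
                current = {"kind": fields[0], "profile": fields[2],
                           "sdes": False, "dtls": False}
        elif key == "a":
            if current is None:        # session-level attribute
                if value.startswith("fingerprint:"):
                    session_dtls = True
            elif value.startswith("crypto:"):
                current["sdes"] = True
            elif value.startswith("fingerprint:"):
                current["dtls"] = True
    if current is not None:
        finish(current)
    return checks


def all_media_encrypted(sdp: str) -> bool:
    """True only if every stream in the offer negotiates SRTP with keying material."""
    checks = parse_sdp_media(sdp)
    return bool(checks) and all(c.encrypted for c in checks)


# Constructed sample offers (not captured from any real provider).
PLAINTEXT_OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
t=0 0
m=audio 49170 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
"""

SDES_OFFER = """v=0
o=- 2 2 IN IP4 192.0.2.10
s=-
t=0 0
m=audio 49172 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20|1:32
"""

DTLS_OFFER = """v=0
o=- 3 3 IN IP4 192.0.2.10
s=-
t=0 0
a=fingerprint:sha-256 0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0:0F:1E:2D:3C:4B:5A:69:78:87:96:A5:B4:C3:D2:E1:F0
m=audio 49174 UDP/TLS/RTP/SAVPF 111
a=setup:actpass
"""

# Audio is keyed, but the video stream claims RTP/SAVP with no keys at all.
MIXED_OFFER = """v=0
o=- 4 4 IN IP4 192.0.2.10
s=-
t=0 0
m=audio 49172 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20|1:32
m=video 51372 RTP/SAVP 96
a=rtpmap:96 H264/90000
"""

if __name__ == "__main__":
    for name, offer in [("plaintext", PLAINTEXT_OFFER), ("sdes", SDES_OFFER),
                        ("dtls", DTLS_OFFER), ("mixed", MIXED_OFFER)]:
        print(name, all_media_encrypted(offer), parse_sdp_media(offer))
```

A secure profile with no keying material (the video stream in the mixed offer) is reported as unencrypted on purpose: a client that sees that will either reject the stream or, worse, quietly fall back to plaintext, and either way the vendor's "encrypted" claim does not hold for that call. Note that this only covers the media; the signaling that carries the SDP must itself travel over SIP/TLS (normally port 5061), otherwise the a=crypto keys are sent in the clear.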

3 best HIPAA-compliant VoIP services

The best HIPAA-compliant VoIP services make sure to go above and beyond compliance, not just reach it.

CallRail’s Call Tracking

We are a call tracking and analytics software starting at $45 a month, with additional costs for features like white labeling. We offer offline and online call tracking, recordings, call routing, queue notifications, analytics, call scoring, integrations, custom reporting, unlimited users, and more. Track and analyze calls to measure and improve your marketing and customer service performance while remaining HIPAA-compliant.

Zoom for Healthcare

HIPAA-compliant Zoom meetings start at $200 per month for up to 10 hosts. Unlike some options, this is video and voice software, with features like in-app file sharing, chat, recording, and encryption, which makes it popular among doctor's offices.

SimplePractice Telehealth

An all-in-one option that starts at $39 or $59 per month, depending on the features you want. It merges virtual doctor's appointments with a patient portal, document storage, billing, insurance management, and more to create the entire telehealth experience.

Use HIPAA-compliant VoIP and keep data secure

HIPAA-compliant VoIP must follow the safeguards set out in the HIPAA Security Rule, enforced by the HHS Office for Civil Rights, to protect patients' information and keep practices clear of expensive HIPAA fines. The best software, however, does not just follow the rules. It goes above and beyond by protecting data in every way possible, so that your ethical standards are met and patients can rest assured their information is protected.

Ensure HIPAA compliance with CallRail’s phone tracking services. Start your free trial today – no credit card required!