What HIPAA actually says about phones
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996, well before hosted VoIP was a category. The rule that matters for a phone system is the HIPAA Security Rule (45 CFR Part 164, Subpart C), and the way it treats phones depends on a single distinction: does the carrier store, process, or access Protected Health Information?
A traditional copper-wire phone company is a "conduit" — it carries the signal but never stores the content. The Office for Civil Rights (OCR) has historically said conduits don't need a Business Associate Agreement (BAA). The catch: nearly every modern VoIP service is not a conduit. It stores voicemail, generates call detail records, often records calls, and sometimes transcribes voicemail to email. The moment any of that PHI lives on the vendor's servers, the conduit exception is gone and you need a BAA.
This is the part most medical office managers don't realize until an auditor asks. If your phone system handles PHI in any form — even just a voicemail from a patient saying "I'm calling to schedule my mammogram" — your VoIP provider is a Business Associate under HIPAA, and you need a signed BAA on file.
The three technical safeguards your VoIP must meet
The Security Rule breaks safeguards into administrative, physical, and technical categories. For a VoIP buyer, the three technical safeguards you can actually evaluate in an RFP are:
1. Encryption in transit (signaling and media)
Calls travel as two streams: signaling (which numbers, who's on hold, who hung up) and media (the actual audio). Signaling should run over TLS 1.2 or 1.3 using SIP-TLS on port 5061. Media should be wrapped in SRTP (Secure RTP) with SDES or DTLS keying. If either stream travels in cleartext, anyone with packet capture on the network path — including a hotel Wi-Fi sniffer — can reconstruct the call audio.
Surprisingly few "HIPAA compliant" providers enforce SRTP on every device by default. Ask the vendor specifically: "Is SRTP required, or just supported?" Required means non-encrypted endpoints get rejected. Supported means a misconfigured deskphone can silently fall back to RTP and you'd never know.
2. Encryption at rest (voicemail, recordings, CDR)
Anything stored on the vendor's servers — voicemail audio files, call recordings, transcripts, call detail records that include callback numbers — must be encrypted at rest, ideally with AES-256. This is table-stakes for any modern cloud platform; if a vendor can't confirm it, walk away. Bonus question: "Are encryption keys rotated, and are admin-portal logins tied to MFA?"
3. Access controls and audit logging
HIPAA requires "audit controls" — the ability to record and examine activity in information systems that contain PHI. For a VoIP system this means: who logged into the admin portal, who pulled call recordings, who listened to a voicemail, when. The vendor should give you a tamper-resistant audit log with at least 6 years of retention (the HIPAA documentation retention requirement). Most don't, by default. Ask.
The Business Associate Agreement — what to look for
A BAA is the contract that makes your VoIP vendor legally accountable for PHI handling. Without one, your practice is solely liable if their breach exposes patient data. With one, liability shifts (in part) to them, and you have a defensible position with OCR.
Boilerplate BAAs are common; useful ones are rare. Things to look for:
- Breach notification timeline. HIPAA requires notification "without unreasonable delay" and no later than 60 days from discovery. A good BAA commits the vendor to notify you within 5–10 business days so you have time to meet your own 60-day clock.
- Definition of PHI handled. The BAA should explicitly enumerate what categories the vendor touches: voicemail, recordings, transcripts, call metadata, fax-to-email. Vague BAAs are worthless during an audit.
- Subcontractor flow-down. If the vendor uses Twilio for SMS or AWS for hosting, those subcontractors are also Business Associates. The BAA should commit the vendor to flow down equivalent terms to each subcontractor and disclose them on request.
- Data return or destruction on termination. When you cancel service, what happens to existing voicemails and recordings? The BAA should require return or certified destruction within a defined window.
- Indemnification. Pay attention to whether the vendor indemnifies you for their breach — many cap liability at the prior 12 months of fees, which is useless if a breach triggers a six-figure OCR fine.
If the vendor refuses to negotiate any of the above, or only offers a BAA on enterprise plans, that tells you everything about how they view smaller practices.
12 questions to ask any VoIP vendor before signing
Copy-paste this into an email to your shortlist. The answers you get back (and how long they take) tell you more than any sales call.
- Will you sign a BAA on the plan I am evaluating, with no upcharge?
- Is SIP-TLS required (not just supported) for every endpoint on my account?
- Is SRTP required (not just supported) for media on every call?
- What encryption is applied to voicemail audio and call recordings at rest?
- How is voicemail-to-email delivered? Is it encrypted in transit beyond standard SMTP?
- Do you retain audit logs of admin-portal access and per-recording playback? For how long?
- Can I export and delete voicemail and recordings on demand?
- Where are my voicemails physically stored, and is that location HIPAA-eligible?
- Who are your subcontractors that touch PHI (hosting, SMS, voicemail transcription)?
- What is your breach notification timeline to me, in writing?
- If I cancel, will all my PHI be returned or destroyed within 30 days?
- Has any past incident triggered an OCR investigation tied to your platform?
Don't accept "yes we're HIPAA compliant" as an answer to any of these. The vendor's answer should be specific and reference a section of their security documentation.
Voicemail, recordings & transcripts — the easy-to-miss leak
About 80% of the HIPAA exposure in a small medical office's phone system is in three places nobody thinks about until it's too late:
Voicemail-to-email
If a patient's voicemail is auto-emailed to scheduling@yourpractice.com hosted on standard Gmail without a BAA, that's a violation the moment the message contains PHI. The fix is either: (a) keep voicemail inside the VoIP portal and don't auto-email, (b) use a HIPAA-covered email provider with its own BAA (Google Workspace BAA-tier, Microsoft 365 with HIPAA Addendum, or a HIPAA-specific provider like Paubox), or (c) use a vendor that delivers voicemail over an encrypted, BAA-covered portal link rather than email attachment.
Call recording
Recording outbound or inbound calls is fine — millions of practices do it — but the recordings must be stored encrypted, with access logged, and disposed of on a schedule defined in your retention policy. The other half of the legal picture is call recording consent laws, which vary by state. Florida, California, and ten other "two-party consent" states require you to announce that the call is being recorded before any PHI is discussed.
Voicemail transcription
Auto-transcription is convenient but worth scrutinizing. Who transcribes? If it's an automated speech-to-text service from a third-party (Google Speech-to-Text, Amazon Transcribe, OpenAI Whisper, etc.), that vendor is now in the chain of custody for PHI. They need their own BAA with your VoIP provider, and the flow-down language in your master BAA needs to cover them.
Staff workflow gotchas
The most common HIPAA findings in small medical practices aren't technology problems — they're workflow problems. Your VoIP can be perfectly compliant and your staff can still create violations:
- Speakerphone in a shared room. Front desk on speakerphone discussing a patient appointment with anyone in the waiting room hearing is the textbook minimum-necessary violation.
- Voicemail forwarding to personal cell phones. A receptionist forwarding the practice's voicemail box to her personal cell so she can "check it from home" puts PHI on a device that isn't under your control or BAA.
- Call recordings shared by email. "Hey can you listen to this complaint call?" with the .wav file attached to a regular email is the same violation as voicemail-to-email above.
- Shared admin passwords. If three people use the same login to the VoIP portal, you have no audit trail. Each user needs their own account, MFA enabled, and least-privilege role.
None of these require a different VoIP product — they require a documented phone policy your staff actually reads and signs annually. Most HIPAA training programs include phone hygiene as a 15-minute module.
What happens if there's a breach
HIPAA breach response runs on tight clocks. From the moment your VoIP vendor notifies you of an incident affecting PHI, you have 60 days to notify each affected patient and, if 500+ records are involved, OCR and prominent local media. If your BAA gives the vendor 60 days to notify you, you have zero days left when you finally find out. This is why "vendor notifies within 10 business days" matters so much in the BAA negotiation.
OCR fines from 2024–2026 range from $50,000 for negligence to $1.9M for willful neglect. The mitigating factors that reduce a fine are nearly all process-related: did you have a Security Risk Analysis on file, did you have a signed BAA with the vendor, did you have a workforce training program, did you respond promptly. A well-documented VoIP procurement file (vendor BAA, risk analysis, training records) is the single best insurance you can buy.
FAQ
Is VoIP HIPAA compliant by default?
No. HIPAA does not "certify" phone systems. A VoIP service becomes HIPAA-compatible when the vendor (1) signs a BAA with your practice, (2) encrypts call media and signaling in transit, (3) protects voicemail and call recordings at rest, and (4) provides the audit logging required by the Security Rule's technical safeguards.
Do I need a BAA for my phone system?
If your phone system stores, transmits, or has access to PHI — including voicemail transcripts, recorded calls, and patient callback numbers logged in call detail records — then yes, your VoIP vendor is a Business Associate under HIPAA and must sign a BAA. The conduit exception is narrow and doesn't cover most modern hosted VoIP.
Does voicemail-to-email violate HIPAA?
It depends on how it's delivered. Unencrypted SMTP to a personal Gmail or Yahoo is almost certainly a violation when the message contains PHI. Delivery to a HIPAA-covered email provider (Google Workspace with BAA, Microsoft 365 with BAA, Paubox) over TLS can be compliant. The safest pattern is to keep voicemail inside the VoIP portal and only send a non-PHI notification email.
Can a $19/month VoIP service actually be HIPAA compliant?
Yes. Encryption and a BAA aren't expensive features to implement — they're policy choices. The real cost driver is whether the vendor signs a BAA at the entry tier or forces you to upgrade. Always ask in writing before subscribing: "Will you sign a BAA on my current plan?" If the answer is no, the price doesn't matter.
What about texting patients from a VoIP system?
SMS in the US travels through the carrier network in cleartext and is logged at multiple points. If you text PHI to a patient — even an appointment reminder with their name and procedure — it's a HIPAA gray zone. The OCR's official position is that patients can request communication via SMS knowing the risk, but you should document that consent and never initiate a PHI text without it.
Related reading on voip.army
- VoIP for medical offices — built around patient calls
- VoIP for dental practices — built for your operatory
- Full feature list — what's included in every plan
- Pricing and FAQ
Disclaimer: This guide is general education, not legal advice. Speak to a qualified HIPAA attorney about your practice's specific risk profile and compliance obligations.