top of page

HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) became United States law on August 21, 1996. Its main purpose is to improve the portability of health insurance coverage by ensuring employees

Medical form with stethoscope

retain health insurance coverage when between jobs.  Its secondary focus is to protect Americans' electronic medical information from being improperly stored, copied or stolen.   For those not familiar with the basics of HIPAA and how it affects healthcare businesses, keep in mind any entity or individual who transmits and/or stores electronic Personal Health Information (ePHI) via: Email, Voice Conversations, Recordings, Faxes, Transcriptions or other methods must do so on a HIPAA compliant system to ensure that the data is safe and secure.  If not, these businesses or people are instantly in violation of HIPAA regulations and subject to civil and criminal fines, imprisonment or both.  While these penalties have been around for years, the enforcement side has always been very lax until now.  Examples of healthcare businesses requiring HIPAA compliance are Doctors, Psychologists, Dentists, Chiropractors, Nursing Homes, Pharmacies, Insurance Companies, Labs, Mental Health Facilities, Hospitals, etc.


Under HIPAA, VoIP providers like PrimeVOX are categorized as Business Associates if any of their customers transmit or store ePHI on their phone system.  As Business Associates, VoIP providers are forced to share liability with their healthcare customers and must adhere to the following:

  • Specific Safety Protocols

  • Audit Controls

  • Person or Office Authentication

  • Transmission Security / Encryption

  • Workstation Security

  • Device and Media Controls

  • Security Management Process

All Business Associates need to sign a Business Associate Agreement (BAA) with covered entities to ensure the Business Associate is aware of their need to become or remain compliant with all HIPAA requirements as it relates to protecting the ePHI. Please note very few VoIP providers are willing to sign a BAA or take the necessary steps to ensure ePHI protection. Therefore, it is essential for businesses who work with ePHI to choose a VoIP provider that meets or exceeds HIPAA requirements and is willing to sign a BAA.


Please Note: PrimeVOX is always happy to sign a BAA with any of our healthcare customers.


The Health and Human Services Office of Civil Rights (responsible for HIPAA enforcement) does not have a department for verifying/certifying an organization’s HIPAA compliance.  Reliance comes down to two options: self-governance or very expensive 3rd party verification.  With self-governance, it is the word of the business saying it is HIPAA compliant.  There is not an expert to verify or confirm this.  Customers must simply take their word for it.  With 3rd party verification, there is the peace of mind in knowing a company who specializes in HIPAA compliancy has looked at the business’s inner workings, vetted them and deemed them to be fully HIPAA compliant. 


PrimeVOX is 3rd party HIPAA compliant as verified by the Compliancy Group, the largest 3rd party HIPAA   compliance verifier in the United States. 


Click to
Learn More

Commonly asked questions:

Is SMS / MMS texting HIPAA compliant?
It is if it is through an encrypted softphone applications or VoIP portal of a HIPAA compliant phone company.  If texting on a cell phone, it must have a mobile encryption service installed in addition to having a password of 10 characters or greater with letters, numbers and a special character.  It must also be set so that after 10 attempts to enter your password, your data is cleared.

How much are HIPAA fines?
There is no one-size-fits-all fine; however, it does max out at $1.5 million for each violation.

What if I am a healthcare business and my phones are not HIPAA compliant? 
If your organization is currently violating HIPAA laws, your first step is to take immediate action and correct the violation. PrimeVOX can help by having your new phone system up and running in just a few days, and in emergency situations within hours, preventing you from any continued liability. 

Can I get out of a contract with a phone company that is not HIPAA compliant?
Once the non-HIPAA compliant phone company has been made awaren that they are handling ePHI, it will most likely NOT want to continue to accept the risk, possible fines and jail time that go along with being a non-HIPAA compliant Business Associate.  Such non-conforming companies should easily and quickly let a healthcare business out of any remaining contract term.

How many VoIP companies are HIPAA compliant?
This is a difficult number to pin down since no one officially tracks this number, but we can use some solid estimates. Out of the 30 random VoIP websites we researched, only 5 listed they were HIPAA compliant or 16.67%.  Currently in the United States there are 1,275 VoIP companies, so that makes for around 216 VoIP companies in the United States that are HIPAA compliant.

After becoming educated with HIPAA law, it is easy to see just how important it is to make sure any healthcare business that handles ePHI has chosen a 3rd party verified HIPAA compliant phone company.  If you are not currently teamed up with PrimeVOX Communications call us and we can help avoid some very heavy fines and criminal activities.
Hospital Staff



Get up-to-date information on how HIPAA governs your transmission and storage of electronic Personal Health Information (ePHI)

bottom of page