What if I told you that you could get a completely separate second phone line for your business, that doesn’t require a second phone, and that costs ZERO dollars?
Sounds too good to be true? It isn’t. But it also is.
Google Voice is a free service from Google where they give you a phone number at absolutely no cost. You use it from an app on your smartphone, so you don’t need extra equipment. It’s a business line for practically no cost in any sense of the word.
Too bad it isn’t HIPAA-secure. *cue the sad trombone*
(Psst! You can still use Google Voice — or any of the other low-cost “VoIP” services I’m going to mention in this article — to get that second phone line for your business. You need to think flexibly and exercise those creative risk management muscles. I’ll let you think about the solution while you read the article. My solution is at the end.)
How is Google Voice Different From My Usual Phone Service?
Google Voice is an Internet phone service, which is more technically called “Voice over IP,” or “VoIP” phone service. VoIP is an alternative to “classic” phone service, which has a wide variety of names.
VoIP is not the same as “cellular.” Whether your phone is cellular or landline makes very little difference here.
(Aside: many years ago, cellular phones were vulnerable to easy eavesdropping. That is no longer true for nearly every cellular phone on the market. So no worries there!)
VoIP on a cell phone would use your cellular data plan or WiFi (when connected), while classic cellular phone service would use your minutes and cannot take advantage of WiFi. VoIP on your cell phone would also use its own special app. It would probably have a fancy name, too.
A landline that uses VoIP would use a different kind of cable from the classic phone landline. Also, a VoIP landline would plug into your Internet connection. Usually that means it would plug into a router somewhere in the office or home.
A classic phone landline would use the kind of phone cord you remember from your childhood, and it would use the kind of old-school phone jacks that were in our homes even before cable TV became popular.
If you have DSL Internet service, then your Internet connection’s wall plugs and the classic phone jacks may be the same thing.
VoIP services are Internet apps. Imagine doing a Skype call without the video and you’re imagining a VoIP call.
Classic phone services often take advantage of the Internet infrastructure to ferry your calls over long distances, but they are not Internet services.
How Does VoIP Phone Service Become HIPAA-Secure (or Not?)
This is where it gets wacky. Unfortunately, we don’t have space in this article to discuss HIPAA’s relationship to classic phone service, since that relationship is filled with twists and turns that don’t always make sense. We do discuss it in Level I of our Digital Confidentiality course series, however.
I can say that HIPAA Business Associate concerns are much more present with VoIP phone services than with classic phone services, regardless of the company that provides them. So this article focuses on just the VoIP concerns.
VoIP phone services are viewed by HIPAA authorities as electronic transmissions. That means that they fall under the HIPAA Security Rule without exception. As such, we are required by HIPAA to:
- Include our VoIP services in the risk analysis that we perform for HIPAA compliance.
- Execute a Business Associate Agreement with the VoIP service provider (not sure what that is? See our article, What is a HIPAA Business Associate Agreement?)
Including a product in our risk analysis is relatively easy. Security risk management, in general, is a flexible and sensible process (not sure what I’m talking about? See our article on why risk management is empowering for you and for clients.)
The rigid piece is the requirement for a Business Associate Agreement (BAA.) That is not a flexible point for HIPAA. If the company won’t do it, then it’s a HIPAA no-go.
So here’s where we get to the main point. The following VoIP service providers won’t execute BAAs with customers, even if the customer is a HIPAA covered entity. The product names are struck through to emphasize that these products are HIPAA no-gos.
Google Voice Grasshopper Line2 Sideline
And many, many more that I won’t bother to list. If you aren’t sure whether the VoIP service of your choice will do a BAA, contact the company to ask.
For those who are working on guessing how Google Voice can still be made usable: Google will execute BAAs for their Google Apps for Work service. That BAA excludes Google Voice, however. So that’s not the solution. Keep trying, though! (Curious? You can read more in our article about HIPAA and Google Apps for Work.)
There are, indeed, VoIP service providers out there who will happily execute BAAs with health care professionals. Providing VoIP service that meets the standards for HIPAA Business Associates is an expensive thing to do, however, so such services are not as cheap as the ones on the crossed-out list above.
HIPAA-secure VoIP services may still be less expensive than classic phone service, however. So it may still be worth your time to research them if you’re looking for an alternative to classic phone services, or if you need advanced phone services like voicemail transcription and the like.
So What’s The Solution? How Can I Use a Cheap VoIP Service and Be HIPAA Compliant?
I am happy to say that I learned this solution from a student. I was lecturing for my old grad school internship site on private practice tech issues for the interns.
They were excited about Google Voice, because its low cost (free) makes it a great option for fledgling businesses.
I had to inform them of the HIPAA Business Associate issue there, and saw the usual sunken expressions. Then one of the students asked, “Wait, what if I use my phone’s default phone service — the classic service that my phone company provides — for my practice? Then I can set up a Google Voice number for my personal needs and give that number to my friends and family?”