What if I told you that you could get a completely separate second phone line for your business, that doesn’t require a second phone, and that costs ZERO dollars?

Sounds too good to be true? It isn’t. But it also is.

Google Voice is a free service from Google where they give you a phone number at absolutely no cost. You use it from an app on your smartphone, so you don’t need extra equipment. It’s a business line for practically no cost in any sense of the word.

Too bad it isn’t HIPAA-secure. *cue the sad trombone*

(Psst! You can still use Google Voice — or any of the other low-cost “VoIP” services I’m going to mention in this article — to get that second phone line for your business. You need to think flexibly and exercise those creative risk management muscles. I’ll let you think about the solution while you read the article. My solution is at the end.)

How is Google Voice Different From My Usual Phone Service?

“Hey, look! It’s the series of tubes again!”
“I think that’s called ‘The Internet.’”

Google Voice is an Internet phone service, which is more technically called “Voice over IP,” or “VoIP” phone service. VoIP is an alternative to “classic” phone service, which has a wide variety of names.

VoIP is not the same as “cellular.” Whether your phone is cellular or landline makes very little difference here.

(Aside: many years ago, cellular phones were vulnerable to easy eavesdropping. That is no longer true for nearly every cellular phone on the market. So no worries there!)

VoIP on a cell phone would use your cellular data plan or WiFi (when connected), while classic cellular phone service would use your minutes and cannot take advantage of WiFi. VoIP on your cell phone would also use its own special app. It would probably have a fancy name, too.

A landline that uses VoIP would use a different kind of cable from the classic phone landline. Also, a VoIP landline would plug into your Internet connection. Usually that means it would plug into a router somewhere in the office or home.

A classic phone landline would use the kind of phone cord you remember from your childhood, and it would use the kind of old-school phone jacks that were in our homes even before cable TV became popular.

If you have DSL Internet service, then your Internet connection’s wall plugs and the classic phone jacks may be the same thing.

VoIP services are Internet apps. Imagine doing a Skype call without the video and you’re imagining a VoIP call.

Classic phone services often take advantage of the Internet infrastructure to ferry your calls over long distances, but they are not Internet services.

How Does VoIP Phone Service Become HIPAA-Secure (or Not?)

This is where it gets wacky. Unfortunately, we don’t have space in this article to discuss HIPAA’s relationship to classic phone service, since that relationship is filled with twists and turns that don’t always make sense. We do discuss it in Level I of our Digital Confidentiality course series, however.

I can say that HIPAA Business Associate concerns are much more present with VoIP phone services than with classic phone services, regardless of the company that provides them. So this article focuses on just the VoIP concerns.

VoIP phone services are viewed by HIPAA authorities as electronic transmissions. That means that they fall under the HIPAA Security Rule without exception. As such, we are required by HIPAA to:

  • Include our VoIP services in the risk analysis that we perform for HIPAA compliance.
  • Execute a Business Associate Agreement with the VoIP service provider (not sure what that is? See our article, What is a HIPAA Business Associate Agreement?)

Including a product in our risk analysis is relatively easy. Security risk management, in general, is a flexible and sensible process (not sure what I’m talking about? See our article on why risk management is empowering for you and for clients.)

The rigid piece is the requirement for a Business Associate Agreement (BAA). That is not a flexible point for HIPAA. If the company won’t do it, then it’s a HIPAA no-go.

So here’s where we get to the main point. The following VoIP service providers won’t execute BAAs with customers, even if the customer is a HIPAA covered entity. The product names are struck through to emphasize that these products are HIPAA no-gos.

  • Google Voice
  • Grasshopper
  • Line2
  • Sideline

And many, many more that I won’t bother to list. If you aren’t sure whether the VoIP service of your choice will do a BAA, contact the company to ask.

For those who are working on guessing how Google Voice can still be made usable: Google will execute BAAs for their Google Apps for Work service. That BAA excludes Google Voice, however. So that’s not the solution. Keep trying, though! (Curious? You can read more in our article about HIPAA and Google Apps for Work.)

There are, indeed, VoIP service providers out there who will happily execute BAAs with health care professionals. Providing VoIP service that meets the standards for HIPAA Business Associates is an expensive thing to do, however, so such services are not as cheap as the ones on the crossed-out list above.

HIPAA-secure VoIP services may still be less expensive than classic phone service, however. So it may still be worth your time to research them if you’re looking for an alternative to classic phone services, or if you need advanced phone services like voicemail transcription and the like.

Click here for our continuously-updated list of HIPAA-friendly phone services for mental health professionals

So What’s The Solution? How Can I Use a Cheap VoIP Service and Be HIPAA Compliant?

A security risk management expert at work

I am happy to say that I learned this solution from a student. I was lecturing for my old grad school internship site on private practice tech issues for the interns.

They were excited about Google Voice, because its low cost (free) makes it a great option for fledgling businesses.

I had to inform them of the HIPAA Business Associate issue there, and saw the usual sunken expressions. Then one of the students asked, “Wait, what if I use my phone’s default phone service — the classic service that my phone company provides — for my practice? Then I can set up a Google Voice number for my personal needs and give that number to my friends and family?”

Genius!