What if I told you that you could get a completely separate second phone line for your business, that doesn’t require a second phone, and that costs ZERO dollars?
Sounds too good to be true? It isn’t. But it also is.
Google Voice is a free service from Google where they give you a phone number at absolutely no cost. You use it from an app on your smartphone, so you don’t need extra equipment. It’s a business line for practically no cost in any sense of the word.
Too bad it isn’t HIPAA-secure. *cue the sad trombone*
(Psst! You can still use Google Voice — or any of the other low-cost “VoIP” services I’m going to mention in this article — to get that second phone line for your business. You need to think flexibly and exercise those creative risk management muscles. I’ll let you think about the solution while you read the article. My solution is at the end.)
How is Google Voice Different From My Usual Phone Service?
Google Voice is an Internet phone service, which is more technically called “Voice over IP,” or “VoIP” phone service. VoIP is an alternative to “classic” phone service, which has a wide variety of names.
VoIP is not the same as “cellular.” Whether your phone is cellular or landline makes very little difference here.
(Aside: many years ago, cellular phones were vulnerable to easy eavesdropping. That is no longer true for nearly every cellular phone on the market. So no worries there!)
VoIP on a cell phone would use your cellular data plan or WiFi (when connected), while classic cellular phone service would use your minutes and cannot take advantage of WiFi. VoIP on your cell phone would also use its own special app. It would probably have a fancy name, too.
A landline that uses VoIP would use a different kind of cable from the classic phone landline. Also, a VoIP landline would plug into your Internet connection. Usually that means it would plug into a router somewhere in the office or home.
A classic phone landline would use the kind of phone cord you remember from your childhood, and it would use the kind of old-school phone jacks that were in our homes even before cable TV became popular.
If you have DSL Internet service, then your Internet connection’s wall plugs and the classic phone jacks may be the same thing.
VoIP services are Internet apps. Imagine doing a Skype call without the video and you’re imagining a VoIP call.
Classic phone services often take advantage of the Internet infrastructure to ferry your calls over long distances, but they are not Internet services.
How Does VoIP Phone Service Become HIPAA-Secure (or Not?)
This is where it gets wacky. Unfortunately, we don’t have space in this article to discuss HIPAA’s relationship to classic phone service, since that relationship is filled with twists and turns that don’t always make sense. We do discuss it in Level I of our Digital Confidentiality course series, however.
I can say that HIPAA Business Associate concerns are much more present with VoIP phone services than with classic phone services, regardless of the company that provides them. So this article focuses on just the VoIP concerns.
VoIP phone services are viewed by HIPAA authorities as electronic transmissions. That means that they fall under the HIPAA Security Rule without exception. As such, we are required by HIPAA to:
- Include our VoIP services in the risk analysis that we perform for HIPAA compliance.
- Execute a Business Associate Agreement with the VoIP service provider (not sure what that is? See our article, What is a HIPAA Business Associate Agreement?)
Including a product in our risk analysis is relatively easy. Security risk management, in general, is a flexible and sensible process (not sure what I’m talking about? See our article on why risk management is empowering for you and for clients.)
The rigid piece is the requirement for a Business Associate Agreement (BAA.) That is not a flexible point for HIPAA. If the company won’t do it, then it’s a HIPAA no-go.
So here’s where we get to the main point. The following VoIP service providers won’t execute BAAs with customers, even if the customer is a HIPAA covered entity. The product names are struck through to emphasize that these products are HIPAA no-gos.
- ~~Google Voice~~
- ~~Grasshopper~~
- ~~Line2~~
- ~~Sideline~~
And many, many more that I won’t bother to list. If you aren’t sure whether the VoIP service of your choice will do a BAA, contact the company to ask.
For those who are working on guessing how Google Voice can still be made usable: Google will execute BAAs for their Google Workspace business accounts, but to get access to Google Voice with your BAA you need to pay an extra monthly fee for “managed users.”
There are, indeed, VoIP service providers out there who will happily execute BAAs with health care professionals. Providing VoIP service that meets the standards for HIPAA Business Associates is an expensive thing to do, however, so such services are not as cheap as the ones on the crossed-out list above.
HIPAA-secure VoIP services may still be less expensive than classic phone service, however. So it may still be worth your time to research them if you’re looking for an alternative to classic phone services, or if you need advanced phone services like voicemail transcription and the like.
So What’s The Solution? How Can I Use a Cheap VoIP Service and Be HIPAA Compliant?
I am happy to say that I learned this solution from a student. I was lecturing for my old grad school internship site on private practice tech issues for the interns.
They were excited about Google Voice, because its low cost (free) makes it a great option for fledgling businesses.
I had to inform them of the HIPAA Business Associate issue there, and saw the usual sunken expressions. Then one of the students asked, “Wait, what if I use my phone’s default phone service — the classic service that my phone company provides — for my practice? Then I can set up a Google Voice number for my personal needs and give that number to my friends and family?”
Genius!
Hi, Roy. AT&T, my classic landline that I pay a fortune for at the office, has just switched to Voice over internet protocol for voicemail. They do not do business associates agreement….I guess this means that I have to switch from AT&T and try to find someone who is still doing traditional landline service. That’s getting harder and harder to come by.
Huh. I assume you already asked them? I’ve seen AT&T do the BAA for their VoIP services in the past.
If they won’t do it, then you can also look at 8X8 and AllCall for landline services. If it’s gonna cost an arm and a leg and be VoIP anyways, might as well go all the way!
I just discovered Sideline: http://www.sideline.com and thought I would share it…it uses your cellular network (as opposed to VOIP and if I am understanding things correctly, would not be subject to the same sticky rules?), gives you a free second number, and has free and paid versions…it seems like it would be a great option, but perhaps I am missing something?
Sideline is definitely VoIP, actually. Don’t forget that your cellular service can be used for data, just like WiFi can!
Shoot, I was all good until the last paragraph. I’m not sure what your student meant by default cell phone number? I have Verizon and a personal cell number. What would the steps be, exactly? Sorry for my confusion!!! Thanks
Hi Jen,
No apologies necessary! These things can be confusing, which is exactly why we’re here. The default service the article refers to is the Verizon service.
If you would like consultation with Roy about your particular considerations and questions, we have 2 options available. Person-Centered Tech Support, which gives you access to Roy’s office hours that are designed to provide a forum where he can directly address specific questions in detail. For each office hours session, you can submit all your questions and then either join the session via live webinar or watch the recording on demand like a podcast. There is also the option of receiving 1:1 Consultation, but I think you’ll find PCTech Support to be a more economical means of addressing your questions.
I’m curious – if I set up a Google voice account and direct it to go straight to my cell phone at all times, meaning that voicemails are left on my cell and not on Google voice, does that still pose a compliance issue? (I haven’t figured out the outgoing call part yet…)
The details of how it works are what’s vital for the compliance piece. So I can’t really give consulting advice about your compliance needs in a blog comment. :)
If you’d like to look into it more deeply with us, we have an excellent consulting service that is very inexpensive with very extensive service: https://dev-personcenteredtech.com/person-centered-tech-support/
In addition to 8×8, my company identified Intermedia as another VOIP provider that will do a BAA for those services. They have thus far been very good with support, we got a good deal (lower front-end cost than 8×8) and there’s no monthly contract. Just figured I’d share that as an additional possible option.
Sarah, thanks for the tip! Glad you’re having a good experience thus far :)
If no voicemail, recording, or storage of messages, even under the HIPAA omnibus you can use such VOIP services under the conduit exemption if you do an appropriate assessment.
Thanks for commenting. We’re always happy to see people contribute here!
So, the assessment you refer to would have to conclude that the VoIP service qualifies as a conduit under the Business Associate Rule. A conduit would have to not “persistently store” any protected health information *at all*, which means not even storing IP addresses or phone numbers of people involved in the calls (among many other things.) I can’t imagine a free VoIP service omitting those things from their logs.
I am eager to be proven wrong, however. If you have examples of free VoIP services that log absolutely no meta data, please do share! :)
Hello,
I would like to find a VOIP that’s affordable and HIPAA compliant who will port my current business phone number (with Verizon), and no longer use the cell phone. Do you have a reference list of VOIP companies that would offer this… and are affordable for someone running a part-time solo practice?
Thank you
Hi Stefan,
Great question! We do not, at this time, have a reference list of VOIP companies that fit the specifications you’re asking for. We’re currently in the process of completing HIPAApropriateness reviews for several VOIP providers. (HIPAApropriateness reviews are a resource we offer by request to subscribers of our Person-Centered Tech Support service and entail a review of both the HIPAA security and ethical appropriateness of various products and services.)
We know that some VOIP providers will port numbers, while others will not. However, we don’t know which companies fall into which category.
Best of luck! :)
I tried the suggested option before (used the cell phone/number for my practice and made a google voice for friends/family), but I was later told that this is still not HIPAA compliant because my cell phone company (AT&T) has a record of the calls. In other words, AT&T keeps a log of the calls made and received (visible in my monthly statement) and although they likely wouldn’t care about these calls, they still have access to those logs so it’s not HIPAA compliant. Is that correct?
Hi Susan,
Great question. The person who advised you is technically correct, but there is an atmosphere of excusing it with “classic phone service.” We can follow up more with consultation. If you would like to explore or pursue this option, please email [email protected] and I’ll send you details on arranging consultation with Roy. This is also a topic covered in our Digital Confidentiality According to Professional Ethics and HIPAA course series.
RingCentral will sign a BAA if you have 20 users, but we’re under that threshold. Instead they offer an option to enable a “HIPAA conduit” setting that results in data being purged after 30 days. Have you seen other VoIP providers making a similar practice? Have you seen guidance from HHS that 30 days satisfies the not “persistently store” standard?
Hi JB,
Funny, we were just discussing Ring Central’s “conduit configuration” at Office Hours a couple weeks ago. :)
I don’t recall seeing any guidance on that strategy for the conduit exception that makes for an easy yes/no answer, so I can’t really speak to it in this context here.
I meant to thank you for your reply Liathana
Thank you for your thank you, Stefan! :)
I got a BAA from Google via their paid Google Apps service, now called G-Suite. Would that cover me using Google voice for my business?
Hi Arnold. Good question! Unfortunately Google Voice is not included in the “HIPAA covered functionality” of G-Suite. You can view what is included in that functionality here: https://gsuite.google.com/terms/2015/1/hipaa_functionality.html If you’re looking for VoIP services like Google Voice that are covered by a BAA — you can view a few of those options that we’ve reviewed here:
Go Daddy has recently released a second line that doesn’t use VoIP, it uses your cellular network to make and receive calls and texts. So if that’s the case, would it be HIPAA compliant?
Hi Amy,
Great question! And one that reveals how quickly the tech landscape is changing and that those changes bring up new questions for mental health professionals as they evaluate tech for how it fits with their risk management needs and legal+ethical obligations. This is _exactly_ the sort of thing we cover in our HIPAApropriateness reviews (HIPAA-propriateness reviews are a resource we offer by request to subscribers of our Person Centered Tech Support service and entail a review of both the HIPAA security and ethical appropriateness of various products and services.)
GoDaddy’s SmartLine is not a HIPAA secure option; even though they do not use VoIP and use the cellular network for call and SMS transmission, it is a cloud service (operative word being cloud) and GoDaddy is handling and storing data — including PHI — which means there is a business associate relationship in place, but GoDaddy does not offer and will not execute a BAA. They also do not qualify for the conduit exception (which is extremely rare.) For more details on HIPAA business associates (and how this applies to all cloud services) please see Roy’s article, “What is a HIPAA Business Associate?”
For some HIPAA secure VoIP options, please check out our HIPAApropriateness reviews here: https://dev-personcenteredtech.com/pct_vendorreview_tag/voip/
I hope that’s helpful!
Here is another option!
https://www.phone.com/features/hipaa/
That one is, indeed, waiting on our list of products to review! :)
Hi, Roy,
I first want to thank you for all your wonderful information. Have you reviewed the above yet? I am assuming I cannot use my cell phone as is for Private Practice, or does it fall under classic phone service? If not, I will need a solution ASAP. What would you recommend at this point? Janita
Hi Janita,
It sounds like your question calls for some back-and-forth, so I would recommend consulting or membership (where you can get all the consulting you need.)
Consulting info is here: https://dev-personcenteredtech.com/web-consulting-services-and-fees/consulting-for-mental-health-professionals/
Membership info is here: https://dev-personcenteredtech.com/person-centered-tech-support/
T-mobile has a new feature called DIGITS, a VOIP line that you can add to your account and use an app on a current t-mobile phone. Do you know if DIGITS is HIPAA compliant? When I called tech support they did not know.
Hi Renee,
Through membership with Person Centered Tech we offer a service called “Vendor Reviews.” We review products for their HIPAA Appropriateness. PCT members have the benefit of submitting Vendor Review requests. Check out membership here.
I found the article a few months ago and followed the link to Phone.com. I had 8×8 and was miserable. I have been 100% happy since. Thank you for the suggestion.
If anyone else needs it this is where I signed up. https://www.phone.com/features/hipaa-compliant-voip-service/
Great! We’re glad that our article helped you select a tech solution that better fit your needs!
I started using iPlum for my health practice which is HIPAA compliant. They gave us BAA. It provides both VoIP & PSTN calling options on mobile for a low price. Our staff likes it because it is very reliable.
I spend significant time and have changed 3 providers to find the right vendor now.
https://iplum.com/hipaa-calling-texting-compliance/
We have been using it now for a couple of months.