• Events and Webinars
  • Resources
    • Blog
    • Case Studies
    • News
    • Newsletter
    • Infographics
    • Papers
    • Posters
    • Video
  • Careers
    • Careers at HBS
    • Open Positions
    • Student Opportunities
  • About HBS
    • About Us
    • Leadership
    • Locations
    • Partners
    • Green Initiatives
  • Events and Webinars
  • Resources
    • Blog
    • Case Studies
    • News
    • Newsletter
    • Infographics
    • Papers
    • Posters
    • Video
  • Careers
    • Careers at HBS
    • Open Positions
    • Student Opportunities
  • About HBS
    • About Us
    • Leadership
    • Locations
    • Partners
    • Green Initiatives
HBS logo
HBS Logo
  • Infrastructure
    • CLOUD

      • Cloud Solutions
      • Public Cloud
      • Hybrid Cloud
      • Infrastructure as a Service
      • Cloud Security Solutions
      • Backup, Replication and Disaster Recovery
      • HBS Cloud Hosting Services

      DATA CENTER

      • Data Center Solutions
      • Traditional Data Center
      • Hyperconverged
      • Colocation
      • Directory Services
      • Cloud Email and Calendar Solutions

      NETWORK AND ACCESS

      • Network Infrastructure
      • Enterprise Mobility
      • Wireless Solutions
      • SD-WAN
      • Structured Cabling
      • Staff Augmentation
      Data Center Solutions blue gradient background badge with white text
  • Managed Services
    • MANAGED ONE

      • Managed One Overview
      • Managed Backup and Disaster Recovery
      • Managed Email and Collaboration Security
      • Managed Firewall

       

      • Managed HaaS and SaaS
      • Managed IT Help Desk
      • Managed Network and Server Monitoring

      HBS + PARTNER SOLUTIONS

      • HBS Secure with Verkada
      • HBS Collaborate with Webex
      • Managed XDR
      HBS Managed One Megamenu Graphic
  • Modern Workplace
    • MICROSOFT

      • Microsoft Licensing Management
      • Microsoft Modern Workplace
      • Microsoft Copilot
      • Microsoft Fabric
      • Microsoft Funding Opportunities

       

      • Dynamics 365 Business Central
      • Dynamics 365
      • Dynamics GP

      COLLABORATION

      • Audio Visual
      • Unified Communication Solutions
      • HBS Collaborate with Webex
      HBS Collaborate with Webex blue gradient background badge
  • Professional Services
    • ADVISORY

      • Virtual CISO
      • Virtual CIO
      • Project Management
      • IT Business Consulting

      ENGINEERING SERVICES

      • Staff Augmentation

      AI & ANALYTICS

      • Artificial Intelligence
      • AI Advance
      • AI Predict
      • AI Assist
      • Data Management and Analytics
      • Microsoft Copilot
      • Microsoft Fabric

      APPLICATION INNOVATION

      • Website Development
      • Application Development

      DOCUMENT MANAGEMENT

      • Document Management Services
      • Document and Check Scanners
      Discover your AI Readiness blue gradient background with white text. Bottom right photo of young man in glasses smiling while looking at laptop. Red to green temperature gauge png
  • Security
    • CYBERSECURITY

      • Managed XDR
      • Penetration Testing
      • Vulnerability Scanning
      • Email Security Services
      • Digital Forensics and Incident Response
      • Backup, Replication and Disaster Recovery
      • Firewalls
      • Cloud Security Solutions

       

      • Virtual CISO
      • Virtual Security Team
      • Virtual Security Engineer
      • Cybersecurity Risk Assessment
      • Governance and Compliance
      • SOC 2
      • CMMC
      • Managed Security Awareness Training

      PHYSICAL SECURITY

      • Security Solutions
      • HBS Secure with Verkada
      Cybersecurity Risk Assessment Megamenu Graphic
  • Search
Contact Us
Blog

HIPAA Best Practices for Cloud Services and VOIP

  • Written by: Rob Hoisington
  • April 20, 2021
Ensuring HIPAA Compliance Graphic

Many organizations play fast and loose with the phrase “HIPAA-compliant.” But this isn’t a mere marketing label that everyone can apply however they see fit. HIPAA’s standards for achieving and maintaining compliance are admittedly confusing in many areas. But there ARE HIPAA best practices and standards—well-documented ones at that.

In this blog, we’ll offer insights on two specific areas that frequently cause confusion around HIPAA compliance: cloud services and voice over IP (VOIP).

Is Encryption in Cloud Services Required?

Whenever you see “HIPAA-compliant” and “cloud service provider” in the same sentence, expect things to get confusing. Don’t automatically accept a service provider’s claim that their cloud service is HIPAA-compliant. In their default state, many implementations using cloud services actually aren’t. If a cloud service provider states they are HIPAA-compliant, they generally mean that their platform can be used in a HIPAA-compliant manner if configured and used appropriately.

For instance, many cloud services do not currently enforce encryption at rest when data is stored on their platforms. (Data at rest is simply data that is being stored rather than data being transmitted or processed. It could be, for example, data stored on a hard drive, in a .txt file, or in an Amazon S3 bucket). In many cases, encryption at rest is a configurable feature/option, but you’ll have to manually turn it on. To make matters even more confusing, at rest encryption can be implemented in many different ways, such as full disk encryption; volume or virtual disk encryption; file/folder encryption; and even database table/field encryption. And, of course, no two cloud providers or solutions do things exactly the same way.

If you don’t encrypt data at rest in cloud environments used to store Protected Health Information (PHI), you will often be non-compliant with HIPAA. That naturally leads to the question, “If HIPAA requires encryption at rest, why doesn’t it just say so?” Here are the details.

 The HIPAA Security Rule and the U.S. Department of Health and Human Services (HHS) do not explicitly require implementation of encryption at rest in every situation. (This is one of the safeguards called "addressable" in HIPAA parlance, which means “not required.”) But HIPAA does require that every organization conduct a risk assessment to determine whether encryption is a "reasonable and appropriate safeguard" for PHI data at rest for their organization in every situation. (This section of HIPAA has the details. Note that HIPAA handles all of its "addressable" safeguards this way.)

Furthermore, HHS has acknowledged that "encryption protects ePHI by significantly reducing the risk of the information being viewed by unauthorized persons.”

Why Encryption Makes Sense

Along with HHS’ recommendation, every covered entity and healthcare organization we’ve worked with has expected that PHI be encrypted at rest when it is outside of the organization’s direct control. Your decision should be even easier when you learn that it doesn’t cost much in time or money to implement at rest encryption.

All of that is why we recommend encrypting PHI in two situations:

  • Whenever PHI leaves your data center/office and your organization's enforced/monitored physical and logical security controls.
  • Whenever PHI resides in a place where it could be stolen more easily, such as cloud services and mobile devices.

Encrypting data in these situations mitigates the risk of data loss. You will be protected in the event of breakdowns of physical or logical security controls in cloud service provider environments or at other potentially uncontrolled locations (such as remote work locations).

Keep in mind that if you want to pass a HIPAA audit, you’ll need to take additional measures for any location/service where you don’t encrypt PHI data at rest. HHS states, "If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate."

Basically, if you decide not to encrypt PHI in a cloud service, you need to document that ahead of time, along with details of the equivalent alternative measures/safeguard you use. All of that must be available to any auditors who come calling from the Office for Civil Rights (OCR, which enforces HIPAA).

For more information on how HIPAA applies to cloud service providers, click here.

Voice Services

Voice services and voicemail present their own HIPAA complexity. Part of the challenge stems from the fact that HIPAA arrived long before anyone used VOIP. HIPAA was released in the same year (1996) that VOIP was invented (specifically, the SIP protocol). But VOIP didn’t hit widespread usage among healthcare providers until around 2011. (Here’s a quick history of VOIP).

HHS has said that telephone and fax services are exempted under the HIPAA Security Rule because they are written and oral communication. But that’s not the end of the story.

This overview of HIPAA’s treatment of telephone and fax services illustrates the challenge. It doesn't address VOIP or video over IP services specifically.

We suspect HIPAA exempted telephone service in the first place because encryption of voice communications wasn’t considered a reasonable and appropriate safeguard in 1996. Transit encryption was ridiculously expensive/difficult to implement for voice transmissions, and voicemail as a service didn’t exist. And no one had even thought about the concept of cloud providers.

The best way to avoid non-compliance in an audit or penalties from OCR is to use transit encryption with VOIP or video services. Both history and recently released information from HHS point to this:

  • HHS tacitly admitted that cloud voice/video providers in general may not be compliant.
  • HHS also indicated that voice/video traffic transmitted over the Internet should be encrypted and that a breach caused by interception of PHI voice or video transmissions sent over the Internet could lead to OCR penalties.

If you need help understanding how HIPAA rules affect your organization, contact us today.

Related Content

Blue textured background with the text "Managed IT Services Your Definitive Guide."

Your Definitive Guide to Managed IT Services

Learn what Managed IT Services are and how they can help you save time and resources while improving your team’s productivity, efficiency, and security.

Learn More »
Microsoft 365 E5 Security and Compliance now available to additional Microsoft customers.

Expanded Access to Microsoft 365 E5 Security and Compliance Add-Ons

Microsoft just expanded eligibility for E5 Security and E5 Compliance add-ons—no full E5 license required. Here’s what’s new and how to get started.

Explore More »
Governance and Compliance

Governance and Compliance

Align information security policies and procedures with the best industry standards through Governance and Compliance services from HBS.

Read More »
  • Cloud, Compliance, Data
Blog

Connect:

[email protected]  |  800.236.7914

HBS logo

HQ | 1700 Stephen Street
Little Chute, WI 54140
Locations

HBS Remote Support | Service & Technical Support | E-Bill Portal
Standard Terms & Conditions | Cookie Policy | Privacy Policy | Onboarding Form | End User Agreements | E-Bill FAQ | Site Map
Any purchase is governed by the HBS Standard Terms and Conditions.
©2026 Heartland Business Systems. All rights reserved.

Halo from HBS
This chat may be recorded as described in our Privacy Policy.