Your phone system handles patient data every day. Here's what HIPAA actually requires from your VoIP provider — and what most providers get wrong.
When medical offices think about HIPAA compliance, they think about their EMR software, their patient portal, and maybe their email. They rarely think about their phone system. But every voicemail, every fax, every call recording, and every text message that passes through your office phones could contain ePHI (electronic Protected Health Information).
If your phone system isn't set up to handle that properly, you have a compliance gap — and it's one that an auditor will find.
Here's what actually matters, without the jargon. See our full medical office phone system page.
A Business Associate Agreement (BAA) is a legal contract between your practice (the "covered entity") and any vendor that handles ePHI on your behalf (the "business associate"). Your VoIP provider stores voicemails, routes calls, and may log call data that includes patient information. That makes them a business associate.
HIPAA requires a BAA. Without one, your practice assumes all liability for any breach that occurs through the phone system.
The problem: many VoIP providers won't sign a BAA, or they only offer it on expensive enterprise tiers. Some providers claim to be "HIPAA compliant" on their website but won't put it in writing when you ask for the actual agreement.
What to do: Ask your VoIP provider for a BAA. If they hesitate, push back, or tell you it's only available on a higher plan — find a different provider. Callifi will sign a BAA with medical offices on request. We don't make it difficult.
HIPAA's Security Rule requires safeguards to protect ePHI during transmission. For a VoIP phone system, this means:
Most modern VoIP platforms support TLS (which encrypts the SIP signaling) and SRTP (which encrypts the audio stream itself), but they're not always enabled by default, and both are needed: TLS alone still leaves the call audio in the clear. Some providers turn on encryption only for healthcare customers who specifically request it. Others charge extra for it.
What to do: Ask your provider whether TLS and SRTP are enabled on your account. If they're not, ask to have them turned on. At Callifi, encryption is available on request for practices that require it for compliance.
Think about what patients say in voicemails. "Hi, this is John Smith, date of birth 3/15/1965, I'm calling about my lab results for the blood work I had on Tuesday." That voicemail now contains a name, date of birth, and medical information — that's ePHI.
If those voicemails are stored on a server without proper access controls, or forwarded to personal email accounts without encryption, you have a compliance problem.
What to do: Make sure your VoIP system has role-based access controls for voicemail (the billing department shouldn't be able to access the nurse's voicemail). If voicemails are delivered by email, understand how they're transmitted and stored. Ask your provider about voicemail-at-rest encryption.
Medical offices can't escape fax. Referrals, lab results, insurance authorizations, and prescriptions still flow by fax between practices, hospitals, labs, and pharmacies. The question isn't whether you need fax — it's whether your fax setup is compliant.
A physical fax machine sitting in a hallway where anyone can see incoming faxes is a HIPAA problem. Faxes sent over analog lines are technically not encrypted. And a dedicated fax line costs $30-60/month on top of the machine and supplies.
What to do: Cloud fax solves most of these issues. Incoming faxes arrive as PDF attachments to a designated email, not on a paper tray in the hallway. Outgoing faxes are sent from your computer. CalliFax is available as an add-on to Callifi phone systems — keep your existing fax number, ditch the machine.
When a doctor calls a patient back from their personal cell phone, several things happen:
This is one of the most common HIPAA gray areas in medical offices.
What to do: A VoIP system with a mobile app solves this completely. The doctor calls the patient from the app — the practice's main number shows on caller ID, the call is logged in the system, and it's covered under whatever compliance setup you have in place. The doctor's personal number stays private. See how this works for medical offices.
If you're evaluating phone systems for your medical office, here are the questions that matter:
National VoIP providers like RingCentral, Dialpad, and Vonage can check the HIPAA boxes on paper. But when your front desk phones go down at 9am on a Monday and 40 patients are trying to call in for appointments, you need someone on-site — not a ticket in a queue.
Callifi is based at 16 East 40th Street in Midtown Manhattan. We install phone systems in medical offices, dental practices, mental health clinics, and specialty practices across NYC, Westchester, Long Island, Northern New Jersey, and Connecticut. When something needs to be fixed, we show up.
See everything we build for medical offices or call (212) 423-1234 for a free assessment.