The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/900970
46 PEER TO PEER: THE QUARTERLY MAGAZINE OF ILTA | FALL 2017 Many law firms regularly handle protected health information (PHI). By doing so, they oen automatically fall under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) business associate classification. However, traditional (non-VoIP) phones and faxes are not considered as transmission via electronic media by federal regulations (45 CFR ยง160.103): "[C]ertain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission." It is up to each law firm to carefully interpret the above regulation and decide if a VoIP voice call where PHI is discussed should be safeguarded by the HIPAA Security Rule in the same way as other electronic PHI (ePHI) communication. When deciding, one can consult the National Institute of Standards and Technology (NIST) guide titled "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule" (NIST SP 800-66 R1). This guide cites another NIST paper (NIST SP 800-58) titled "Security Considerations for Voice Over IP Systems." One might interpret these papers to imply that at least the NIST considers VoIP communication to be included in the HIPAA Security Rule. Law firms have been upgrading to better phone systems at a rapid pace. Most, if not all of these new systems are using a protocol called "voice over IP" (VoIP) and provide a technological leap ahead of old systems. This is raising the question of whether VoIP phone systems need to adhere to HIPAA regulations. by George Bessenyei of YoCierge LLC HIPAA Compliance with Voice Over IP EXTRAS HIPAA Compliance with Voice Over IP It is important to note that the audio connection must be encrypted by one of the methods listed in the 800-58 guideline. Encrypted audio uses more computing resources that older VoIP phones have difficulty handling under some scenarios, such as during conference calls. P2P