HIPAA COMPLIANCE GUIDE

HIPAA-Compliant Phone Service, Explained

SIPNEX ·

“HIPAA-compliant phone service” legitimately means two things: a vendor that will sign a Business Associate Agreement where one is required, and a service supporting the safeguards you need — encryption for stored voice and messages, access controls, audit logs. It does not mean a certification, because no official HIPAA certification exists. And the most useful fact in the whole topic is the one vendors rarely lead with: for plain phone calls, your carrier usually isn’t a business associate at all.

SIPNEX is an FCC-licensed carrier providing HIPAA-compliant VoIP and SIP trunking to healthcare practices, with BAAs signed for the stored-PHI functions you deploy — and this guide is sourced to HHS and OCR primary documents, with the marketing fog removed.

The conduit exception: where compliance actually starts

HIPAA’s business-associate rules do not reach entities that act as mere conduits — transporting PHI without accessing it beyond what transmission requires. HHS’s own examples are the postal service, couriers, and their electronic equivalents: ISPs and traditional telephone service connecting calls. OCR restated it plainly in its 2022 audio-only telehealth guidance: a covered entity is not required to sign a BAA with a telecommunications provider that has only transient access while acting as a conduit.

The exception is deliberately narrow, and the dividing line is transient transmission versus persistent storage. The Omnibus Rule preamble draws it exactly there: temporary storage incident to transmission stays conduit; maintaining PHI on a covered entity’s behalf makes a vendor a business associate — even if it never looks at the data. OCR’s cloud-computing guidance extends the point: still a business associate even when the data is encrypted and the vendor holds no decryption key.

So: the carrier connecting your calls, as carriage, sits under the conduit exception. The analysis begins the moment your phone system starts keeping things.

When a phone vendor becomes a business associate

Applying OCR’s create-receive-maintain-transmit test (these are applications of the test, not a published HHS list): a BAA enters the picture when the service stores PHI on your behalf

  • Hosted voicemail holding patient messages
  • Call recording that captures and retains clinical or billing conversations
  • SMS platforms storing message threads with patients
  • Voicemail or call transcription
  • Fax-to-email services storing fax images

Using a vendor for those functions without a BAA is the compliance gap — not the dial tone. The right question for any “HIPAA-compliant” phone vendor is therefore precise: which stored-PHI functions will we use, and will you sign a BAA covering them?

Calls, voicemails, and texts: what’s actually permitted

  • Calling patients is fine. Appointment reminders are treatment/operations — no authorization needed (HHS FAQ 286). Leaving messages is permitted with reasonable safeguards: keep voicemails minimal — name, callback number, appointment confirmation — per HHS FAQ 198.
  • Texting patients is permitted with a documented warning. Under the right of access and confidential-communications rules, a patient may request unencrypted text or email; OCR’s position is that after you warn them of the interception risk and they still want it, you may send it and aren’t liable for transit risk. Document the warning and the choice.
  • Texting between providers over ordinary SMS is a different story — the Security Rule applies and secure messaging platforms are the accepted method; there’s no patient-consent pathway for staff-to-staff PHI texting.
  • Hospitals texting orders: CMS revised its position in 2024 (memo QSO-24-05): texting patient orders among the care team is permissible through a HIPAA-compliant secure texting platform, with orders filed into the record — CPOE still preferred. The old flat prohibition is no longer current (and this memo speaks to hospitals and CAHs specifically — the carrier-layer view is in our hospital phone systems overview).

When voice data is stored: the Security Rule safeguards

Stored voicemail files, recordings, and message threads are ePHI, and the Security Rule applies to them: risk analysis, unique-user access controls, audit controls, transmission security — and encryption, which is technically “addressable,” a term HHS explicitly says does not mean optional: implement it, implement a documented equivalent alternative, or document why neither is reasonable and appropriate. (A 2025 rulemaking proposes making encryption flatly mandatory; as of mid-2026 it remains a proposal, not law.)

The certification myth

There is no government HIPAA certification — HHS says so directly (FAQ 2003), and OCR states it does not endorse private certifications, which “do not absolve covered entities of their legal obligations.” A vendor waving a “HIPAA Certified” badge is describing a purchased assessment at best. What you can actually verify: will they sign a BAA for the stored-PHI functions you use, and do those functions support encryption, access controls, and audit logs.

Where SIPNEX sits

As the FCC-licensed carrier transmitting your calls, SIPNEX operates in conduit territory — carriage, transiently handled. Where a deployment adds stored-PHI functions — cloud PBX voicemail, recording, texting on your practice numbers — the business-associate analysis applies to that configuration — and SIPNEX signs BAAs covering the stored-PHI functions you deploy. The design conversation with your compliance officer happens before anything ships: which functions you’ll use, how they’re safeguarded, and the BAA scoped to exactly that. Practices that want the checklist first: bring it — we answer line by line, starting with the dental and therapist workflows we see most.

Frequently asked questions

Is a regular phone call HIPAA-compliant?

Yes. Ordinary calls to patients — reminders, results follow-ups, scheduling — are permitted under HIPAA without authorization, with reasonable safeguards like limiting what you leave in a voicemail. OCR has also noted traditional voice calls aren’t “electronic media” for Security Rule purposes; the Security Rule attaches when voice data gets stored electronically.

Do I need a BAA with my phone company?

Not for pure call carriage — HHS treats telecommunications providers with only transient access as conduits, not business associates. You do need a BAA with any vendor that stores PHI for you: hosted voicemail, call recordings, text platforms, transcription. SIPNEX signs BAAs covering those functions when your deployment uses them. Map your functions first; the BAA question answers itself.

Can medical offices text patients under HIPAA?

Yes, with the documented-warning pathway: patients may request text communication; you warn them unencrypted texting carries risk; they choose it; you document that. Keep clinical detail minimal regardless. Staff-to-staff PHI texting is different — use a secure messaging platform, not ordinary SMS.

What makes a VoIP service HIPAA-compliant?

Two verifiable things: a BAA covering the stored-PHI functions you actually use, and Security Rule-grade safeguards on those functions — encryption of stored voice/messages, unique-user access controls, audit logging, secure disposal. No certification exists to check instead; compliance is a configuration outcome shared between you and the vendor.


SIPNEX is an FCC-licensed carrier serving healthcare practices: carriage under the conduit rule, cloud PBX and texting deployments designed with your compliance checklist on the table — BAAs signed where storage requires them — and A-level STIR/SHAKEN attestation so your calls display as trusted. Talk to an operator or see rates.

SIPNEX

The carrier built by operators, for operators.

FCC-licensed carrier with its own STIR/SHAKEN SP certificate. Operator-owned. SIP trunks built for operators who dial at volume.