If you are an interpreter providing medical interpretation services via phone (OPI) as a contractor for U.S. healthcare clients and the interpreting agency or company you are interpreting for says you have to have your own phone line to take calls, you may need to have an agreement in place to protect you from legal liability called a Business Associate Agreement or BAA. Specifically, if you are utilizing a VoIP (voice over IP) service, sometimes also referred to by phone companies as “Digital Voice,” this agreement might be considered legally required to ensure that both you and the service you use are on the same page when it comes to protecting PHI.
This doesn’t seem to be something well-known among interpreters, or even in the interpreting field, and I even see some unscrupulous interpreting agencies encouraging their contract interpreters to use non-HIPAA-compliant means to make/take calls (Business Associate Agreements aside!). At the end of the day, we need to look out for ourselves and each other as best as we can because individual interpreters can open themselves up to a world of hurt legally and financially if they don’t comply with the law, even if they don’t know they’re violating it!
Please note that the information provided in this post is not intended to replace advice from a qualified legal professional. This post was not written by a lawyer, but is compiled from a variety of sources that are listed at the end of this article.
There are two parts of legislation within HIPAA (which we should really already know inside and out as medical interpreters!) that outline requirements in terms of Business Associate Agreements:
1) The HITECH Act (as part of the HIPAA Omnibus Final Rule)
This is the Health Information Technology for Economic and Clinical Health (HITECH) Act. It was originally passed in 2009 to encourage healthcare entities to switch to digital health records. I’m not going to get too much into the nitty-gritty here, but when the HIPAA Omnibus Final Rule was passed in 2013, some changes were implemented to the HITECH Act that held Business Associates (which most interpreters are) accountable for HIPAA breaches.
Until 2013, a business associate was considered to be an entity that creates, receives, or transmits PHI or Protected Health Information for a covered entity. This Omnibus final rule added the verbiage “maintains” to that phrase, making things a little more specific. This is key because it now implicates companies that store PHI (even in passing) as business associates, including companies that store digital data.
This is actually something some unscrupulous VoIP services claim when you ask about a BAA. They claim that they’re only transmitting call data, not storing it. However, this brings us to our next handy dandy piece of legislation:
2) The HIPAA Conduit Exception Rule
This is a rule within HIPAA that a lot of VoIP service providers like to indirectly refer to when they claim they’re only “transmitting” call data. The Conduit Exception Rule (there’s that term conduit again!) is sort of ambiguous, but it does state that if the only way the entity handles PHI is “transient” in nature (e.g. they only transmit it and they don’t have access to it), they don’t need to enter into a BAA. Here are some examples of businesses that fall under this rule:
- The U.S. Postal Service, FedEx, UPS, & DHL
A doctor’s office can mail documents with PHI without entering into a BAA with the mailing service, because a reasonable expectation exists that they’re not going to open that mail and access that information, they’re just passing it along. Additionally, mail-order prescription businesses don’t need to enter into a BAA with their couriers either, despite the fact that the prescription bottles have a bunch of PHI on them.
- Internet Service Providers (ISPs)
When a healthcare facility signs up for internet services, let’s say for internet with Verizon, Verizon is only transmitting the PHI they’re passing along. However, if that facility purchases a digital voice plan with Verizon, depending upon how it’s set up, they may need to enter into a BAA with Verizon because it may be considered a VoIP service.
- Phone Carriers
Cell phone providers and traditional landline phone service providers are conduit exceptions. However, as an end user of their services who is a covered entity, medical interpreters need to be mindful of device security because we often store PHI (such as patient phone numbers) on these devices if we use them in any capacity in our line of duty. For instance:
- When you make a call to a patient on your cell phone, the call itself doesn’t involve the storage of voice data, just the transmission of it. However, the second you type that phone number into that phone? It’s stored on that device. Phone numbers are considered one of the PHI identifiers. Then you become responsible for safeguarding that information on that device, which can be tricky because cellphones are prone to being lost or left behind! Aside from ethical reasons, this is why making calls to patients like this is super risky.
- When you make a call to a patient on your landline phone, again, the call itself doesn’t get saved by the phone company, but the typing in of that phone number to that device often stores it on that device. Thankfully landline phones aren’t as portable as cell phones, but if someone gains physical access to it, you might have an issue.
Being considered a conduit under the Conduit Exception Rule is actually really strict and really limited. These are the only three concrete examples of conduit exceptions I was able to find in terms of what the U.S. government actually endorses. I was, however, able to find a BUNCH of examples of entities incorrectly classified as conduits that faced legal repercussions, including fax, e-mail, and cloud storage service providers.
So Does VoIP for Medical Interpretation Require a BAA, Then?
More likely than not, yes. It depends on if that service is storing call data. The following are all examples of features of a VoIP plan that would, based on what the law lays out, necessitate a BAA or Business Associate Agreement:
- The ability for others to leave voicemails at your number
- Voicemail-to-text or “visual voicemail”
- Call recording or call-to-text
- Digital SMS (text messages)
- vFAX (virtual fax)
So, if your voice over IP service does any of these things (which the vast majority of them do), you need to have a BAA with them. Even so, any reputable VoIP service provider you decide to go with, in my personal and professional opinion, should feel confident enough in the security measures they have in place for their services to enter into a BAA with you if you have a paid account with them. If not? They’re handing you a big box of red flags!
Additionally, if you are utilizing a FREE VoIP service (like Google Voice)? There is the possibility that they may be selling your data anyways. There is no shortage of free services, or free versions of paid services, that aren’t actually “free” at all because they stand to profit from the data you provide them (see: Facebook).
Why a BAA is a GREAT Idea
It’s a badge of trust in the form of a legal contract
Even if your VoIP service provider doesn’t have any of the features enabled that I listed in the previous section, as I mentioned before, a BAA is essentially a service provider saying, “Hey, we vouch for the security of our services and you can trust us with the data you’re sharing with us.” And it’s not simply an empty promise, it’s a legal contract laying out expectations with respect to HIPAA compliance.
It means you’re not solely responsible if a breach occurs
So, if a breach occurs, for instance: someone gains unauthorized access to PHI on your VoIP account, it’s not just your problem anymore. If you don’t have a BAA and this happens, your VoIP service provider will likely throw their hands up in the air and say, “But we didn’t know they were storing PHI on our service! They withheld information (the nature of the data they were sharing with us) from us, despite their legal obligation to tell us.” It’s akin to breaking into someone’s office, leaving a bunch of documents face-up with PHI on their desk, and then leaving the door wide open. Is it really the fault of the person whose office it is that the breach occurred? No! It’s yours!
It reflects positively on you as an interpreter
I always made sure to toot my own horn and tell my interpreting agencies I had a HIPAA-compliant phone line for taking calls with a Business Associate Agreement on file. Even if the person you’re talking to doesn’t know what it is (insert shocked Patrick meme here), it not only makes you look good, but also opens up the door for you to educate someone else on something that isn’t really well-known, but really really should be.
VoIP Services that Will Provide a BAA
Honestly, when I had to find a VoIP provider it was… scary. I didn’t know about Business Associate Agreements but I knew I had to find a service that would be HIPAA-compliant. I seriously went through e-mailing, chatting with, and calling about half a dozen companies that I had narrowed it down to, only to have some of the service providers not even know what HIPAA was (despite speaking with multiple people), some of them flat-out avoiding my questions to try to make a sale, and a few boast about their healthcare clients without being able to answer basic questions about the security of their service.
Why Kelly loves Nextiva
Then, I found Nextiva. Not only did the person I talked to know what I was talking about, they actually educated me on HIPAA compliance in terms of VoIP services. I actually used them for my VoIP needs in 2020-2021 but have since moved away from OPI, so I no longer have my line with them. That being said I was very pleased with their services and often recommend them to folks. They also disabled many features on my account to make it as secure as possible in keeping with HIPAA. However, Nextiva will not work for you if you are based outside of the U.S., so I’ve prepared this handy little chart with some of the VoIP services I know of that my colleagues already either use and recommend, or I have been eyeing myself because of their explicit mentioning of offering HIPAA-compliant services.
| Service Provider | BAA Availability | Kelly’s Comments |
|---|---|---|
| Nextiva | U.S. | Slightly on the pricey side but well worth it for their incredible customer service, transparency, and dedication to HIPAA compliance. For more about Nextiva’s HIPAA compliance info, click here. |
| Zoom Phone | International | This is the only service I am aware of at this time that offers a BAA for folks when they are outside of the U.S. Have a colleague that uses it with zero issues. Need to be able to provide a U.S. address. |
| Dialpad | U.S. | Specifically marketed as a solution for businesses that need to be HIPAA-compliant. Cheaper than Nextiva but I’ve never used it nor do I know anyone who does. |
Please note: none of the links listed above are affiliate or referral links, meaning I will not receive a penny from any of them if you purchase a plan through the links above. However, if you would like to say I (Kelly Grzech) referred you to Nextiva, I am part of their affiliate program, and at no extra charge to you I may receive a nominal referral fee from them in return for your business. And, as always, if you have any further questions about this, you are welcome to reach out to me via my contact page.
Do you have any other recommendations for VoIP services that are HIPAA compliant for medical interpreters? Be sure to drop them in the comments below.
- 3 Common Misconceptions About Business Associate Agreements
- Conduit Exception Remains Narrow Under New HIPAA Rule
- The HIPAA Conduit Exception Rule and Transmission of PHI
- VoIP Phones and HIPAA Compliance
- What is the HITECH Act?