Should healthcare organizations use Grasshopper, a popular virtual phone system? Grasshopper provides virtual US and Canada phone numbers, which businesses can use on their existing phones. There’s no need for additional landlines or phone equipment. It’s a convenient and affordable option for anyone running a small business.
Still, using Grasshopper as a tool to handle protected health information (PHI) is another issue altogether. Let’s dig a little further into Grasshopper HIPAA compliance.
Why HIPAA Compliance Matters for Virtual Phone Systems
In a healthcare setting, Grasshopper and HIPAA compliance should go hand in hand, since you cannot just choose any virtual phone system. When you use any cloud-based software to handle PHI, the provider will be classified as a business associate and, therefore, must comply with HIPAA regulations. Any business associate should help your organization adhere to specific privacy and security rules, or you risk facing legal and monetary consequences.
Moreover, virtual phone systems that can’t guarantee strong data privacy measures may accidentally expose your patients’ health information to cyber threats. Failure to follow HIPAA rules on the covered entity’s part empowers cyber attackers to exploit PHI for criminal activities like ransomware, phishing, scams, and identity theft.
The Department of Health and Human Resources (HHS) requires covered entities (hospitals, health insurance companies, and the like) to sign a written contract with their business associates. A virtual phone system can only claim HIPAA compliance when it signs a written contract or a Business Associate Agreement (BAA) with the covered entity. Plus, it should display its capability to employ adequate security measures and the resources to conduct routine assessments and train staff.
It is, therefore, understandable to be concerned about Grasshopper compliance, especially when PHI is involved.
Is Grasshopper HIPAA Compliant?
Grasshopper’s answer is: “At this time, Grasshopper is not HIPAA compliant.” According to its documentation on HIPAA compliance, the virtual phone system needs access to your account information and settings, including messages like text, fax, and voicemails. Based on this information, it doesn’t have adequate security measures to protect your data when it needs to troubleshoot your system.
Instead, Grasshopper’s support routes you to another product, GoTo Suite, for HIPAA-compliant video conferencing and meeting tools. The product comes from the same developer as Grasshopper. Since the latter doesn’t support compliance with HIPAA, it’s best to choose GoTo Suite or look for alternatives that are inherently compliant with the said regulation.
But if you’re particularly interested in using Grasshopper, it’s best to avoid using it as a healthcare solution. You need a phone system that implements security measures that align with HIPAA to avoid compromising PHI and breaking the law.
HIPAA-Compliant Features of Virtual Phone Systems
Since Grasshopper isn’t HIPAA compliant, consider looking for another virtual phone system with the following features:
Business associate agreement: The provider should be able to provide a BAA. Most HIPAA-compliant companies advertise their services as HIPAA-compliant and make their BAA public. If the BAA is not viewable online, the company should at least explicitly mention that they can sign an agreement or contract.
User authentication and access controls: The phone system should have adequate measures to verify a user’s identity. Aside from basic passwords, they may employ other access control features like multi-factor authentication (MFA), session time-outs, biometrics, and administrator controls.
Secure storage: A provider should not only ensure the secure transmission of data from end to end, but it should also provide secure storage. Look for encryption methods and other security measures when data is stored on the cloud. The phone system should have a secure infrastructure and architecture for its servers.
Third-party auditing: HIPAA-compliant phone system providers proactively identify their system’s potential security vulnerabilities. Third-party certifications such as SOC 2, issued by expert assessors, provide proof that the company’s security measures are up to industry standards.
Activity logs: Administrators should be able to view user activities and security events on audit logs. Detailed activity logs can show you the possible causes of an existing security issue or potential vulnerabilities that could lead to data breaches.
Explore HIPAA-Compliant Alternatives to Grasshopper
Small business owners usually choose Grasshopper because of its advanced features and affordability compared to physical landlines and mobile subscriptions. It can transcribe voicemails, handle simultaneous calls, create custom greetings, send faxes virtually, and provide a business phone number. Fortunately, there are HIPAA-compliant alternatives to Grasshopper.
With iFax, you can get a toll-free or local business fax number, making it possible to handle calls and transmit thousands of high-definition faxes worldwide.
Best of all, iFax is HIPAA-compliant. Our cloud-based communications platform uses military-grade encryption to keep PHI safe. You can also request a signed BAA. Meanwhile, its developer-friendly API allows seamless fax and call integration with different EHR and EMR systems.