VoIP HIPAA Compliance

1. What falls under HIPAA scope

HIPAA's Security Rule (45 CFR 164.312) applies to ePHI — electronic Protected Health Information. PHI includes any individually identifiable health information: patient names, diagnoses, appointment details, treatment information, billing information, and more.

VoIP infrastructure is in scope when it carries:

• Clinical communications between providers and patients
• Appointment scheduling and reminder calls
• Prescription refill requests or authorizations
• Insurance verification calls where patient identity is confirmed
• Any call where a patient's medical status or treatment might be discussed

This covers not just the call itself but the signaling infrastructure — SIP servers, SBCs, PBX systems, voicemail, call recording platforms, and any system that stores or transmits call metadata (call logs, CDRs) that could identify a patient and their healthcare interaction.

2. Specific HIPAA requirements for VoIP

The Security Rule doesn't mandate specific technologies, but it requires "reasonable and appropriate" safeguards. For VoIP, regulators and auditors expect:

3. Encryption requirements in detail

Signaling encryption (TLS)

All SIP signaling on external network segments must use TLS 1.2 or higher (port 5061). TLS protects caller identity, called number, call metadata, and any information in SIP headers from interception. Self-signed certificates are technically permissible for internal infrastructure but publicly trusted certificates are expected for carrier and third-party connections.

Media encryption (SRTP)

All RTP media streams on external segments must use SRTP. Without SRTP, anyone who can capture network traffic can listen to call content. SDES key exchange is acceptable when combined with TLS. DTLS-SRTP provides independent media encryption not reliant on signaling security.

Call recording encryption

Recorded calls stored as audio files must be encrypted at rest using AES-128 or AES-256. Access must be authenticated and logged. Cloud storage of recordings requires a Business Associate Agreement (BAA) with the storage provider.

What about internal calls?

Calls that never leave your physically controlled network (internal LAN/VLAN) are lower risk but should still be encrypted if the network carries other non-HIPAA traffic or if there is any risk of unauthorized network access. Zero-trust architecture eliminates the "internal network is trusted" assumption entirely.

4. Auditing your infrastructure

A HIPAA VoIP audit should cover:

1. Network diagram review — Map all call paths and identify any segments where ePHI traverses without encryption
2. SIP trace analysis — Capture and analyze SIP signaling to confirm TLS is in use and SDP contains SRTP crypto lines
3. Certificate audit — Verify all TLS certificates are valid, not expired, and from trusted CAs
4. Access control review — Confirm only authorized personnel can access call recordings, CDRs, and SIP administration
5. BAA inventory — List all third-party vendors (SIP trunk providers, cloud PBX, recording platforms) and confirm BAAs are in place
6. Log retention — Confirm SIP transaction logs are being retained per your retention policy (minimum 6 years for HIPAA documentation)

5. Technical controls checklist

• TLS 1.2+ enabled on all SIP trunks and carrier connections (port 5061)
• SRTP negotiated on all external call legs (RTP/SAVP or UDP/TLS/RTP/SAVPF)
• Self-signed certificates replaced with CA-signed certificates on external interfaces
• SIP ALG disabled on all firewalls in the call path
• Call recording files encrypted at rest (AES-128 minimum)
• Recording access authenticated and logged with user identity
• CDR and call log access restricted to authorized personnel
• SIP administrator access protected with MFA
• BAAs signed with SIP trunk provider, cloud PBX vendor, and recording platform
• Network segmentation — VoIP VLAN separated from general data traffic
• SIP transaction logging enabled and retained for minimum 6 years
• Annual risk assessment documenting VoIP security posture

6. Compliance reporting with SIPSymposium

SIPSymposium's Teams tier includes compliance reports that map encryption and security findings from your SIP traces directly to HIPAA Security Rule controls. Upload a PCAP or paste a trace and export an audit-ready PDF showing which controls are satisfied and which require attention.

This is particularly useful for demonstrating due diligence during a HIPAA audit or risk assessment — giving auditors specific technical evidence that your VoIP infrastructure encrypts ePHI in transit.

Frequently asked questions

Does VoIP need to be HIPAA compliant?

VoIP systems are subject to HIPAA when they carry calls involving Protected Health Information — patient appointments, clinical communications, billing calls where patient identity is confirmed. HIPAA Security Rule 164.312(e)(2)(ii) requires encryption of ePHI in transit, which means TLS for SIP signaling and SRTP for media on all external call legs.

What encryption does HIPAA require for VoIP?

HIPAA requires TLS 1.2 or higher for SIP signaling on all external segments, SRTP for RTP media streams, and AES-128 or AES-256 encryption at rest for call recordings. Self-signed certificates are technically permissible for internal infrastructure but publicly trusted certificates are expected for carrier and third-party connections.

Do I need a BAA with my VoIP provider for HIPAA?

Yes — any third-party vendor that handles ePHI on your behalf requires a Business Associate Agreement. This includes your SIP trunk provider, cloud PBX vendor, and call recording platform. Review each vendor's BAA availability before using them in a HIPAA-covered deployment. Many major providers offer BAAs — confirm before signing up.