How to be HIPAA compliant and help your phones sound better

Posted on May 22, 2014

When your carrier stays out of the way of your call audio, you win tighter call security and better sounding phone conversations.


If HIPAA matters for your business or your customers, you need information to be as secure as possible. In the world of Internet-based telephone service, that means you need to secure your IP PBX as you would any other network appliance, your phone passwords need to be secure, and ideally, you run your voice over a dedicated VLAN, isolated from the rest of your network (and all the vulnerabilities there in).

Phone calls aren’t considered digital media governed under HIPAA because as the HIPAA Survival Guide puts it, “the information being exchanged did not exist in electronic form before the transmission”. But Paul Rausch of GreenWire Technology Solutions says, “You still need to be sure that your VoIP provider is maintaining adequate technical and administrative controls.” He points out that if your provider isn’t taking the right steps to keep their network secure, and someone gains access and records your calls, you could be the one getting trouble.

Of course, there are steps you can take to secure your connections. Setting up a VPN will protect your transmission as long as it travels along that route. You can connect to carriers through a VPN, but once your call goes beyond your carrier, it’s riding the public network. Using SRTP is a good step too. With a strong transportation protocol in place, your communications are protected against replay attacks and the authentication and integrity of your data is secure.

But there is another way to keep calls secure.

Your calls typically go through your carrier’s network and out to the PSTN before connecting to your call destination. When it comes to information security, that setup adds vulnerability by creating transition points that can be infiltrated. And, if any call data is stored on their servers, you need to be sure it is properly protected. There is a safer way.

The solution comes down to how SIP trunking works, the signaling and media travel separately. The signaling carries all the information about call setup and take down, the media (audio) is what most people consider the actual call and the part that contains any information that might potentially be HIPAA sensitive.

Because signaling precedes call audio, and tells the other end how audio should be transmitted (where it’ll come from, and where it’ll go), signaling can set up an audio path that bypasses your carrier’s data center. When that’s possible, you cut out two risky transitions (one into your carrier, and one out) that could pose a threat to the security of your conversations.


Routing call audio directly to destination carriers improves quality too. Most people want a carrier that routes calls through the data center that’s closest to them. But the shortest distance between two points has no layover. When audio data skips carrier servers, travel time is reduced, and latency is kept as low as possible.

For added security, when signaling and media travel separately, they become anonymous. Without signaling, no identifying data is attached to the audio, and there is no way to be sure who is talking. Without media, the conversation is just a series of protocol pings back and forth, you know a call happened, but you can’t hear what was said.

When call audio doesn’t go through your carrier’s data center, the voice component of your calls is transmitted directly to where you want it to go with no detours. And because hand-off points are another chance for things to get muddled up, cutting them out means overall call quality is improved.

So if you’re sweating HIPAA compliance, it’s worth knowing how your carrier is handling your call audio. Ideally, they won’t be handling it at all.

We have updated our Privacy Policy found here. By continuing to use our website, you agree that you understand these policies.

Got it!