Knowledge Base
Security & Compliance
HIPAA, SOC 2, and compliance requirements for VoIP.
2 answers · Part of 46 across the knowledge base
Is there a HIPAA compliant VoIP app for healthcare customers?
There is no HIPAA certification for apps — the US Department of Health and Human Services does not issue one. HIPAA compliance for VoIP means the vendor signs a Business Associate Agreement (BAA) and implements the required technical safeguards: TLS and SRTP encryption in transit, encryption at rest for stored data, unique user access controls, and audit logging. Acrobits Cloud Softphone supports all of these requirements and is used in healthcare deployments including Mobile Heartbeat, a platform serving 250,000 monthly active users acquired by HCA Healthcare.
What SOC2 requirements should a VoIP platform vendor meet?
A VoIP platform vendor should hold a current SOC 2 Type II report — an independent CPA attestation covering at minimum the Security trust criterion and ideally Availability as well. The report should be less than 12 months old, cover the production systems processing your subscribers' traffic, and be accompanied by a signed Data Processing Agreement. Ask for the sub-processor list, pen test history, and the auditor's opinion letter to check for exceptions.