HIPAA

HIPAA without the BAA-as-an-afterthought.

Healthcare phone systems touch PHI from the first ring. Encryption, recording controls, and a BAA need to be defaults, not upsells.

Request a compliance briefing   or call 866-304-4300

Triton Cloud PBX at a glance: founded 2001, Northeast roots · 3 offices (Worcester · Dublin · BVI) · 99.999% uptime SLA · DID coverage in 150+ countries · B2B only, no residential service

What the regulation requires

  • Business Associate Agreement (BAA) between covered entities and business associates (45 CFR §164.308(b), §164.504(e))
  • Administrative, physical, and technical safeguards (45 CFR §§164.308, 164.310, and 164.312)
  • Encryption of PHI at rest and in transit (an "addressable" implementation specification under §164.312(a)(2)(iv) and (e)(2)(ii): if you do not encrypt, you must document why and what equivalent control you use instead)
  • Audit controls that record and let you examine access to PHI (§164.312(b))
  • Workforce access controls, including authorization and termination procedures (§164.308(a)(3))
  • Breach notification without unreasonable delay and no later than 60 calendar days after discovery (§§164.404-164.410); a business associate must notify the covered entity within that same window

How Triton Cloud PBX meets each requirement

  • BAA available pre-sales for legal review
  • SRTP for media encryption, TLS 1.2+ for signaling
  • Recording opt-out at the IVR or extension level (for example, a standing policy never to record calls with minor patients)
  • Audit logs of recording access; export via API
  • Role-based admin access; immediate revocation on workforce termination
  • Breach notification SLA in the BAA

Attestations + documents available

  • Business Associate Agreement (BAA) template (available pre-sales)
  • Encryption attestation
  • Access control attestation
  • Breach notification process documentation

What we will NOT claim

We do not provide legal advice on whether your specific practice meets HIPAA. We provide a phone platform that meets the technical safeguards and a BAA that documents our role as a business associate. Your privacy officer makes the final call on your overall compliance posture.

Frequently asked

Questions we get asked the most

Will you sign a BAA before contract?

Yes. We share the BAA pre-sales for your counsel's review and execute it concurrent with the master service agreement.

Are voicemails and recordings considered PHI?

Any information that identifies a patient and relates to their health, their care, or payment for that care is PHI when a covered entity or business associate holds it. Voicemails routinely contain both the identity and the health detail. We treat all recordings and voicemails as PHI for healthcare accounts.

What is your encryption standard?

SRTP for media (AES-128 minimum). TLS 1.2+ for signaling. AES-256 for data at rest. Key management via HSM. Note that when SRTP keys are negotiated in the SDP (SDES), the TLS on the signaling leg is what protects those keys, so media encryption is only as strong as the signaling encryption in front of it.

What happens if there is a breach?

The BAA specifies our notification SLA. We notify the customer within the timeframe it sets, which is typically well inside the 60-day outer limit HIPAA places on business-associate notification.

Are you HITRUST or SOC 2 certified?

Certification status is shared under NDA. Contact us with your specific question.

Need this in writing for your audit?

Tell us your auditor's requirements. We will provide documentation under NDA.
