HHS published a sweeping NPRM on January 6, 2025. Every "addressable" specification — including VoIP encryption and MFA — becomes required by Q3–Q4 2026. Three enforcement cases already cite VoIP. Is your vendor ready?
Under the current HIPAA Security Rule, "addressable" specifications let covered entities skip a control if they document a rationale for doing so. The 2026 Final Rule closes that loophole. These three specifications apply directly to VoIP.
All ePHI transmitted over VoIP — voice media (RTP), call signaling (SIP), voicemail — must be encrypted using TLS 1.2 or higher. "Industry-standard encryption" without specifics is no longer acceptable language in a BAA. Status: was Addressable, now Required.
MFA must be enforced for all users accessing systems that process ePHI. This applies to VoIP admin consoles, softphone apps, and call recording platforms. SMS-only MFA may not satisfy the standard. Status: was Addressable, now Required.
VoIP vendors processing ePHI must sign a BAA that covers all subprocessors — AI transcription engines, call recording storage, SMS gateways. The 2026 rule requires explicit subprocessor disclosure and downstream BAA coverage. Status: was Addressable, now Required.
Not all VoIP vendors are equal. This table shows readiness across the four criteria that matter most for the 2026 rule. Verified from public certifications and vendor compliance documentation.
| Vendor | 2026 Readiness | BAA Available | E2E Encryption | MFA Enforced | Subprocessor BAAs |
|---|---|---|---|---|---|
| Weave | ✓ Pass | ✓ | ✓ | ✓ | ✓ |
| RingCentral RingEX | ✓ Pass | ✓ | ✓ | ✓ | ✓ |
| 8x8 XCaaS | ✓ Pass | ✓ | ✓ | ✓ | ✓ |
| Microsoft Teams Phone | ✓ Pass | ✓ | ✓ | ✓ | ✓ |
| Cisco Webex Calling | ✓ Pass | ✓ | ✓ | ✓ | ✓ |
| Nextiva | ⚠ Needs Updates | ✓ | ~ | ~ | ~ |
| Dialpad Ai Voice | ⚠ Needs Updates | ✓ | ✓ | ~ | ~ |
| Five9 | ⚠ Needs Updates | ✓ | ✓ | ~ | ✕ |
| Vonage Business | ⚠ Needs Updates | ✓ | ~ | ~ | ~ |
| Ooma Office | ✕ High Risk | ~ | ✕ | ✕ | ✕ |
| Grasshopper | ✕ High Risk | ✕ | ✕ | ✕ | ✕ |
| Avaya (legacy SIP) | ✕ High Risk | ~ | ✕ | ✕ | ✕ |
| Unmanaged SIP Trunking | ✕ High Risk | ✕ | ✕ | ✕ | ✕ |
ⓘ ✓ = confirmed • ~ = partial / in progress • ✕ = not confirmed. Data from vendor compliance docs & public certifications. Run a full analysis for your specific configuration.
OCR has already been penalizing VoIP-related HIPAA violations — before the 2026 rule makes encryption mandatory. After the rule takes effect, exposure increases significantly.
The 2026 HIPAA Security Rule is a federal floor. These three states have laws that exceed it — adding additional liability for healthcare organizations operating in them.
Texas law is stricter than HIPAA on some provisions. It requires specific written authorizations for electronic health information sharing. VoIP vendors that transmit ePHI are subject to Texas AG enforcement independent of OCR action.
California's CMIA provides private right of action — patients can sue directly. The CPPA can add additional penalties. Healthcare VoIP vendors operating in CA must address both state laws plus federal HIPAA requirements.
New York's AG has been actively enforcing health data security failures. NY SHIELD Act requires "reasonable" security — a bar that the 2026 HIPAA Security Rule helps define. Healthcare organizations in NY face dual enforcement risk.
Answer 15 questions about your organization and compliance needs. Get a ranked list of HIPAA-ready VoIP vendors matched to your size, use case, and 2026 readiness requirements — at zero cost.