HIPAA VoIP Compliance Checklist for Tennessee Medical Practices (2026)
By Mihir Modi
Tennessee medical practices face a compliance challenge that most phone vendors understate: federal HIPAA requirements and Tennessee state law impose different — and sometimes stricter — obligations on how you manage voice communications. Getting your VoIP system compliant with both requires a systematic approach, not just a vendor checkbox.
This checklist covers every step Tennessee healthcare providers need to complete before going live on a cloud VoIP system. It reflects both HIPAA Security Rule requirements and Tennessee Medical Records Act obligations that apply specifically to practices in this state. For a deeper explanation of why each requirement exists, read our comprehensive HIPAA compliant VoIP guide.
Why Tennessee Practices Face a Double Compliance Standard
Tennessee healthcare providers must meet both federal HIPAA requirements and the Tennessee Medical Records Act — which imposes a 10-year record retention minimum that exceeds HIPAA's 6-year compliance documentation standard.
The HIPAA Security Rule applies nationwide. The HHS Office for Civil Rights enforces compliance and publishes detailed audit protocols that form the basis of this checklist. But Tennessee Code Annotated § 68-11-304 (the Tennessee Medical Records Act) adds state-level obligations that can affect your VoIP configuration:
- Record retention: Tennessee requires 10 years of medical records for adult patients (HIPAA requires 6 years for compliance documentation — not the same thing)
- Patient notification: Tennessee law requires specific patient notification procedures that must be reflected in how your phone system handles after-hours calls and message retrieval
- Provider-to-provider communication: Tennessee regulations govern how clinical information is transmitted between providers — relevant when configuring call transfer and conferencing features
Any VoIP compliance checklist for a Tennessee practice must account for both layers.
Phase 1: Provider Selection Checklist
Complete this checklist before signing any VoIP contract.
BAA Availability
- Provider offers a Business Associate Agreement (BAA) as a standard contract term — not an add-on
- BAA is available before system configuration begins (not just at go-live)
- BAA explicitly names all subcontractors who process ePHI (hosting, transcription, call recording storage)
- BAA includes a breach notification provision of 60 days or less (HIPAA maximum); prefer providers that commit to 24-hour initial notice
- BAA covers all communication channels: voice calls, voicemail, SMS texting, fax, call recordings
- BAA includes your right to audit the provider's HIPAA compliance practices
Encryption Standards
- TLS 1.2 or higher confirmed for SIP signaling encryption
- SRTP confirmed for voice media encryption in transit
- AES-256 encryption at rest confirmed for voicemail storage
- AES-256 encryption at rest confirmed for call recording storage
- Mobile app communications encrypted end-to-end (not just server-side)
- Provider can supply written technical documentation confirming all encryption standards
Infrastructure and Certification
- Provider's infrastructure is SOC 2 Type II certified (annual third-party security audit)
- Data centers are located in the United States (Tennessee practices should confirm U.S.-only storage)
- Provider carries cyber liability insurance that covers HIPAA breach events
- Provider has an established incident response process with documented procedures
Tennessee-Specific Requirements
- Call recording retention can be configured to 10 years (Tennessee Medical Records Act requirement)
- Provider supports configurable retention policies by content type (clinical calls vs. administrative calls may have different retention needs)
- Provider's support team has experience with Tennessee-specific healthcare compliance requirements
Phase 2: Pre-Configuration Checklist
Complete this checklist after contract signing but before any system configuration begins.
Documentation and Agreements
- BAA signed and dated — before any patient calls are routed through the system
- BAA signed copies retained in your compliance documentation for minimum 6 years (HIPAA) — retain for 10 years to align with Tennessee records standards
- Existing HIPAA risk assessment updated to include the new VoIP system as an ePHI-handling asset
- Previous VoIP provider or phone system added to your BAA termination log if applicable
- IT/compliance officer designated as primary owner of VoIP HIPAA compliance
System Inventory
- Complete inventory of all phone numbers being ported from prior carrier
- All extensions documented with assigned staff roles
- External integrations identified (EHR, appointment scheduling, after-hours answering service) — each integration may require a separate BAA review
- Fax lines inventoried — virtual fax must also be covered under BAA
Call Flow Design
- After-hours routing documented: who receives urgent clinical calls, how on-call rotation is configured
- Emergency call handling verified: E911 must route correctly from every extension including mobile app users
- Patient-facing call flows reviewed for PHI exposure risk — auto attendant prompts should not request PHI before the call is connected to a live staff member
- Appointment reminder SMS flow reviewed — confirm encryption chain before patient messages are sent
Phase 3: Configuration Verification Checklist
Complete this checklist during system setup, before any live patient calls.
Encryption Verification
- TLS encryption confirmed active on all SIP trunks — provider must supply written confirmation
- SRTP confirmed active for all internal extension calls, not just external calls
- Voicemail at-rest encryption verified — request storage configuration documentation
- Call recording at-rest encryption verified — confirm recordings are not stored in unencrypted S3 buckets or similar
- Mobile app: iCloud and Google Drive sync disabled on all healthcare-configured devices
- Mobile app: confirm voice calls are carried over the provider's encrypted VoIP path rather than handed off to the native cellular dialer, including when the device is on WiFi
Access Controls
- Role-based access controls (RBAC) configured — minimum necessary access principle applied to every role
- Front desk role: access to incoming call queues, transfer capability, appointment-related voicemail only
- Clinical role: access to clinical voicemail and call recordings — no access to billing or administrative-only recordings
- Administrative role: access to administrative call recordings only — no access to clinical voicemail
- System administrator role: configuration access logged and audited
- All default/shared credentials changed — no shared user accounts, so every audited action can be traced to an individual
- Multi-factor authentication enabled on admin portal if available
Audit Logging
- Audit logging confirmed active on all call types: incoming, outgoing, transferred, recorded
- Voicemail access logging confirmed — every retrieval event timestamped with user identity
- System configuration change logging confirmed — every admin action logged with user and timestamp
- Login/logout event logging confirmed on all devices and portals
- Log retention confirmed for minimum 6 years (HIPAA) — configure for 10 years to meet Tennessee standards
- Log export process tested — confirm you can produce a complete audit log for any date range on request
Voicemail and Recordings
- Voicemail transcription service covered under BAA — confirm if transcription uses a third-party AI service
- Call recording access limited to authorized roles only — no public or shared links
- Recording retention policy set to 10 years for clinical content, 6 years minimum for administrative content
- Voicemail inbox routing verified — clinical voicemails route to correct department, not to shared general mailbox
- After-hours voicemail: confirm PHI is not exposed in outgoing greetings (callers should not be asked to leave clinical details in a greeting that routes to an unmonitored mailbox)
Phase 4: Staff Training Checklist
HIPAA violations in phone systems are most commonly caused by staff behavior, not system configuration. Complete this checklist before go-live.
Training Content Required
- HIPAA minimum necessary standard — staff trained not to discuss PHI beyond what is required for the call
- Voicemail protocol — staff trained on what PHI is permitted in patient voicemails (name, callback number, provider name — no clinical details)
- Mobile app usage — staff trained on correct configuration for personal devices used for work calls
- Call transfer procedures — staff trained on how to transfer calls without disconnecting and without exposing PHI to hold music or auto attendant queues
- On-call procedures — on-call staff trained on after-hours routing configuration and how to receive clinical calls on the mobile app
- Incident reporting — all staff know the procedure for reporting a suspected HIPAA breach involving the phone system
Training Documentation
- Training session dates and attendee sign-off sheets retained (HIPAA requires 6 years; retain 10 years under Tennessee standards)
- Training materials version-controlled — if HIPAA requirements change, you can demonstrate training was updated
- New staff onboarding procedure updated to include VoIP HIPAA training before phone access is granted
Phase 5: Go-Live Verification Checklist
Complete this immediately before cutting over to the new system.
Final Technical Verification
- Test call placed through every call flow — document outcome for compliance record
- Encrypted voicemail test: leave a test voicemail, confirm it is retrievable only by authorized users
- Audit log test: make a test call, confirm it appears in audit log within 5 minutes
- E911 test: confirm emergency calls route correctly from office phones and mobile app
- Failover test: confirm calls route to backup destination if primary connection is unavailable
- Number porting verification: confirm all ported numbers are active and routing correctly
Compliance Documentation Package
Before go-live, have the following on file:
- Signed BAA (dated before go-live)
- Provider encryption certification document
- System configuration documentation (call flows, user roles, retention settings)
- Staff training completion records
- Updated HIPAA risk assessment documenting the new system
- E911 configuration confirmation for all locations
Post-Go-Live: Ongoing Compliance Checklist
HIPAA compliance is not a one-time event. Complete the following on the schedule indicated.
Monthly
- Review audit logs for anomalies — unexpected access patterns, after-hours configuration changes, bulk voicemail downloads
- Confirm new staff have completed VoIP HIPAA training before phone access was granted
- Review any new integrations added to the phone system — confirm BAA coverage
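The monthly log review can be partly automated. The following Python script is an added example, not ATS Voice's tooling or any provider's export tool: it reads a constructed audit-log export and flags the three anomaly types the checklist names (after-hours configuration changes, bulk voicemail downloads, and voicemail access outside a user's role). The CSV layout, the role mapping, the business-hours window and the bulk threshold are assumptions to adapt to your provider's actual export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (timestamp,user,event,detail); the layout is an assumption.
SAMPLE_LOG = "\n".join(
    ["2026-01-14T09:12:03,fdesk_amy,voicemail_retrieve,box=frontdesk",
     "2026-01-14T13:05:00,admin_joe,config_change,add_extension",
     "2026-01-14T22:41:10,admin_joe,config_change,after_hours_routing",
     "2026-01-15T11:30:00,fdesk_amy,voicemail_retrieve,box=clinical"]
    + [f"2026-01-15T10:{i:02d}:00,rn_kim,voicemail_retrieve,box=clinical"
       for i in range(12)])

ROLE_OF = {"fdesk_amy": "front_desk", "rn_kim": "clinical", "admin_joe": "admin"}
ALLOWED_BOXES = {"front_desk": {"frontdesk"}, "clinical": {"clinical"}, "admin": set()}
BUSINESS_HOURS = (7, 19)  # assumption: config changes expected 07:00-19:00, Mon-Fri
BULK_THRESHOLD, BULK_WINDOW = 10, timedelta(minutes=15)  # assumed local baseline

def parse_log(text):
    """CSV export -> event dicts with real datetimes, sorted by time."""
    rows = [line.split(",", 3) for line in text.splitlines()]
    return sorted(({"ts": datetime.fromisoformat(t), "user": u, "event": ev, "detail": d}
                   for t, u, ev, d in rows), key=lambda e: e["ts"])

def after_hours_config_changes(events):
    """Admin configuration changes outside business hours or on weekends."""
    start, end = BUSINESS_HOURS
    return [e for e in events if e["event"] == "config_change"
            and (e["ts"].weekday() >= 5 or not start <= e["ts"].hour < end)]

def bulk_voicemail_downloads(events):
    """Users retrieving >= BULK_THRESHOLD voicemails inside any BULK_WINDOW."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "voicemail_retrieve":
            by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in by_user.items():  # times are already sorted
        peak = max(sum(1 for t in times[i:] if t - t0 <= BULK_WINDOW)
                   for i, t0 in enumerate(times))
        if peak >= BULK_THRESHOLD:
            flagged[user] = peak
    return flagged

def cross_role_access(events):
    """Voicemail retrievals from a box the user's role is not permitted to open."""
    hits = []
    for e in events:
        if e["event"] == "voicemail_retrieve":
            box = e["detail"].split("=", 1)[1]
            if box not in ALLOWED_BOXES.get(ROLE_OF.get(e["user"]), set()):
                hits.append((e["user"], box, e["ts"].isoformat()))
    return hits
```

Each finding should be recorded with the log lines that produced it so the monthly review itself becomes part of the compliance record.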
Annually
- Update your HIPAA risk assessment to reflect any system changes made during the year
- Verify BAA is still current — if your VoIP provider updates their subcontractors, you need an updated BAA
- Conduct a call recording retention audit — confirm recordings are being retained and purged according to your configured policy
- Refresh staff HIPAA training for phone communications — regulations and best practices evolve
On Provider Change or Contract Renewal
- Execute new BAA before migrating any data or calls to the new provider
- Obtain call recording and voicemail data export from prior provider — retain per your policy before data is purged
- Document prior BAA termination in your compliance records
- Update your HIPAA risk assessment to reflect the provider change
How ATS Voice Supports Tennessee Healthcare Compliance
ATS Voice provides Tennessee healthcare practices with a complete HIPAA compliance package: signed BAA before configuration begins, TLS/SRTP encryption on all voice paths, AES-256 encrypted voicemail and call recording storage on SOC 2 Type II certified infrastructure, and configurable retention policies that meet Tennessee's 10-year medical records standard. Our East Tennessee support team has implemented HIPAA-compliant phone systems for medical practices, dental offices, behavioral health providers, and multi-location clinic groups across Knox, Blount, and surrounding counties.
Every healthcare client receives a compliance documentation package at go-live — including the encryption certification, system configuration records, and a risk assessment supplement — ready for an OCR audit. Request a free compliance review for your practice.