Is Grasshopper HIPAA-compliant + a secure alternative

If your practice handles PHI daily through calls, texts, and voicemails, you need a HIPAA-compliant phone system. Otherwise, your patients’ privacy is at risk. You could also face fines ranging anywhere from $100 to $50,000 per violation.*

In your search, you might’ve come across Grasshopper — a lightweight solution for smaller businesses. But is Grasshopper HIPAA compliant? This guide covers why Grasshopper doesn’t meet HIPAA standards and outlines 10 other limitations. You’ll also learn about a compliant alternative with better features that enhance your communication with patients.

Is Grasshopper HIPAA compliant?

In short, no. If you try to use Grasshopper to handle patient interactions involving PHI, you’ll be in violation of HIPAA. Why?

First, Grasshopper doesn’t sign business associate agreements, or BAAs. A BAA is a contract between a healthcare provider, or a Covered Entity, and a third party, or a Business Associate. 

The agreement ensures that both you and your phone vendor are accountable in the event of a PHI breach. It defines your responsibilities as the healthcare provider. It also sets security expectations for both parties. Without a signed BAA, you can’t legally use a service to handle patient information.

Second, Grasshopper doesn’t offer the security features required under HIPAA’s Security Rule. For example, it lacks:

  • Encryption for ePHI in transit and at rest
  • Access controls
  • Audit logs

Healthcare providers need a tool that’s meant for them: a phone system that handles compliance and gives your team what they need to deliver better patient care.

10 More Grasshopper limitations to keep in mind

Along with not being a HIPAA-compliant VoIP platform, Grasshopper has several other limitations:

1. Auto-replies are limited

Grasshopper’s business phone numbers let you send automatic text follow-ups — with some conditions. First, you’re limited to the same message across all communication types. So you can’t set different auto-replies for texts, voicemails, or calls.

Second, each caller only receives one auto-reply per day, even if they reach out more than once a day. 

Without proper auto-replies, you can’t set expectations for patients or let them know you’re out for the day and when you’ll get back to them. You also can’t share instructions for specific situations, like how to book an appointment after hours.

Some other notable limitations to keep in mind:

  • You can’t set up auto-replies for callers who leave a voicemail or hang up before selecting an extension.
  • Your auto-reply message is limited to 160 characters max. This makes it difficult to write everything you need to say.

With auto-replies from Quo, formerly OpenPhone, you can set multiple auto-reply rules, even on the same number. For example, you can have different messages for missed communications during or after business hours. You can also set up distinct messages for missed calls, texts, and voicemails.

2. You can only store voicemails and call recordings in-app for a short amount of time

Grasshopper stores voicemails within the app for 30 days, though voicemail emails are stored indefinitely in your email inbox. You can also access up to 14 months of communications history through the mobile app.

To comply with HIPAA’s six-year retention requirement, you’ll need to manually download and store call recordings in your own secure system before the 30-day in-app period ends.

3. It’s hard for teammates to work together to solve customer issues

Grasshopper is mainly marketed to solopreneurs or very small teams. It wasn’t built with team collaboration in mind. That means it lacks features like:

  • Inbox viewers to let all team members see who’s viewed conversations, call summaries, and call transcripts
  • Internal threads so teammates can solve problems behind the scenes or tag each other to handle follow-up calls and texts

For example, say a patient’s insurance claim was denied and they keep calling different staff members to ask about it. Without internal threads, staff can’t coordinate on who’s responsible for following up. The patient gets different answers, and staff waste time on duplicate work.

4. The base plan only lets you have one user

Grasshopper’s True Solo plan only gives you one user and one phone number. While this may work for solopreneurs who just need to forward calls, it doesn’t work for a growing healthcare practice.

If you want two or more users, you can upgrade to the Small Business plan and add three more numbers — at an even higher cost.

5. Texting limitations affect how you serve customers

Grasshopper lets you send text messages to numbers in the US and Canada. However, Grasshopper SMS has several restrictions:

  • You can’t text international numbers
  • Toll-free numbers can’t text Canadian numbers
  • Toll-free numbers can’t use group texting or send MMS messages

Another limitation? Few text message automations. There’s no way to create snippets to answer frequently asked questions or queue scheduled texts to customers in different time zones. So, for example, you can’t schedule appointment reminders ahead of time. Without templated texts, staff also have to manually type the same messages over and over.

6. Expensive add-ons that might not be worth the cost

As your team expands, so does the cost of using Grasshopper. According to Grasshopper pricing details, you can only get certain features as add-ons or upgrades, such as:

  • Additional phone numbers: $9 per number per month
  • More extensions: $3 per month per extension, or $55 per month for a plan with unlimited extensions
  • Call blasting: $9 per month 

7. International calling requires a $500 deposit

If you need to make or receive international calls, you’ll have to put down a $500 deposit. Grasshopper withdraws the cost of each call until you use up the amount. Also, note that the provider considers Alaska and Hawaii as “offshore numbers.” They’ll charge you international calling rates if you’ve made or received calls from those states.

“I am based in Hawaii. Which apparently is not part of the United States. In order to call people in Hawaii and forward calls to phone numbers in Hawaii, I need to activate international calling, and then I get charged international calling for calling someone down the street in Hawaii, and get charged international calling when someone down the street calls me. I dislike that very much.”  — G2

Assuming you can handle the upfront cost, you still have to wait 60 days before you can enable international calling.

8. Additional extensions require an upgrade

You only get one extension with Grasshopper’s True Solo plan. To add more, you either have to pay a monthly cost or upgrade your plan. Unlimited extensions are available at the highest tier, but it costs $55 per month compared to $14 per month for the base plan.

This can get expensive if you need to route calls to different staff members or locations. But trying to work with a single extension could mean patients get stuck on hold — or sent straight to voicemail.

9. Calls, texts, and voicemails are stored separately

If you want a medical office phone system that shows every detail of patient interactions in one place, you won’t find it with Grasshopper. Instead, your team has to click through different menus in the workspace to string together a history from calls, texts, and voicemails. This takes a long time and runs the risk of someone missing important information.

Grasshopper has recently added a feature called “unified view.” This lets you see all messages from a contact in the same place. However, the unified view is only available on their mobile app. Also, navigating to this view might not be very intuitive for all users. So team members may still miss important communication.

10. Call transfer capabilities are limited

Grasshopper offers basic call forwarding, but its transfer features are restrictive and clunky. On plans that offer multiple extensions, calls ring through to each extension in order until someone picks up. 

If you want to transfer a call to a specific extension instead, you’ll run into a few problems:

  • You can only transfer inbound calls. When you call a patient, you can’t transfer them directly to another extension if they need to talk to another person in your practice.
  • You need to set up the calling card feature to transfer calls from a landline to an external number. Calling cards must be enabled for every landline you use for your practice.

Here’s how that process can look on your phone:

Transferring a call on Grasshopper

Quo: The best Grasshopper alternative for healthcare providers

Although it’s a popular virtual phone system for small businesses, Grasshopper doesn’t offer HIPAA compliance. If you’re discussing protected health information, you need a compliant option like Quo.

Quo’s Business and Scale plan users can request a BAA to ensure HIPAA compliance. And of course, you get secure PHI storage and transmission across calls and voicemails.

Here’s how Quo protects PHI and keeps your practice compliant:

  • Data encryption. Quo encrypts all data in transit using TLS 1.2+ and at rest using AES-256 encryption. These are the same encryption standards used by financial institutions.
  • Access controls. Only some users will have full administrative control, while others can only access calling and texting. If someone quits or loses their work device, you can revoke their user access to protect patient data. Multi-factor authentication, or MFA, is also available as an additional layer of security.
  • Automatic logouts. Users are logged out after 15 days of inactivity to prevent unauthorized access. You can adjust this to be longer or shorter based on your security protocols.
  • Audit logs. Track all staff actions, like call access, voicemail retrieval, and record downloads. This lets you easily spot unusual activity and keep records for compliance reviews.
  • Secure storage. PHI is guarded by multiple layers of security through AWS and Google Cloud Platform. This gives your small business phone system enterprise-level protection on top of Quo’s SOC 2 Type 2 certification.

In addition to security, Quo offers other tools to make your practice more efficient. These include:

  • Shared numbers. Share responsibility for texts and calls. Improve collaboration and oversight so you never miss a call or forget to reply.
  • All patient communication is stored in one inbox. Keep calls, texts, and voicemails centralized so your team has full context and can see who’s handling each conversation. This helps ensure timely, coordinated patient care.
  • Scheduled text messages and snippets. Create reusable message templates for common communications like appointment reminders. Just select the template, fill in the details, and hit send. You can also schedule messages to go out automatically so patients hear from you at the right time.
  • Call forwarding and call routing. Easily direct calls to the right department or team member based on conditions like business hours or availability.
  • Customizable auto-attendant. Let callers route themselves to where they need to go. This reduces the load on your receptionist and gets patients to the right department faster.

💡Want to compare your options? Check out our guide on Quo vs Grasshopper

Quo: Patient communication done right

So, can Grasshopper be used in a HIPAA-compliant manner for healthcare communications? The answer is a solid no. Grasshopper doesn’t provide BAAs or the security features your practice needs to protect patient information. This can leave you at risk of costly HIPAA violations and reputational damage.

Quo is a HIPAA-compliant Grasshopper alternative that helps growing practices more effectively manage their phone communication with: 

  • Robust security features
  • Essential compliance certifications
  • Unlimited calls and texts to the US and Canada
  • Local and toll-free numbers
  • Secure mobile and desktop apps 
  • Shared numbers and inboxes
  • Customizable call routing and phone menus

Ready to see how these features can improve your healthcare practice? Try Quo for free for seven days.

*American Medical Association, HIPAA violations & enforcement

FAQs

What is Grasshopper?

Grasshopper is a virtual phone system built for solopreneurs and entrepreneurs. It can handle basics like call forwarding, voicemail, and simple auto-replies. However, it lacks the collaborative features to support growing businesses.

Is VoIP HIPAA compliant?

VoIP technology itself isn’t inherently compliant or non-compliant. But some VoIP solutions, like Quo, can be configured to handle PHI in a HIPAA-compliant manner.

How can you tell if software is HIPAA compliant?

A software product is HIPAA compliant if its vendor:

  • Signs a Business Associate Agreement, or BAA, with you
  • Implements required security measures like encryption, access controls, and audit logs
  • Follows HIPAA’s Privacy and Security Rules for handling PHI

Always ask vendors directly about their HIPAA compliance and request a signed BAA before using their service to handle patient information.

Which VoIP provider is best?

The best VoIP service provider depends on your business. We’re admittedly biased. But for most healthcare providers and growing businesses, Quo is the best HIPAA-compliant phone service.

What CRM is HIPAA compliant?

Several CRM options comply with HIPAA regulations, including:

  • Salesforce Health Cloud
  • HubSpot Healthcare, enterprise plan
  • LeadSquared
  • Zendesk
  • Insightly
  • Zoho CRM

Always verify that your CRM offers BAAs and includes the required security features before using it with patient information.
