
In 2017, CardioNet paid $2.5 million to settle potential HIPAA violations after a thief stole an unencrypted laptop containing patient data from an employee's parked car.
Investigators also found that the company had never finalized its mobile device privacy policies.
CardioNet isn't an isolated case. Healthcare providers around the country still struggle to meet HIPAA and HITECH standards.
The most common HIPAA violations are:
- Sharing PHI through regular SMS or unsecured texting apps
- Staff using personal phones for patient communication
- Failing to sign a BAA
- Storing data on unencrypted devices
- Using outdated phone systems to communicate with patients
And privacy lapses come at a steep price. A single HIPAA violation can expose a healthcare facility to hefty fines, a dented reputation, and lost patients.
The good news? These problems are preventable.
Healthcare providers can secure patient data, maintain compliance, and avoid costly penalties with iPlum, a mobile-first phone system built for team management, security, and scale.
The case study below explains how a three-location primary care group moved 28 staff members from personal phones to compliant business lines in a couple of days, resulting in a 31% drop in front-desk turnover.
Table of Contents
1. Meet Diane, the administrator running three clinics on personal phones
7. iPlum — the HIPAA-compliant phone system for multi-location clinics
Meet Diane, the administrator running three clinics on personal phones
Diane is the practice administrator at a primary care group with three locations in the same metro area.
Her staff of 28, including six providers, two office managers, and twenty front desk staff and medical assistants, coordinates multiple patient interactions daily.
But there was a problem. Three, to be exact.
One. 24 of her 28 staff members — 85% — used personal cell phones for patient coordination. As a result, appointment reminders, reschedules, and prescription questions all flowed through private devices.
Two. None of it left a record. The clinic had no call logs or text archives for mobile communication. Plus, there was no signed BAA for any of it.
Three. Patients saved staff members' personal numbers and texted them at night, on weekends, and during vacations.
Diane knew the setup was fragile.
And to confirm her fears, a front desk employee resigned and walked out with 200+ patient contacts saved on her personal phone. Nothing malicious happened, but the near-miss forced the issue.
"We had protected health information sitting on two dozen personal phones," Diane recalls. "One lost device, one wrong screenshot, and we'd be reporting a breach."
Diane set a must-achieve goal: get patient communication off personal numbers, meet HIPAA standards at all three locations, and give her staff their evenings back.
The search led her to iPlum's HIPAA-compliant solution for healthcare practices.
The challenge
The phone setup at the practice where Diane worked created compliance exposure and a staffing issue simultaneously.
Let's start with compliance.
Texts containing medication instructions and appointment details were sent via regular SMS with no encryption or audit trail. If a regulator or an attorney requested records, Diane had nothing to produce.
Therefore, audit preparation meant chasing screenshots from two dozen personal devices, and the clinic's last internal compliance review dragged on for three weeks.
The staffing toll ran just as deep.
Front desk employees fielded patient texts at dinner, on weekends, and on holidays. In fact, exit interviews cited after-hours patient calls as a top-three complaint, with annual turnover in front-desk roles reaching 42%. Recruiting and training replacements consumed weeks Diane couldn't spare.
"My best scheduler quit because patients texted her at 9 p.m.," Diane says. "We were losing good employees over a phone problem."
Coordination between locations suffered, too.
Patients called one office about appointments at another, and there was no phone tree to route them to the right desk.
Traditional fixes didn't offer relief either.
A legacy phone vendor quoted $12,000+ for hardware, installation, and contracts across three sites before a single compliance feature was even mentioned.
The solution
Diane chose iPlum after comparing quotes and reading reviews from other multi-location practices.
The rollout required no new hardware. Her staff installed the iPlum app on the phones they already carried, and IT involvement ended there.
iPlum provisioned all 28 lines in six business days, and onboarding took under 20 minutes per person.
Here's what the clinic deployed.
1. HIPAA-compliant text messaging
iPlum's encrypted texting replaced regular SMS at all three locations.
Messages now travel with end-to-end encryption and two-factor authentication, and the system archives every exchange automatically for audit purposes.
Staff also gained text templates for routine reminders and auto-replies for after-hours messages, so patients receive a response even when the office is closed.
2. Dedicated business lines on personal devices
All 28 staff members received a dedicated iPlum business number on their existing phones. Now, outgoing calls display the business number, so personal numbers remain private.
And, when an employee leaves, Diane reassigns the line in minutes. More importantly, the number and its message history remain with the clinic, not the departing employee — the exact problem the near-miss exposed.
3. Centralized admin console for three locations
Diane manages all 28 lines from one dashboard. She can add users, set permissions, review usage, and pull call or text records for any location within minutes.
4. Phone trees, business hours, and call routing
An advanced phone tree with unlimited extensions at each location now routes callers to the right desk, so patients reach the correct office on the first try.
Meanwhile, business hours settings send after-hours calls to voicemail and trigger auto-replies for texts. With iPlum, patients get an answer, and staff get their evenings back.
5. A signed BAA and audit-ready records
iPlum signed a BAA with the clinic, closing the compliance gap left by the old setup. Call logs and message archives now sit in an audit-ready format that Diane can produce on request.
The results
Within 30 days, Diane eliminated personal phone use for patient contact entirely, reducing it from 85% of staff to 0%.
The table below summarizes the main improvements after the switch.

As you can see, compliance audit preparation dropped from 3 weeks to 4 days — an 81% reduction — because records now live in a single archive that Diane controls.
In addition, after-hours interruptions on employees' personal time fell 90% once business hours and auto-replies went live.
On top of that, exit interviews stopped mentioning after-hours patient calls, and over the following year, front desk turnover fell from 42% to 29%, a 31% drop. While turnover has multiple causes, Diane credits the phone change as the biggest contributor.
The clinic now pays roughly $2,400 per year for all 28 lines, 80% less than the $12,000+ quote for a traditional multi-site phone system.
Why it worked
iPlum solved two compliance problems and a staffing problem with a single change.
To begin with, dedicated business numbers separated work from personal life on the same device. Staff carried one phone, and patients never saw a personal number again.
The BYOD model also removed the usual barriers to a multi-site rollout. With no hardware, no installation, and no IT project, all three locations went live in under a week.
Also, the centralized administration gave Diane oversight she never had before. She got one dashboard that manages user setup, permissions, and records for the entire practice.
In addition, business hours and auto-replies protected employees' personal time. With iPlum, patients still received timely responses, so satisfaction held steady while burnout eased.
And the signed BAA, encryption, and automatic archiving made compliance provable instead of assumed. The clinic can now produce complete records for any audit, attorney request, or internal review.
Long-term impact
180 days after signup, the numbers remained impressive.
Personal phone use for patient contact remained at zero. Also, the clinic reported no privacy incidents, and a follow-up internal compliance review closed in four days with complete records.
The staffing trend continued as well.
Two front desk employees who had planned to leave decided to remain, and Diane onboarded four new hires onto compliant lines in under 20 minutes apiece.
Patients adapted quickly, too. The phone trees reduced misrouted calls between locations, and secure texting became the default channel for reminders and reschedules.
"I used to dread audits and resignation letters in equal measure," Diane says. "Now both are routine paperwork."
iPlum — the HIPAA-compliant phone system for multi-location clinics
Diane's experience demonstrates how the right communication system can change how a multi-location practice runs.
Before iPlum, Diane had no records on two dozen personal phones, lost staff to after-hours burnout, and had no way to track time. After switching to iPlum, patient communication turned compliant, documented, and contained within business hours.
Today, Diane runs three locations with confidence.
"I can prove our compliance now, and my staff can eat dinner in peace," Diane concludes. "Both seemed impossible a year ago."
The case study underscores iPlum's commitment to give healthcare practices the tools they need to protect patient data and their employees' time.
And the beauty of it is that iPlum is one of the most affordable HIPAA-compliant phone systems for multi-location practices.
Want in?
Click the link below to get started with iPlum

%20(1).avif)
.avif)