Skip to Content

Telecom Regulation: What Buyers Should Actually Care About

A short, honest read on the telecom rules that affect your phone bill, your data, and your provider's reliability — without the policy lecture.
August 1, 2023 by
Telecom Regulation: What Buyers Should Actually Care About
Earl Rusnak

Most articles about telecom regulation are written for policy people. This one is written for the person paying the phone bill. The rules that affect your business aren't the abstract ones — they're the half-dozen specific requirements that change what your provider can do, what they have to do, and what you're responsible for.

We're VoIP International, an operator headquartered in Ocoee, Florida. We work inside these rules every day. Here are the ones that actually matter for buyers.

The five rules that affect your phone system

  • Number portability. The FCC requires carriers to release your phone numbers when you switch providers. That means no provider can hold your numbers hostage. We charge $15 per number to port in — and your old provider can't legally refuse the request, even if you're under contract for service.
  • E911. Every business line must have a registered service address so 911 dispatch knows where to send help. We include E911. A misdial caused by a bad or outdated address triggers a $150 charge from emergency services — keep addresses current as people move desks or work from home.
  • STIR/SHAKEN. The framework that makes carriers digitally sign outbound calls so they show up as "verified" on the called party's caller ID. Calls from providers who aren't compliant get flagged "Spam Likely" or blocked. Ask any provider you're considering whether they're fully attesting — we are.
  • HIPAA (for healthcare). If a patient's name and a clinical detail can be reconstructed from a voicemail or recorded call, the phone system is processing PHI. That requires a Business Associate Agreement and HIPAA-compliant infrastructure. Our healthcare phone system and dental phone system include HIPAA at $49/mo.
  • CPNI. Customer Proprietary Network Information rules govern how carriers handle your call records. Reputable providers will only release call detail to authorized account contacts. Make sure the contacts on file are current.

Number portability in practice

People hear "portability is your right" and assume it's frictionless. It isn't always. Old providers can drag a port for weeks if the paperwork on your account doesn't match the LOA (Letter of Authorization). The single most common reason ports fail or delay: the business name on the account isn't exactly the legal entity name, or the billing address doesn't match the latest invoice.

Before you submit a port, grab a current bill from your old provider and compare it line by line to what you give us. Match the business name and address exactly, even if it has odd capitalization or an old suite number. We won't accept an LOA that doesn't match the bill, because the losing carrier will reject it and we'd rather catch it on day one than day fourteen.

What you control during a port

Your job during a port is: keep paying the old provider until the port confirms (canceling early loses you the number), notify whoever updates printed materials in case the port slips a few days, and keep at least one person watching the old system to confirm nothing is failing silently. The provider's job is to drive the port forward, escalate when needed, and tell you the actual scheduled FOC (Firm Order Commitment) date.

STIR/SHAKEN, in the call center

This is the rule that affects answer rates more than anything else in the last five years. STIR/SHAKEN signs outbound calls with one of three attestation levels:

  • A — Full attestation. The carrier knows the customer and knows the customer owns the calling number. This is what your calls should be marked.
  • B — Partial. Customer is known, number ownership isn't verified.
  • C — Gateway. Call arrived from another carrier, no verification possible.

If your provider is signing your calls B or C, your calls get flagged "Spam Likely" more often. We sign A. If you've been seeing answer rates drop, that's the first thing to check with whoever you have today.

Caller name (CNAM) and what it costs

Separately from STIR/SHAKEN, your outbound caller ID has a name field (CNAM) that downstream carriers look up against a national database. If your CNAM isn't registered, your business name shows up blank or as the area's default. CNAM registration is a one-time setup and adds a small monthly fee at most providers. We include it for outbound on business accounts; if you want a specific CNAM string different from your registered name, ask.

The 10DLC piece (for SMS)

If your business is sending SMS — appointment reminders, two-factor codes, marketing — the 10DLC framework requires you to register your business and your messaging campaigns with mobile carriers. Unregistered traffic gets blocked. We handle this for customers using SMS through our system; it's not optional anymore.

E911 for remote and hybrid teams

The old model: phones were nailed to the wall, addresses were obvious. The new model: a softphone in Denver, a mobile app in Charlotte, a desk phone in Ocoee, all on one extension. When a remote worker dials 911, the address dispatched to is the address registered against that endpoint — not the company HQ.

Make this part of your onboarding for remote workers:

  • Have them confirm their home address when the softphone is provisioned.
  • Update it any time they move.
  • Tell them they can override 911 location from the mobile app if they're traveling.

We expose the update flow in the user portal. It takes 30 seconds. The $150 misdial charge for a bad address is rare but real, and the bigger cost is dispatch going to the wrong location during an actual emergency.

Kari's Law and RAY BAUM'S Act

Two federal rules that became enforceable in the last few years and affect every business phone system: Kari's Law requires that any internal phone allow direct dialing of 911 (no "dial 9 first" prefix), and RAY BAUM'S Act requires that 911 calls deliver a "dispatchable location" — not just a building address, but enough detail to find the caller inside a multi-story or multi-suite building. Our system handles both by default; if you have a custom PBX setup, verify both are configured on your end.

HIPAA and the BAA

For covered entities (healthcare practices, dental practices, anyone billing insurance directly), the phone and fax system handles PHI. The provider has to sign a BAA. The traffic has to be encrypted. Access has to be controlled. The audit log has to exist.

What this looks like in our product:

  • BAA signed at the account level for healthcare customers
  • Voicemails, recorded calls, and faxes encrypted at rest
  • User access controls so only authorized staff can hear recordings or read faxes
  • Audit logs for retrieval during a compliance review

HIPAA is a $49/mo add-on on our healthcare, dental, and wellness clinic plans. If the provider you're talking to says "we're HIPAA compliant" but won't sign a BAA, walk away.

What HIPAA doesn't say

A common confusion: HIPAA doesn't ban voicemail messages that mention a patient's name, or call recording, or texting with patients. It requires reasonable safeguards. What's reasonable depends on context — encrypted storage, controlled access, audit trail. Practices that try to over-comply by banning common workflows usually end up with worse care coordination and the same audit risk. Talk to your compliance counsel; the answer is almost always "set it up correctly," not "don't do it."

What regulation gets you, practically

The rules above are why a few things work the way they do:

  • You can change phone providers without changing your phone number.
  • Your customers can usually trust the caller ID they see when you call them.
  • 911 finds your office even if you call from a softphone in a hotel.
  • Your healthcare practice can use cloud phone service without violating HIPAA, if the provider is set up right.
  • Your SMS to customers actually gets delivered.
  • Your call detail records can be pulled during a dispute or audit.

What regulation doesn't get you

It doesn't guarantee uptime. It doesn't guarantee call quality. It doesn't stop a reseller from disappearing and leaving you with a frozen account. It doesn't make any provider technically competent. Those are operator choices, not rule-driven outcomes. Most of the bad provider stories aren't regulatory failures — they're business failures. Pick a provider whose business model makes sense and whose support phone gets answered.

The 988 line and the FCC sunset of POTS

Two pieces of recent regulation that affect buyer decisions even though they aren't directly about your phone system: the 988 Suicide and Crisis Lifeline became enforceable on all business systems, meaning your PBX has to route 988 like any other dial code. And the FCC's TDM-to-IP transition (the "POTS sunset") allows carriers to retire copper service in many regions, often with significant rate hikes during the transition. If you're still on copper lines, the bill is going up regardless of whether you move; the only question is what you move to.

What to ask a provider before you sign

  • Are you fully STIR/SHAKEN attesting on all outbound calls?
  • Do you sign a BAA if we need HIPAA?
  • What's your porting timeline and per-number fee?
  • How do you handle E911 for remote workers?
  • Where are your data centers, and what's the published uptime?
  • Are you the operator, or are you reselling someone else's platform?
  • How do you handle 10DLC registration for SMS?
  • What's your stance on customer-initiated cancellation — can I leave with my numbers, today, without a fight?

If a provider can't answer those in a sentence each, keep looking. We answer them on our FAQ and our pricing page.

What we don't do

We don't sell phone service into countries we're not licensed to operate in. We don't help customers spoof caller ID for unverified destinations. We don't sign BAAs casually — we sign them when a customer is a covered entity and the integration actually requires it. We don't charge cancellation fees as a profit center. Compliance is a posture, not a checkbox.

Common mistakes buyers make

  • Trusting marketing copy over a BAA. Get the agreement in writing.
  • Ignoring caller ID flagging until outbound answer rates fall off a cliff. STIR/SHAKEN matters from day one.
  • Not registering remote worker E911 addresses. Set the process before you onboard them.
  • Letting CPNI contacts go stale. If the person who can authorize an account change left the company two years ago, you'll waste hours getting back in.
  • Buying from resellers who can't tell you who's actually running the platform under the hood. If something breaks, the reseller has to call their upstream — which means slower fixes.
  • Forgetting 10DLC. Unregistered SMS gets blocked. Find out now, not after your appointment reminders stop reaching patients.
  • Not testing 911 after a move. Make a test call to your local PSAP non-emergency line and confirm the address is correct.

State-level rules that surprise people

Federal regulations get the attention, but several states layer additional requirements. A few worth knowing about:

California recording consent

California is a two-party (all-party) consent state for call recording. If your business records calls and any party is in California, all parties must be informed. The standard "this call may be recorded for quality assurance" announcement at the start of a call satisfies the requirement. Build it into the auto-attendant if you record routinely.

State 911 surcharge variations

911 surcharges vary state by state and even by county. They appear as line items on your bill. Some providers blend them into their per-user price; others itemize. We itemize because it's more honest, even though it makes our bills slightly less clean to read.

Cross-border porting

You can port a US number from any state to a provider in any state — there's no geographic restriction on operator location. That said, the porting process can take longer when the losing carrier's local rules add friction (Texas and New York have particularly fussy rules). We're operating from Florida and we port numbers from all 50 states routinely.

What to do this week if you're worried about compliance

A short checklist:

  1. Pull a recent call from your outbound and check what STIR/SHAKEN attestation level your provider is using. Most provider portals expose this.
  2. If you have remote workers, confirm their E911 addresses are current. Spot check by sending a test message via your provider's portal that exercises the location data.
  3. If you handle PHI, locate your BAA and confirm it's signed and current. If you can't find it, it probably isn't.
  4. Check who has CPNI authorization on your account. Remove anyone who has left the company.
  5. If you send SMS, confirm your 10DLC registration is current. If not, expect delivery failures.
  6. Review your call recording disclosure language. If you have California customers, make sure consent is captured.

Where to start

If you want to know what changes when you move your service to a compliant operator who answers the phone, ask us. Contact us, look at who we are, or get started. We'll walk through your current setup, identify the regulatory gaps, and quote what it looks like to fix them.

Call Park, Explained Without the Filler
What call park is, how directed and system-wide differ, and how we set it up on a 20-person office.