How To Choose HIPAA Compliant Video Conferencing

Michael Carroll, Mar 27, 2020 (7 min read)

Video conferencing is a powerful tool that is changing the way healthcare professionals communicate. It enables doctors to offer more convenient patient interactions, including remote clinical services and live chat. It can improve the quality of patient care by allowing medical experts to confer with colleagues across the country. When patients are highly contagious, as during the COVID-19 pandemic, video conferencing can protect doctors, nurses, and other patients from exposure.

However, embracing these technological advancements within a HIPAA-compliant app also means finding HIPAA compliant video conferencing solutions. While patients seek the best medical care possible, they also care about confidentiality and information security.

What Is HIPAA?

The Health Insurance Portability and Accountability Act is designed to safeguard the privacy of patients and keep their health information secure. Sensitive records are now primarily stored in digital form, and under HIPAA this data is known as protected health information, or PHI. To protect the integrity of PHI, HIPAA compliance involves a series of rules and regulations covering, among other things, server security and user authentication.

Many healthcare providers are considered covered entities under HIPAA. Any organization that stores and transmits PHI electronically is generally required to abide by HIPAA guidelines. Covered entities can include doctors, dentists, chiropractors, hospitals, clinics, health insurance providers, and pharmacies, regardless of the size of the practice.

Requirements for HIPAA Compliant Video Conferencing

To be HIPAA compliant, a covered organization has to implement safeguards to keep PHI secure. Above all, client confidentiality must be guaranteed. HIPAA guidelines are divided into two main categories: the Privacy Rule and the Security Rule.

The Privacy Rule

The Privacy Rule ensures that information of patients and other parties stays confidential. At the same time, it allows health professionals to share relevant data to protect the health of patients. Video conferences can be beneficial in this regard since sharing information with colleagues can help doctors to reach a correct diagnosis.

In simple terms, the Privacy Rule permits healthcare organizations to share data with authorized individuals while requiring them to keep it private from everyone else. One of the most important parts of this rule is the Notice of Privacy Practices. Covered entities must create and update this document as it helps patients stay informed about how their personal information is used.

The Security Rule

The HIPAA Security Rule requires organizations to establish and maintain administrative, physical, and technical safeguards to protect PHI. Its purpose is ensuring that all stored and transmitted patient data remains confidential, accurate, and secure. The Security Rule applies to a wide range of digital information, including electronic health records, test results, pharmacy prescriptions, and X-ray images. Whether doctors want to access lab tests from a mobile device or have a remote video conference with patients, the system needs to follow HIPAA guidelines for information security.

Video conferencing can meet HIPAA requirements, but covered entities must use the proper tools to effectively manage patient data. As long as appropriate security protocols are followed, video conferencing can stay within HIPAA guidelines. Due to the sensitive nature of patient information, however, this is no simple matter.

What Issues Can Arise With Video Conferencing and HIPAA?

It's common for PHI to be involved in video conferencing. PHI can include electronic documents, videos, images, voice conversations, and other content. HIPAA defines 18 identifiers that make health information PHI. As long as this information is effectively protected during video conferencing, covered entities can include video as part of their communication.

HIPAA violations often occur by accident, so companies should regularly run risk assessments on their processes to avoid a data breach. Here are three possibilities for HIPAA violations related to video conferencing:

  • Talking over a non-secure connection: If the software used for video conferencing doesn't meet HIPAA standards, then calls where PHI is shared represent a violation. The video conference connection should use end-to-end encryption, and the inter-organizational network must be secure.

  • Sharing PHI accidentally with unauthorized parties: This situation can arise unknowingly if sensitive patient information is visible in the background of a video conference call. Many applications can capture and enlarge screenshots, so forms, X-rays, or other items with patient information left in view of the camera constitute a violation.

  • Speaking while unauthorized individuals are present: If a conference call between two or more medical professionals includes additional individuals not authorized to access PHI, it's a HIPAA violation. A secretary walking into the office to grab a document during an ongoing conference call may not seem like a big deal, but it's a serious breach of privacy.

Any time patient data is available to individuals outside of a patient's healthcare team, it constitutes a HIPAA violation. This includes names, Social Security Numbers, addresses, photos, or payment information. HIPAA compliance is vital for building a relationship of trust with clients.

How Can Doctors Use HIPAA Compliant Video Conferencing Correctly?

Carrying out HIPAA compliant video conferencing depends on two important areas: the type of software used and the behavior of personnel. The software has to fulfill stringent criteria for healthcare usage. At the same time, medical personnel need to follow security best practices to ensure PHI remains confidential.

Healthcare organizations should take the time to plan before implementing video conferencing. That way, organizations can ensure everything remains HIPAA compliant. It's important to establish administrative, physical, and technical safeguards.

Only authorized personnel should have sign-in credentials. All electronic devices used must be password protected, including tablets and smartphones. Video conferencing software must have access-control features such as password protection and user authentication. It's best to implement automatic sign-out in case a staff member forgets to sign out after a session.

Other technical safeguards required for HIPAA compliance include audit controls and monitoring features that allow administrators to track session activities. Finally, the organization needs a secure communications platform for all devices used within a network.
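The safeguards in the two paragraphs above (authenticating participants and admitting only the authorized care team, automatic sign-out after inactivity, and an audit trail an administrator can review) modelled as a small session controller. This is an added illustration, not PubNub's or any vendor's code; the roster, the 10-minute idle timeout and the session and user identifiers are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List

IDLE_TIMEOUT_SECONDS = 600  # assumption: auto sign-out after 10 idle minutes


@dataclass
class AuditEvent:
    ts: int          # seconds since epoch (integers keep the example deterministic)
    session_id: str
    user_id: str     # opaque staff/patient identifier, never a name or record number
    action: str      # "admitted", "denied", "signed_out" or "idle_signout"


class TelehealthSession:
    """One video session; only users on the care-team roster may take part."""

    def __init__(self, session_id: str, care_team: Dict[str, str]):
        self.session_id = session_id
        self.care_team = care_team          # user_id -> role, e.g. "physician"
        self.last_seen: Dict[str, int] = {}  # currently signed-in users
        self.audit: List[AuditEvent] = []    # audit trail contains no PHI

    def _log(self, now: int, user_id: str, action: str) -> None:
        self.audit.append(AuditEvent(now, self.session_id, user_id, action))

    def admit(self, user_id: str, authenticated: bool, now: int) -> bool:
        """Admit only authenticated users on the roster; log every decision."""
        if not authenticated or user_id not in self.care_team:
            self._log(now, user_id, "denied")
            return False
        self.last_seen[user_id] = now
        self._log(now, user_id, "admitted")
        return True

    def activity(self, user_id: str, now: int) -> None:
        """Record activity (speech, screen share) so the idle timer resets."""
        if user_id in self.last_seen:
            self.last_seen[user_id] = now

    def sign_out(self, user_id: str, now: int) -> None:
        if self.last_seen.pop(user_id, None) is not None:
            self._log(now, user_id, "signed_out")

    def expire_idle(self, now: int) -> List[str]:
        """Automatic sign-out: remove participants idle for the full timeout."""
        idle = [u for u, t in self.last_seen.items() if now - t >= IDLE_TIMEOUT_SECONDS]
        for user_id in idle:
            del self.last_seen[user_id]
            self._log(now, user_id, "idle_signout")
        return idle

    def participants(self) -> List[str]:
        return sorted(self.last_seen)
```

A denied join attempt is logged just like an admission, which is what lets an administrator later reconstruct who tried to enter a session and when.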

Warning Factors for Video Conference Platforms

To avoid HIPAA violations, medical personnel can't choose a video conferencing platform based on popularity or a whim. This decision is serious, and it can have a significant impact on overall HIPAA compliance. Here are three factors that should throw up red flags when considering software:

  • Lack of Secure Sign-ins: Complicated sign-in and authentication systems can increase the likelihood of human error. But if users can view your data without signing into a secure account, it is a big red flag. Look for software with simple-yet-powerful two-step verification, which pairs each personnel ID and password with a second verification step.

  • No End-to-End Encryption: AES-256 encryption is an excellent means of securing PHI because it makes sensitive data unreadable to unauthorized individuals, especially over untrusted networks such as public Wi-Fi. However, if the encrypted stream is decrypted on a third-party server along the way, it can still violate HIPAA. The best way to protect patient data is with E2EE, where only the sender and recipient hold the keys and can decrypt the stream.

  • No BAA provided: One of the most important documents when choosing a video conferencing application is the Business Associate Agreement. This establishes a legal relationship regarding PHI for HIPAA compliance. With a BAA, the video conferencing partner is subject to the same HIPAA requirements as the user. If the software company refuses to sign a BAA, it can constitute a violation.

A common error when selecting a video conferencing solution for healthcare is to confuse user-configured settings with built-in safeguards. Some popular apps allow users to set stricter privacy settings, including password sign-in options. However, these apps are not HIPAA compliant. To fulfill HIPAA requirements, features must be built in and impossible for users to disable. Additionally, each employee must comply with HIPAA's rules and regulations while using video conferencing tools. Even if a certain tool is labeled as HIPAA compliant, your company must create a usage policy to ensure compliance. Use our HIPAA compliance checklist to see if your company is following basic HIPAA standards.

What Type of Video Conferencing Software Should Medical Organizations Use?

There are several popular options for video conferencing, including Zoom, Skype, and FaceTime, but not all meet HIPAA criteria. Where telehealth and video conferences play a large part in business activities, it may be wise to invest in a platform specifically created for healthcare professionals. Attempting to adapt software designed for casual use to the field of medicine frequently doesn't provide the best results.

Is Zoom a HIPAA Compliant Platform?

Zoom offers many positive features for HIPAA compliance. As long as healthcare providers have a BAA with Zoom, it can be considered compliant. Many medical professionals routinely use the platform for telehealth services. In April 2017, the software company launched Zoom for Telehealth, a solution specifically designed for the healthcare market.

Zoom is attractive for healthcare organizations because it checks off all the boxes for HIPAA. Unlike many popular platforms, it includes access controls, authentication measures, and electronic health record-keeping. Data transmission takes place using end-to-end AES-256 encryption. This focus on healthcare also includes being willing to sign a BAA.

Is Skype HIPAA Compliant?

Health professionals should be cautious about sharing patient information or hosting telehealth sessions over Skype. Microsoft, which owns Skype, explains that many of its products are HIPAA compliant. The Skype platform offers AES-256 encryption, and Microsoft is willing to sign a HIPAA BAA. However, there are several aspects of the application that can potentially lead to violations.

The consumer version of Skype doesn't support HIPAA compliant video conferencing because it doesn't allow for tracking or auditing of video messages. In order to be HIPAA compliant, all involved parties would need to agree to use only the Enterprise E3 or E5 package of Skype for Business. This can lead to a great deal of confusion, make it hard to monitor compliance, and create a situation prone to accidental violations.

Is FaceTime a HIPAA Compliant Option?

The question of whether Apple’s FaceTime is appropriate for health-related video conferencing comes down to whether it qualifies for the HIPAA Conduit Exception Rule. Telephone service providers and ISPs are considered conduits, but cloud service providers are not. FaceTime offers secure peer-to-peer AES-256 encryption, and Apple doesn't store or decrypt the transmissions.

Apple's legal agreement prevents users from creating, receiving, maintaining, or transmitting any PHI through its cloud services. It also states that Apple will not act as a business associate. Since Apple refuses to sign a BAA, its platform would not typically qualify as HIPAA compliant. However, if the government considers FaceTime a conduit, then it would qualify under the related exception. Whether or not to use it for video conferencing depends on each organization's willingness to assume the risk. It may be better to implement a system known to be HIPAA compliant to avoid potential issues.

Where Can You Find HIPAA Compliant Communication Solutions?

In addition to video conferencing, many types of medical communication are subject to HIPAA regulations. Before pressing send on a social media messaging app, think again. Sending text messages to patients or transmitting patient data via these platforms can be a privacy and security violation. To make sure messaging is HIPAA compliant, trust a healthcare-focused chat solution from PubNub. Learn more by contacting our team right away.