Guest Post: This is a guest post contributed by Atlantic.Net, Inc. Atlantic.Net provides an array of hosting services, including cloud, dedicated, colocation, private virtualization, and managed hosting. Their state-of-the-art infrastructure is SOC2, SOC3, HIPAA, and HITECH compliant and housed in secure, climate-controlled facilities with constant monitoring and multiple direct connections to the Internet backbone to ensure the availability and safety of customer data.
HIPAA Compliant Video Calls
Video conferencing has become ubiquitous in the post-COVID-19 era and is an important enabler for telehealth services. However, to use video calls for healthcare, you must ensure your video conferencing service is compliant with relevant regulations. In this article, we’ll explain compliance requirements for video calls in the USA, essential features of HIPAA-compliant services, and how to select a service to suit your needs.
What is HIPAA Compliance?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, together with the Privacy and Security Rules issued under it, sets the national standards for protecting patients' protected health information (PHI), including the personally identifiable information (PII) that ties health data to a specific individual.
HIPAA applies to covered entities (healthcare providers, health plans and clearinghouses that handle patient information) and to business associates that create, receive, store or transmit PHI on their behalf. Software vendors serving the healthcare industry, including video conferencing providers, are typically business associates and must comply with the HIPAA Security Rule just as their customers do.
HIPAA protects PHI in any medium or form. PHI is not limited to obvious identifiers such as names, driver's license numbers and Social Security numbers; the list of identifiers also covers full-face photographs and biometric identifiers such as fingerprints and voiceprints. A recorded telehealth session, which captures the patient's face, voice and the content of the consultation, is therefore PHI and must be protected accordingly.
What is Required for HIPAA Compliant Video Chat?
Your organization's health data management practices must also extend to video conferencing services. Here are the core Security Rule safeguards a video chat solution must implement:
- Encryption—prevents anyone without the decryption key from reading PHI, both for the call stream while it is in transit and for any recordings, chat transcripts or files stored afterwards. HIPAA classifies encryption as an “addressable” safeguard rather than a required one: you must implement it where it is reasonable and appropriate, and where you decide it is not, you must document why and implement an equivalent alternative measure. In practice there is no reasonable substitute for encrypting a video stream that carries PHI, so treat it as mandatory.
- Access control—limits each authenticated user to the PHI they need to do their job (HIPAA's “minimum necessary” standard). This means role-based permissions: a clinician can join and review sessions for their own patients, while scheduling or support staff may be able to set up calls but not view recordings.
- Audit control—records who accessed which PHI and when, so that unauthorized use can be detected and investigated. Logging does not by itself prevent misuse, but an audit trail of session joins, recording views and downloads lets you baseline normal access patterns and spot anomalies such as an account viewing recordings for patients it has no relationship with.
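The access-control and audit-control points above are easier to see in code. The following is an added example written for this article, not code from Atlantic.Net or any video conferencing vendor: it applies a role-based, per-patient policy to audit events from a hypothetical telehealth service and flags both unauthorized actions and unusual bulk access to many patients' recordings in one day. The event format, the role policy, the clinician-to-patient assignments and the log lines are all assumptions constructed for the example.

```python
"""Added example (not from the original article or any vendor): a minimum-
necessary access check plus an audit-log review for a telehealth video
service.

Assumptions (constructed for this example, not a real product's format):
each audit event is one JSON line with the fields "ts", "user", "role",
"action", "patient" and "session"; the role policy, the clinician-to-patient
assignments and the sample log below are all made up.
"""
import json
from collections import defaultdict
from datetime import datetime

# Minimum-necessary policy: the actions each role may perform (assumed).
ROLE_ACTIONS = {
    "clinician": {"join_call", "view_recording", "download_recording"},
    "scheduler": {"create_invite", "join_call"},
    "support": {"join_call"},
}

# Clinicians may only reach recordings of patients assigned to them (constructed).
ASSIGNED_PATIENTS = {
    "dr.lee": {"P-1001", "P-1002"},
    "dr.kim": {"P-2001"},
}

# Recording access exposes stored PHI, so it gets the per-patient check.
RECORDING_ACTIONS = {"view_recording", "download_recording"}

# Distinct patients one user may touch per day before we flag bulk access.
BULK_THRESHOLD = 3


def is_authorized(event):
    """True if the event's role may perform the action on that patient."""
    if event["action"] not in ROLE_ACTIONS.get(event["role"], set()):
        return False
    if event["action"] in RECORDING_ACTIONS:
        return event["patient"] in ASSIGNED_PATIENTS.get(event["user"], set())
    return True


def review_audit_log(lines):
    """Parse JSON-lines audit events and return findings as tuples:
    ("unauthorized", user, action, patient) for each policy violation and
    ("bulk_access", user, date, None) once a user reaches BULK_THRESHOLD
    distinct patients in a single day."""
    findings = []
    patients_per_user_day = defaultdict(set)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        if not is_authorized(ev):
            findings.append(("unauthorized", ev["user"], ev["action"], ev["patient"]))
        key = (ev["user"], ts.date())
        patients_per_user_day[key].add(ev["patient"])
        # Fire exactly once, when the user crosses the threshold.
        if len(patients_per_user_day[key]) == BULK_THRESHOLD:
            findings.append(("bulk_access", ev["user"], ts.date().isoformat(), None))
    return findings


# Constructed sample log: a clinician behaving normally, a support agent who
# tries to download a recording, and a clinician reading recordings of
# patients who are not assigned to them.
SAMPLE_LOG = """
{"ts": "2024-03-04T09:02:11Z", "user": "dr.lee", "role": "clinician", "action": "join_call", "patient": "P-1001", "session": "s1"}
{"ts": "2024-03-04T09:40:00Z", "user": "dr.lee", "role": "clinician", "action": "view_recording", "patient": "P-1001", "session": "s1"}
{"ts": "2024-03-04T10:15:30Z", "user": "sam", "role": "support", "action": "download_recording", "patient": "P-1001", "session": "s1"}
{"ts": "2024-03-04T11:00:00Z", "user": "dr.kim", "role": "clinician", "action": "view_recording", "patient": "P-1002", "session": "s2"}
{"ts": "2024-03-04T22:05:00Z", "user": "dr.kim", "role": "clinician", "action": "view_recording", "patient": "P-3001", "session": "s3"}
{"ts": "2024-03-04T22:06:00Z", "user": "dr.kim", "role": "clinician", "action": "view_recording", "patient": "P-3002", "session": "s4"}
""".strip().splitlines()


if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_LOG):
        print(finding)
```

Run as a script, it prints one finding for the support agent's download attempt, three for dr.kim's reads of unassigned patients, and a final bulk-access finding for dr.kim. The per-patient check on recording actions is the minimum-necessary rule made concrete; the daily distinct-patient counter is the kind of baseline-versus-anomaly signal that an audit trail makes possible but a simple allow list does not.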
However, even if a SaaS tool implements all of these safeguards, it cannot be used with PHI until the vendor has signed a Business Associate Agreement (BAA). The BAA contractually obligates the vendor to safeguard PHI, report breaches, and ensure that its own subcontractors do the same.
During the COVID-19 public health emergency, the regulator (the HHS Office for Civil Rights) announced that it would exercise enforcement discretion and not impose penalties on providers using non-public-facing video tools to deliver telehealth in good faith, even without a BAA. That discretion was temporary and tied to the declared emergency; it is not a permanent exemption, so plan on having a signed BAA in place.
Compliance also depends on how the software is used. To use video chat tools in a HIPAA-compliant manner, train staff in proper usage practices, such as keeping patient details out of meeting titles and unencrypted chat, and verifying the identity of participants before discussing PHI.
HIPAA-Compliant Video Calls: Essential Features
Vendor Access and Auditing
Another important consideration for HIPAA compliance is who can reach sensitive personal data. A video conferencing provider must protect patient data from the outside world, but it must also prevent its own employees from accessing PHI except where strictly necessary, for example for an authorized support case. Audit the vendor's use of third-party video APIs or other external services that process or store call content: under HIPAA, each such subcontractor is itself a business associate and must sign a BAA with the vendor and demonstrate HIPAA compliance.
Providers must implement administrative, physical and technical safeguards to keep unauthorized users away from electronic PHI (ePHI). For example, only the small set of staff with a documented need should hold sign-in credentials to systems that store call recordings, and those credentials should be revoked when the need ends. All employee devices, including smartphones and tablets, must be protected with a password or PIN and, ideally, multi-factor authentication, and the video solution itself must authenticate every user rather than relying on a shared link or passcode alone.
Vendors should also provide robust auditing tools and reports that show when each recording or file was accessed and by whom. Such records protect healthcare professionals by documenting legitimate access when an intentional violation by someone else is discovered, and they help identify and resolve weaknesses in access controls.
As mentioned, encryption is not strictly required by HIPAA, but it is the most effective defense against threat actors or unauthorized third parties intercepting a video call or reading data generated during it. Its value depends entirely on key management: only authorized devices and users should hold the keys, so ask the vendor who can decrypt stored recordings and whether end-to-end encryption is available for live calls.
Some tools, such as Zoom, can be configured in a HIPAA-compliant manner and offer a BAA. However, if a user includes patient details in meeting invitations sent through ordinary e-mail, or inadvertently stores patient data in an account that is not covered by the BAA, they can still violate HIPAA. This is why it is important to work with vendors that understand HIPAA requirements both internally and externally and can prevent unintended violations; the solution should restrict, by default, activities that can lead to them.
How to Evaluate HIPAA-compliant Video Calls Systems
Video call solutions that are compliant with HIPAA put patient privacy and confidentiality first. The best systems go beyond the minimum safeguards and protect both providers and patients, for example by requiring authentication for every participant and encrypting recordings at rest. In addition to offering video conferencing that is easy to use and affordable, these solutions must enforce privacy standards that protect users.
To determine the right HIPAA compliant video conferencing system for your use case, consider the following criteria:
- Pricing—evaluate per-user pricing and pay special attention to storage costs for recorded video sessions, and retention capabilities.
- Features—evaluate video chat functionality, to ensure that your staff can practice effective telehealth using the tool.
- Ease of use—ensure easy setup and use for both patients and providers. Keep in mind that many patients are elderly or non-technical, and the solution must cater to them.
- Accessibility—ensure that all your users can access video conferencing through their preferred device, browser, and operating system. Take into account that some patients may be using outdated computing systems.
- Security—evaluate solutions according to the layers of security they provide, the robustness of each measure, and the ease with which IT staff can administer them. Ensure the tool is secure by default and prevents unintentional violations.
HIPAA-compliant video calls rest on three essential elements: strong encryption of calls and stored recordings (end-to-end where the service supports it), robust access control, and auditing capabilities that let you monitor for and respond to unauthorized usage.
When evaluating a video conferencing service for use in the healthcare industry, ensure it:
- Provides encrypted connections for calls and for any stored recordings
- Limits and audits access by the video conferencing provider's own employees
- Ships with a secure default configuration that prevents accidental compliance violations
These points will help you provide convenient video chat services to medical practitioners and patients, without violating privacy or risking compliance penalties.