08/05/2021 | News release | Archived content
Guest Post: This is a guest post contributed by Atlantic.Net, Inc. Atlantic.Net provides an array of hosting services, including cloud, dedicated, colocation, private virtualization, and managed hosting. Their state-of-the-art infrastructure is SOC2, SOC3, HIPAA, and HITECH compliant and housed in secure, climate-controlled facilities with constant monitoring and multiple direct connections to the Internet backbone to ensure the availability and safety of customer data.
Video conferencing has become ubiquitous in the post-COVID-19 era and is an important enabler for telehealth services. However, to use video calls for healthcare, you must ensure your video conferencing service is compliant with relevant regulations. In this article, we'll explain compliance requirements for video calls in the USA, essential features of HIPAA-compliant services, and how to select a service to suit your needs.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was created for the purpose of protecting personal health information (PHI) and the personally identifiable information (PII) of patients.
HIPAA requirements apply to any entity handling sensitive patient information, as well as business associates handling PHI on behalf of a covered entity. For example, software vendors operating in the healthcare industry are often considered business associates and must comply with HIPAA requirements.
HIPAA regulations are designed to protect PHI in any medium or form. While PHI may include information like names, drivers' licenses, and social security numbers, it also represents a broader category of information including photographs, fingerprints, and voiceprints.
Your organization's health data management practices must also extend to video conferencing services. Here are several security requirements video chat solutions must implement to meet HIPAA requirements:
However, even if the SaaS tool has all the necessary security measures, it cannot be used with PHI without a signed Business Associate Agreement (BAA). This agreement requires all parties to take proactive steps to adequately safeguard protected health information.
The requirement for a BAA with solution vendors was recently waived by the regulator to enable the use of "telehealth in good faith" during public health emergencies such as the COVID-19 crisis.
Software compliance depends on individual use. To use video chat tools in a HIPAA-compliant manner, it is essential to train staff in proper usage practices.
Another important consideration for HIPAA compliance is who has access to sensitive personal data. Video conferencing providers can protect patient data from the outside world, but they should also prevent their own employees from gaining access to PHI. In addition, it is important to audit the vendor's use of video APIs or other external services to process or store video content. Any such third-party API provider must also sign a BAA and demonstrate HIPAA compliance.
Providers must implement administrative, physical, and technical safeguards to prevent unauthorized users from accessing information classified as ePHI. For example, only a small number of approved individuals should have sign-in credentials. All employee devices, including smartphones and tablets, must be password protected (ideally with multi-factor authentication), and the video solution must enforce user authentication and password protection.
Ideally, vendors should be able to implement robust auditing tools and generate reports that include logs of when each file was accessed and by whom. This is useful for protecting healthcare professionals in cases where intentional violations are discovered, or for identifying and resolving vulnerabilities.
As mentioned, encryption is not strictly required by HIPAA but is extremely effective in preventing threat actors or unauthorized third parties from accessing a video call, or data generated during the call. Encryption can help prevent unauthorized access because only authorized devices and users (ideally) have access to encryption keys.
Some tools, like Zoom, may be technically considered HIPAA compliant. However, if a user sends meeting invitations to patients or inadvertently stores patient data in a Zoom account, they may violate HIPAA regulations. This is why it is important to work with vendors who understand HIPAA regulations internally and externally and can prevent unintended violations. The solution must restrict activities that can result in HIPAA violations.
Video call solutions that are compliant with HIPAA put patient privacy and confidentiality first. The best systems go beyond minimum safety standards and provide an additional layer of security for both providers and patients. In addition to providing video conferencing functionality that is easy to use and affordable, these solutions must establish privacy standards that protect users.
To determine the right HIPAA compliant video conferencing system for your use case, consider the following criteria:
HIPAA-compliant video calls require three essential elements: end-to-end encryption, robust access control, and auditing capabilities that allow you to monitor for and prevent unauthorized usage.
When evaluating a video conferencing service for use in the healthcare industry, ensure it:
These points will help you provide convenient video chat services to medical practitioners and patients, without violating privacy or risking compliance penalties.