A Guide to HIPAA Compliant Video Conferencing

The COVID-19 pandemic has prompted thousands of healthcare organizations to turn to online video conferencing to serve their patients. With numerous video conferencing platforms claiming to be HIPAA compliant, many doctors and physicians do not think twice before switching to one. However, there is more you need to know before you start serving patients over video. "HIPAA compliant" is not a property a product can have on its own: it depends on the contract you sign with the vendor, on how the platform is configured, and on how it is used. Several of the platforms on the market that carry the label have had real privacy and security problems, and those problems persist.

Let’s start from the very beginning so you can get a better idea of what HIPAA compliant really means and how you can securely implement it for your healthcare organization. 

Who Needs To Comply with HIPAA?

Covered Entities: There are three types of ‘covered entities’ under HIPAA. These are health plans, clearinghouses, and certain healthcare providers such as doctors, dentists, pharmacies, clinics, etc., as long as they transmit data in an electronic form that is in connection with a transaction for which HHS has adopted standards.

Business Associates: These are people or entities that carry out tasks involving the use or disclosure of protected health information (PHI) on behalf of a covered entity, or that provide services to one. Examples include a CPA firm that needs access to PHI to provide accounting services to a healthcare provider, or an outside medical transcriptionist providing transcription services to a physician. A video conferencing vendor that carries your patients' sessions is a business associate as well.

Organizations That Do Not Need To Comply with HIPAA

According to ShareCare, the following organizations are not required to follow HIPAA guidelines:

  • Life insurers
  • Employers
  • Workers’ compensation carriers
  • Most schools and school districts
  • Many state agencies, including child protective agencies
  • Most law enforcement agencies
  • Many municipal offices

Issues with Current ‘HIPAA Compliant’ Video Conferencing Platforms

Zoom: One of the most-used video conferencing platforms right now, whether for a family reunion or a telehealth appointment, Zoom has a reputation as a reliable platform for communication. However, several problems that bear directly on HIPAA came to light this year: uninvited participants hijacking meetings, security flaws in its desktop clients, and the finding that what Zoom had marketed as "end-to-end" encryption was in fact transport encryption, with Zoom's own servers able to decrypt meeting content. Zoom has fixed some of these issues and will sign a BAA for its healthcare plans, but a BAA and a default configuration are not the same thing. Whether a given deployment is compliant depends on how meetings are locked down (passcodes, waiting rooms, restricted recording) and on what the vendor's servers can see.

GoToMeeting: Another widely used platform for scheduling online meetings, GoToMeeting also ran into security concerns this year, including a vulnerability that exposed its customers to significant risk. The vendor resolved it, but a fixed flaw tells you little about the next one; what matters is how quickly the vendor discloses and patches, and whether your BAA obliges it to report security incidents to you.

These are just two of the platforms marketed as HIPAA compliant that have nonetheless had serious security issues.

Skype and FaceTime Are NOT HIPAA Compliant

It is crucial to note that the consumer versions of Skype and FaceTime, while fine for informal communication, should not be used for routine telehealth. They do not meet the criteria covered in the next section: Apple does not sign Business Associate Agreements for FaceTime, and Microsoft's BAA covers Skype for Business and Teams under enterprise agreements, not the free consumer Skype. One caveat: during the COVID-19 public health emergency, the HHS Office for Civil Rights announced that it would not impose penalties for good-faith use of non-public-facing video apps for telehealth, and named FaceTime and Skype among them. That is enforcement discretion, not compliance, and it ends when the emergency does. A number of healthcare providers still treat Skype and FaceTime as reliable telehealth platforms when they are far from HIPAA compliant.

So How Do You Implement HIPAA Compliant Video Conferencing?

Here are some components of HIPAA compliance that you need to know before implementing this technology.

End-to-End Encryption: When choosing or building secure video conferencing for your healthcare organization, the first feature to look for is end-to-end encryption. This means the keys that protect the audio and video exist only on the sender's and receiver's devices; the vendor's servers may carry the traffic but cannot decrypt it. This is different from transport encryption (TLS or DTLS between each device and the vendor's server), where the server decrypts and re-encrypts the media and can therefore record, transcribe or leak it. Vendors sometimes market the second as the first, so ask where the keys are generated and whether any server-side feature (cloud recording, transcription, phone dial-in) requires the server to see plaintext. Note that the HIPAA Security Rule does not mandate a particular cipher: encryption of ePHI in transit is an "addressable" implementation specification, meaning you must implement it or document why an equivalent measure is reasonable and appropriate. For video, end-to-end encryption is the measure that actually limits what the vendor can expose.

Business Associate Agreement (BAA): A step that covered entities often forget: you need a signed Business Associate Agreement with the vendor before any patient data passes through its service, both to protect the information and to comply with HIPAA. The BAA makes the vendor contractually responsible for safeguarding PHI and for reporting security incidents and breaches to you. A vendor that will not sign one cannot be used for PHI, no matter how good its encryption is; conversely, a signed BAA does not by itself make a misconfigured deployment compliant.

Peer-to-Peer Sessions: For both quality and security, check whether audio and video travel directly between your device and the patient's, or pass through the vendor's servers. A direct peer-to-peer session keeps media off third-party infrastructure, which shrinks the set of systems that handle PHI. Be precise about what "no server" means, though: even a peer-to-peer call needs a signaling server to set up the session, and usually a STUN or TURN server to get through NATs and firewalls. A TURN relay forwards packets it cannot decrypt, which is acceptable; a media server that terminates the encryption to mix or record streams is a server that sees PHI and must be covered by the BAA. Direct peer-to-peer is the best route for one-to-one visits; group sessions generally require a media server, and then end-to-end encryption and the BAA carry the weight.
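How do you actually check which route a session took? On a WebRTC-based platform (an assumption; the article does not name a technology) the answer is in the ICE candidates the two sides negotiated: a selected pair made of host or server-reflexive candidates is a direct path, while a relay candidate on either side means media is transiting a TURN server. The following is an added example, not code from the original article or from any vendor, that parses candidate lines in the standard a=candidate syntax and classifies the path. The candidate lines are constructed for the example and use documentation address ranges.

```javascript
// Added example, not code from the original article: classify the ICE candidates
// a WebRTC session negotiated (assumed platform) to tell a direct peer-to-peer
// media path from one that crosses a relay. Sample candidates are constructed.
const CANDIDATE_RE =
  /^(?:a=)?candidate:(\S+) (\d+) (udp|tcp) (\d+) (\S+) (\d+) typ (host|srflx|prflx|relay)(?: raddr (\S+) rport (\d+))?/i;

// Parse one candidate line into its fields. Throws on anything that is not a
// candidate, so a malformed line is noticed rather than silently treated as direct.
function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) throw new Error(`not an ICE candidate: ${line}`);
  return {
    foundation: m[1],
    component: Number(m[2]),
    transport: m[3].toLowerCase(),
    priority: Number(m[4]),
    address: m[5],
    port: Number(m[6]),
    type: m[7].toLowerCase(),            // host | srflx | prflx | relay
    relatedAddress: m[8] || null,        // srflx/relay: the address behind this one
    relatedPort: m[9] ? Number(m[9]) : null,
  };
}

// Classify the selected candidate pair. 'relay' on either side means media
// transits a TURN server. srflx/prflx still count as direct: the STUN server
// only helped discover the public address; it does not carry media.
function classifyPath(localLine, remoteLine) {
  const local = parseCandidate(localLine);
  const remote = parseCandidate(remoteLine);
  const viaRelay = local.type === 'relay' || remote.type === 'relay';
  return {
    path: viaRelay ? 'relayed' : 'direct',
    relays: [local, remote].filter((c) => c.type === 'relay').map((c) => `${c.address}:${c.port}`),
    local,
    remote,
  };
}

// Count candidate types across everything a side gathered: a session that only
// ever gathered relay candidates can never become direct, whatever gets selected.
function gatherSummary(lines) {
  const counts = { host: 0, srflx: 0, prflx: 0, relay: 0 };
  for (const line of lines) counts[parseCandidate(line).type] += 1;
  return counts;
}

// Constructed sample candidates (documentation address ranges, not real hosts).
const LOCAL_HOST = 'candidate:1 1 udp 2122260223 192.168.1.20 49152 typ host';
const LOCAL_SRFLX = 'candidate:2 1 udp 1686052607 203.0.113.7 49152 typ srflx raddr 192.168.1.20 rport 49152';
const LOCAL_RELAY = 'candidate:3 1 udp 41885439 198.51.100.44 3478 typ relay raddr 203.0.113.7 rport 49152';
const REMOTE_HOST = 'a=candidate:1 1 udp 2122260223 10.0.0.5 60000 typ host';

console.log(classifyPath(LOCAL_SRFLX, REMOTE_HOST).path);   // direct
console.log(classifyPath(LOCAL_RELAY, REMOTE_HOST).path);   // relayed
console.log(gatherSummary([LOCAL_HOST, LOCAL_SRFLX, LOCAL_RELAY]));
```

In a live browser session the same fields come from RTCPeerConnection.getStats(): the selected candidate pair's local and remote entries carry a candidateType with these four values. Candidate type tells you where the packets go, not who can decrypt them. With DTLS-SRTP a TURN relay forwards ciphertext without holding keys, whereas a media server (SFU or MCU) that terminates DTLS decrypts the streams; that server will show up as the "remote" candidate rather than the patient's device, so a remote address that belongs to the vendor's infrastructure is the thing to look for.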

For best practices, your video conferencing solution should have all three of the features listed above. 

With that being said, instead of going forward with platforms that still need improvement, it is best to find a good software development agency with decades of development experience, including telehealth solutions, to build a secure video conferencing platform for your healthcare organization that meets all HIPAA guidelines.

Sunvera can help you implement the right software solution for your healthcare organization while helping you reduce costs and improve operational efficiency. Contact us for a FREE 2-hour consultation.