Is Video Conferencing HIPAA Compliant?


Video conferencing is HIPAA compliant when three conditions hold: a HIPAA Covered Entity or Business Associate uses the service for a purpose the HIPAA Privacy Rule permits; electronic protected health information handled by the service is protected with the safeguards the HIPAA Security Rule requires; and a Business Associate Agreement is in place whenever the video conferencing provider creates, receives, maintains, or transmits protected health information on the organization’s behalf. No platform is HIPAA compliant on its own; compliance is a property of how the organization uses and configures it.

HIPAA applies to video visits and other conferencing sessions when protected health information is discussed, displayed, recorded, transmitted, or stored. Protected health information can be present in audio and video streams, chat messages, shared screens, uploaded files, meeting titles, and participant lists. Session artifacts such as recordings, transcripts, attendance logs, and cloud-stored chat histories can create electronic protected health information even when the live interaction is brief.

HIPAA compliance therefore depends on how the platform is configured and managed, not on the vendor’s marketing claims. Administrative safeguards include a risk analysis and risk management actions covering the telehealth workflow, workforce training on approved tools and acceptable use, and procedures for responding to security incidents. Technical safeguards include access controls, authentication, a unique user identifier for each workforce account (no shared logins), audit controls that record who joined, hosted, recorded, or downloaded a session, integrity protections for electronic protected health information, and transmission security appropriate to the environment, which in practice means encrypting sessions and session artifacts in transit between participants and the service. Physical safeguards include controls on the devices used for sessions and private spaces for conducting them, to reduce unauthorized viewing or overhearing.


Business Associate requirements apply when the vendor’s role meets the HIPAA Business Associate definition. If the video conferencing vendor handles protected health information for the organization, a Business Associate Agreement is required and should align with the organization’s privacy and security policies, including permitted uses and disclosures, safeguarding obligations, reporting of security incidents and breaches, and subcontractor controls. Use of consumer-grade services without Business Associate Agreements can create compliance risk when protected health information is shared through those services.

Privacy controls reduce exposure during sessions. Meeting links should be protected from unauthorized entry (for example, by requiring a passcode or a waiting room rather than relying on the link itself staying secret), and sessions should use settings that limit who can join, restrict screen sharing to the host, and control chat and file transfer. Recording should be disabled by default and enabled only for a documented need; any recording, transcript, or chat log that contains protected health information is itself electronic protected health information and should be stored in approved systems with access controls and retention and deletion practices aligned with policy, rather than left in a personal account or on a local device. Providers and staff should avoid disclosing unnecessary identifiers, avoid displaying unrelated records when sharing a screen, and verify participant identity when the clinical context requires it.

A video conferencing workflow is compliant when the organization can show that the platform is authorized for protected health information, configured with appropriate access and security controls, covered by required Business Associate Agreements, and supported by documented policies, training, and monitoring.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]