HIPAA-Compliant Video Conferencing

The Health Insurance Portability and Accountability Act (1996) covers all areas of patient privacy. Its main purpose is to ensure that all protected health information (PHI) and electronic PHI (ePHI) remains secure and confidential. However, it must not be so restrictive that healthcare professionals are prevented from sharing PHI when a treatment-related task requires it.

This is particularly relevant with the advent of technology. Text messages, emails, portable electronic devices and video calls have all revolutionised how we live our daily lives and communicate with each other, and the same can be said for the healthcare sector. However, here they have an added complication – how can these technologies be implemented in a HIPAA-compliant manner? For this article in particular, we consider how video calls and video conferences can be conducted without violating the legislation.

How can video conferences be HIPAA-compliant?

For doctors, nurses, or associated health workers who use video conferencing, PHI may be exchanged during the conference. However, if the network is not adequately protected, this may result in unauthorized individuals accessing the video and recording it. They can then steal any PHI that was shared during the conference.

If a video conference is to be secure and meet all the technical safeguards stipulated in the Security Rule, the platform used to host the video must have sufficient encryption. Regrettably, many platforms often used by members of the public – such as Skype or Facebook – do not meet this security safeguard, as the encryption used for data transmission is too weak.
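The paragraph above says the platform must have "sufficient encryption" but does not say how a covered entity would verify that before a call. The following Python script is an added example, not code from the original article or from any conferencing vendor: it builds a TLS client context that refuses anything weaker than TLS 1.2, requires certificate validation, connects to a platform's endpoint, and records the negotiated protocol and cipher strength against a policy. The policy thresholds (TLS 1.2 or 1.3, at least 128-bit cipher keys) and the default host name are assumptions chosen for illustration; HIPAA itself does not name specific protocol versions.

```python
"""Transport-encryption check for a video conferencing endpoint.

Added example: builds a strict TLS client context, connects to the
platform's HTTPS/signalling endpoint, and reports whether the negotiated
handshake meets an assumed minimum policy. Useful as a documented
pre-adoption check for the Security Rule's encryption-in-transit safeguard.
"""
import socket
import ssl
import sys

# Assumed policy values (not figures from HIPAA, which names no versions):
# accept only TLS 1.2/1.3 and cipher suites with >= 128-bit keys.
ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
MIN_CIPHER_BITS = 128


def make_strict_context() -> ssl.SSLContext:
    """Client context: TLS 1.2 minimum, hostname check, CA verification."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the context enforces the three properties above."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
    )


def meets_minimum(protocol: str, cipher_bits: int) -> bool:
    """Decide whether a negotiated handshake satisfies the assumed policy."""
    return protocol in ACCEPTED_PROTOCOLS and cipher_bits >= MIN_CIPHER_BITS


def assess_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to host:port and report what was negotiated.

    A failed handshake (for example, a server that only offers TLS 1.0,
    or an untrusted certificate) is returned as a failing result rather
    than raised, so the check can be run across a list of vendors.
    """
    ctx = make_strict_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cipher_name, _, bits = tls.cipher()
                protocol = tls.version()
                return {
                    "host": host,
                    "ok": meets_minimum(protocol, bits),
                    "protocol": protocol,
                    "cipher": cipher_name,
                    "bits": bits,
                }
    except (ssl.SSLError, OSError) as exc:
        return {"host": host, "ok": False, "error": str(exc)}


if __name__ == "__main__":
    # Assumed default target for illustration; pass the vendor's endpoint
    # as the first argument when running the check for real.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    result = assess_endpoint(target)
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

The check deliberately fails closed: because the client context itself refuses TLS 1.0/1.1 and unverified certificates, a weak platform shows up as a handshake error rather than a successful connection that merely reports a low version. Keep the output with the vendor's BAA as evidence of the assessment; note that this only covers the signalling/HTTPS endpoint, and media streams (for example SRTP/DTLS in WebRTC) need to be confirmed separately from the vendor's documentation.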

What are peer-to-peer networks?

Using a peer-to-peer network means that data can be transmitted directly and securely from one device to another without being re-routed through a central server. There are many benefits to this, but one stands out: by having fewer points of interception, it is harder for hackers to access data. The server is usually the most vulnerable point of attack, so there is an obvious benefit in using a video conferencing platform that does away with one altogether.

Business Associate Agreements

Under HIPAA, a business associate (BA) is any third party contracted by the covered entity (CE) to perform a service. This extends from accounting to advertising, but does include managing services such as video conferences. Before adopting a video conference platform, ensure the vendor has signed a business associate agreement (BAA) that clarifies how they are to use, store, and protect any data collected. It is also imperative that the BA knows that they are liable for protecting PHI under HIPAA’s Omnibus Rule.

Summary

Video conferencing offers a wide range of benefits, from its speed and ease of use to the fact that it dramatically reduces cost and allows more patients to be reached. However, PHI must not be transmitted over video conferencing platforms that are not adequately secured. Before holding a video call or conference, ensure that the platform used to host the video has adequate encryption to prevent unauthorized access to PHI.

Video Conferencing and HIPAA: FAQ

Is a Business Associate Agreement required to use video conferencing platforms?

Yes, BAAs are required before any CE uses a third-party video conferencing platform. Without a BAA, CEs would be violating HIPAA and potentially subject to hefty fines or required to implement corrective action plans by the Office for Civil Rights.

What should be included in a BAA?

The BAA states the responsibilities that the business associate has in terms of ensuring the privacy and security of PHI. It also stipulates how the BA should dispose of data at the end of the agreement, and what procedures should be in place if a HIPAA violation occurs.

If a service provider is secure and will enter into a BAA, is it HIPAA compliant?

Yes, if a video conferencing platform has the minimum security safeguards stipulated by the HIPAA Security Rule, and the CE has entered into a Business Associate Agreement with the service provider, the provider is considered to be HIPAA compliant. However, this does not mean that use of the platform can never lead to HIPAA violations. For example, if employees share login details, and an individual who should not be in a meeting in which PHI is being discussed then attends, this would be a HIPAA violation.

How should employees be made aware of the correct use of video conferencing platforms?

All employees should be trained in HIPAA compliance. This, of course, should focus on how to safely use and disclose PHI for in-person health operations, but it also extends to which technologies can and cannot be used for disseminating PHI. The CE and their BAs should have clear, up-to-date guidelines on which video conferencing platforms are HIPAA compliant.