HIPAA-Compliant Video Conferencing

The Health Insurance Portability and Accountability Act (1996) covers all areas of patient privacy. Its main purpose is to ensure that all protected health information (PHI) and electronic PHI (ePHI) remains secure and confidential. However, it must not be so restrictive that when healthcare professionals need to share PHI to accomplish a treatment-related task they still can.

This is particularly relevant with the advent of technology. Text messages, emails, portable electronic devices and video calls have all revolutionised how we live our daily lives and communicate with each other, and the same can be said for the healthcare sector. However, here they have an added complication – how can these technologies be implemented in a HIPAA-compliant manner? For this article in particular, we consider how video calls and video conferences can be conducted without violating the legislation.

How can video conferences be HIPAA-compliant?

For doctors, nurses, or associated health workers who use video conferencing, PHI may be exchanged during the conference. However, if the network is not adequately protected, this may result unauthorized individuals accessing the video and recording it. They can then steal any PHI that was shared during the conference.

If a video conference is to be secure and meet all the technical safeguards stipulated in the Security Rule, the platform used to host the video must have sufficient encryption. Regrettably, many platforms often used by members of the public – such as Skype or Facebook – do not meet this security safeguard as the data encryption transmission technology is too weak.

What are peer-to-peer networks?

Using a peer-to-peer network means that data can directly and securely transmitted from one device to another without being re-routed through a central server. There are many benefits to this, but one stands out: by having fewer points of interception, it is harder for hackers to access data. The server is usually the most vulnerable point of attack, so it is of obvious benefit to use a video conferencing platform that does away with one altogether.

Business Associate Agreements

Under HIPAA, a business associate (BA) is any third party contracted by the covered entity (CE) to perform a service. This extends from accounting to advertising, but does include managing services such as video conferences. Before hiring or employing a video conference platform, ensure the vendor has signed a BAA that clarifies how they are to use, store, and protect any data collected. It is also imperative that the BA knows that they are liable for protecting PHI under HIPAA’s Omnibus Rule.

Summary

Video conferencing offers a wide range of benefits, from its speed and ease of use to the fact it dramatically reduces cost and allows more patients to be accessed. However, unless done securely, PHI cannot be transmitted over video conferencing platforms as they are not adequately secure. Before holding a video call or conference, ensure that the platform used to host the video has adequate encryption to prevent unauthorized access to PHI.