Is WebEx HIPAA Compliant?

WebEx is an online video conferencing and collaboration platform that organizations use to facilitate communication among persons and partners from different places so that they are as if meeting all in one place. Can healthcare organizations use WebEx as well? Is it HIPAA compliant?

If using resources such as WebEx, healthcare organizations can make connections quickly and easily between employees, no matter where they are. Healthcare employee trainings, regional operational meetings, medical learning and even patient communications may all be done on the web. However, it is important for healthcare organizations to be sure that this platform is HIPAA compliant prior to using it in connection with protected health information (PHI).

Cisco designed WebEx with several security controls that ensures all communications take place securely and no information is intercepted. Any information transmitted to the WebEx cloud using a WebEx application is encrypted. The app supports TLS 1.0, 1.1 and 1.2 protocols and uses high strength ciphers which include AES-256. Media packets are secured by encryption utilizing AES 128. There is also an option to utilize end-to-end encryption, which if used guarantees that Cisco never decrypts any media stream.

Many media streams can be documented for use in the future particularly in the event of a HIPAA audit. Documents are similarly secured at rest by means of encryption whereas audio, video, and data streams are stored in a separate area. Administrators can configure the platform to have the security level as follows:

  • restrict unsuccessful attempts to login
  • Immediate deactivation of account if the user remains inactive for a specified time period
  • allow strong passwords only
  • utilize 2-factor authentication
  • strictly regulates who has access to the platform

Cisco provides complete documentation on functionality, technology and security to help healthcare organizations in doing their risk analysis. Cisco is likewise willing to enter into a business associate agreement (BAA) with HIPAA covered entities or their business associates.

In summary, WebEx supports HIPAA Compliance. It offers administrative and technical controls that meet HIPAA requirements; however, it is the covered entity’s responsibility to set up WebEx properly and use it in compliance with HIPAA. As long as the platform’s security measures are working, and a BAA has been signed by Cisco to cover the application of WebEx for healthcare, WebEx is HIPAA compliant and healthcare organizations can use it.