How to Implement HIPAA-Compliant Video Conferencing for Healthcare Providers

In-app Chat: The Future of Secure Doctor/Patient Communications
John S. Kim, Cofounder and CEO of SendBird

Video-conferencing software like Zoom has been getting a lot of attention of late as more and more people turn to digital tools to communicate remotely, whether to stay connected with loved ones, keep work flowing, or communicate with clients. 

Healthcare is certainly no exception. A global FICO study found that around 80% of people want to use their mobile phones to interact with doctors and other healthcare providers. 

Digital healthcare solutions were already on the rise before the global outbreak of COVID-19, but given the high risk of transmission and the enormous pressure healthcare providers are under, there is a greater need than ever for remote healthcare solutions that reduce interpersonal contact while allowing doctors to continue to deliver a high standard of care. 

The challenge? Many popular video-conferencing tools simply aren’t HIPAA-compliant, which means they can’t legally be used to provide the remote care that’s called for. For instance, grave concerns have been raised around Zoom’s security. 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) aims to protect patient privacy and ensure that patients have easy access to their medical records. 

So what makes a video-conferencing tool HIPAA-compliant? When it comes to video conferencing, both the HIPAA Privacy Rule and the Security Rule apply. 

In a nutshell, HIPAA-compliance means that any software used to store or communicate data pertaining to patients’ personal health information needs to adhere to stringent security and privacy standards. Let’s take a closer look at what that entails.

The Basics of HIPAA-Compliant Video Conferencing

With the growth of telehealth, video conferencing commonly involves the transmission of protected health information (PHI) including the following:

  • Name or social security number
  • Home or business address
  • Dates (of appointments, payments, etc.)
  • Telephone number, email address or fax number
  • Medical record number
  • Health plan or insurance number
  • Payment information (e.g. account number)
  • Device identifiers such as serial numbers 
  • Internet Protocol (IP) address or web URLs
  • Biometric identifiers (fingerprint, retina scan or voice recording)
  • Photographic images or video material
  • Vehicle identifiers such as license or registration number
  • Any other characteristics that may be used to identify an individual

HIPAA Implementation Essentials

There are a number of measures that healthcare industry stakeholders that deal with the transmission of ePHI can take to ensure that they remain HIPAA-compliant, particularly in the crowded video-conferencing landscape where non-compliance is running rife.

Let’s take a look at some of the key considerations.

End-to-End Encryption

One of the critical considerations when it comes to video conferencing is ensuring that bad actors and unauthorized third parties cannot gain access to the video call or the data generated in the course of the call.

This raises the question of encryption. Does your video-conferencing software use encryption? How easy is it to access the encryption key? End-to-end encryption is the gold standard for HIPAA compliance because it means that only the devices used to make the video call have access to the encryption key.

Peer-to-Peer Connection

Another important question to consider is routing. Does the video connect your computer or handheld device directly to your patient’s device, or does it get routed through a server? Direct peer-to-peer routing makes for much faster and better quality video conferencing and offers security benefits. However, for true HIPAA-compliance, your video-conferencing tool should also be encrypted end-to-end.

BAAs 

Business Associate Agreements (BAAs) are another essential aspect of HIPAA-compliance. This agreement stipulates that all concerned parties will take active measures to ensure that protected health information is appropriately safeguarded. 

Vendor Access and Auditing

Another crucial consideration for HIPAA compliance is who has access to sensitive personal data. Video conferencing providers may protect patient data from outside eyes, but what about their own employees? 

It’s crucial that vendors have administrative, physical, and technical safeguards in place to prevent unauthorized users from accessing any information classified as ePHI. For instance, only a select few authorized individuals should have sign-in credentials, all devices including smartphones and tablets should be password protected (preferably with 2FA), and the video conferencing software itself should feature user authentication and be password protected.

Ideally, vendors should have robust auditing measures in place and be able to generate reports containing logs of who accessed each file containing ePHI, and when. This can be invaluable in protecting healthcare practitioners when isolated intentional violations occur, as well as in identifying and addressing vulnerabilities such as employees not being sufficiently familiar with compliance best practice. 

Accidental Violations 

While tools like Zoom might technically qualify as HIPAA-compliant if they turn off certain features for healthcare users, you could still violate HIPAA regulations simply by sending your patient a meeting invitation or inadvertently storing their information in your Zoom account. This is why it’s important to partner with a vendor that understands the HIPAA regulations inside and out and can help you to avoid violating them inadvertently.

How to Choose HIPAA-Compliant Video Conferencing 

Building any video conferencing software from scratch is enormously complex and takes a lot of time and resources. With the added complication of needing to be HIPAA-compliant, this task becomes even more challenging. 

It’s much, much easier to simply use an industry-leading video conferencing tool that’s HIPAA-compliant right out of the box and integrate that into your own telehealth app or platform. However, it’s vital that you select a video API that was built with HIPAA-compliance in mind from the start, instead of choosing one where it was merely added as an afterthought.

Here are some tips for choosing a HIPAA-compliant video-conferencing vendor:

  • Make sure they offer a BAA
  • Check whether they offer end-to-end encryption and which encryption standard they use
  • Ask whether the calls are routed through a server or peer-to-peer
  • Inquire as to their access control as well as audit control standards
  • Find out what safeguards they have in place
  • Read reviews and testimonials from other healthcare industry professionals that have used their software

With this knowledge, you can rest assured that your doctor-to-patient video calls as well as discussions between colleagues and consultations with specialists will remain securely encrypted and 100% HIPAA-compliant.


About John Kim

John S. Kim is the Cofounder and CEO of SendBird (Y Combinator W16), a B2B startup providing a messaging solution for enterprises. The platform currently serves tens of millions of monthly active users and many of the best-known logos around the world, like Yahoo! Sports, GO-JEK, Hinge and one of the most active websites in the world. John is a serial entrepreneur and an expert in the messaging space.