HIPAA-compliant video conferencing implementation guide

What is HIPAA-compliant video conferencing?

Video-conferencing software like Zoom has been getting a lot of attention of late as more and more people turn to digital tools to communicate remotely, whether to stay connected with loved ones, keep work flowing, or communicate with clients. 

Healthcare is certainly no exception. A global FICO study found that around 80% of people want to use their mobile phones to interact with doctors and other healthcare providers. 

Digital healthcare solutions were already on the rise before the global COVID-19 outbreak, but given the high risk of transmission and the enormous pressure healthcare providers are under, there is a greater need than ever for remote healthcare solutions that reduce interpersonal contact while allowing doctors to continue to deliver a high standard of care. 

The challenge? Many popular video-conferencing tools simply aren’t HIPAA-compliant, which means they can’t legally be used to provide the remote care that’s called for. For instance, grave concerns have been raised around Zoom’s security. 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) aims to protect patient privacy and ensure that patients have easy access to their medical records. 

So what makes a video-conferencing tool HIPAA-compliant? When it comes to video conferencing, both the HIPAA Privacy Rule and the Security Rule apply. 

In a nutshell, HIPAA compliance means that any software used to store or communicate data pertaining to patients’ personal health information needs to adhere to stringent security and privacy standards. Let’s take a closer look at what that entails.

The basics of HIPAA-compliant video conferencing

With the growth of telehealth, video conferencing commonly involves the transmission of protected health information (PHI) including the following:

- Name or social security number
- Home or business address
- Dates (of appointments, payments, etc.)
- Telephone number, email address or fax number
- Medical record number
- Health plan or insurance number
- Payment information (e.g. account number)
- Device identifiers such as serial numbers
- Internet Protocol (IP) address or web URLs
- Biometric identifiers (fingerprint, retina scan or voice recording)
- Photographic images or video material
- Vehicle identifiers such as license or registration number
- Any other characteristics that may be used to identify an individual

HIPAA implementation essentials

There are a number of measures that healthcare industry stakeholders who deal with the transmission of ePHI can take to ensure that they remain HIPAA-compliant, particularly in the crowded video-conferencing landscape where non-compliance is running rife.

Let’s take a look at some of the key considerations.

End-to-end encryption

One of the critical considerations when it comes to video conferencing is ensuring that bad actors and unauthorized third parties cannot gain access to the video call or the data generated in the course of the call.

This raises the question of encryption. Does your video-conferencing software use encryption? How easy is it to access the encryption key? End-to-end encryption is the gold standard for HIPAA compliance because it means that only the devices used to make the video call have access to the encryption key.
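As an added example, not code from the original article or from any particular product, the following Go program models what "only the devices hold the key" means in practice: two endpoints derive a per-call key with X25519 over a signalling channel, and a media relay in the middle forwards frames that it can neither read nor alter without detection. The key agreement, the hash-based key derivation and the relay model are simplifications assumed here, not the protocol of any real conferencing tool.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}
// sessionAEAD derives the per-call AES-256-GCM cipher from our private key and
// the peer's public key; hashing the raw secret stands in for a KDF (assumption).
func sessionAEAD(priv *ecdh.PrivateKey, peerPub []byte) cipher.AEAD {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	must(err)
	shared, err := priv.ECDH(pub)
	must(err)
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // cannot fail: key is 32 bytes
	aead, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	return aead
}

// RunCall models a relayed call: A and B agree a key over signalling, then A sends one
// frame via relay (the media server). Returns B's view, the wire bytes, and any error.
func RunCall(frame []byte, relay func([]byte) []byte) (recovered, onWire []byte, err error) {
	a, err := ecdh.X25519().GenerateKey(rand.Reader) // private halves never leave the devices
	must(err)
	b, err := ecdh.X25519().GenerateKey(rand.Reader)
	must(err)
	sendA := sessionAEAD(a, b.PublicKey().Bytes()) // only public keys cross the network
	nonce := make([]byte, sendA.NonceSize())
	_, err = rand.Read(nonce)
	must(err)
	onWire = sendA.Seal(nonce, nonce, frame, nil) // all the relay ever sees
	delivered := relay(onWire)
	recvB := sessionAEAD(b, a.PublicKey().Bytes())
	n := recvB.NonceSize()
	if len(delivered) < n {
		return nil, onWire, errors.New("frame truncated in transit")
	}
	recovered, err = recvB.Open(nil, delivered[:n], delivered[n:], nil) // fails if altered
	return recovered, onWire, err
}
```

An honest relay delivers the frame unchanged while seeing only ciphertext; a relay that modifies or truncates the frame causes the receiving endpoint's authentication check to fail.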

Peer-to-peer connection

Another important question to consider is routing. Does the video connect your computer or handheld device directly to your patient’s device, or does it get routed through a server? Direct peer-to-peer routing makes for much faster and better-quality video conferencing and offers security benefits. However, for true HIPAA compliance, your video-conferencing tool should also be encrypted.
