What is HIPAA Compliant Video Conferencing?
Healthcare providers use video conferencing to provide telehealth services to patients. HIPAA compliant video conferencing is video conferencing that meets the requirements of the HIPAA regulations. In particular, HIPAA compliant video conferencing must meet the requirements of the HIPAA Security Rule.
What are the Basics of HIPAA Compliant Video Conferencing?
Telehealth services, which consist of providing healthcare by telecommunications technology such as video conferencing, are becoming commonplace in the healthcare services market. Almost all states reimburse Medicaid patients for telehealth services, and a majority of states have private insurance parity laws for telehealth reimbursement.
The growing popularity of telehealth services makes the need for protecting the security of the information exchanged in a telehealth session that much more important. Telehealth services, such as video conferencing, involve transmission of protected health information (PHI) and electronic protected health information (ePHI). Whenever such information is transmitted, there is a risk that the confidentiality, integrity, or availability of the information will be compromised. HIPAA compliant video conferencing protects against this risk. By being compliant with the administrative, technical, and physical safeguards of the HIPAA Security Rule, a telehealth services provider is ensuring the confidentiality, integrity, and availability of PHI.
The basic components of this compliance include:
End-to-end Encryption
End-to-end encryption of electronic ePHI protects the security of ePHI that is exchanged during a telehealth session. HIPAA compliant telehealth video conferencing should offer SSL/TLS encryption that can provide proxy and firewall traversal for a secured platform.
Secure Connection Verification
A secure conference connection established during a videoconferencing session protects PHI and other confidential information. Verification technology verifies that a genuine connection has been made to the correct server, and not to an imposter server. HIPAA compliant video conferencing employs this technology to ensure that if a secure connection cannot be established, the unsecured video encounter will not take place. Verification technology provides a significant advantage over traditional, hardware-based video conferencing installation. In these older installations, remote employees can change configuration settings without system monitoring. This allows sensitive information, including ePHI, to be sent unprotected over the Internet.
Private Cloud Web Conferencing
A private cloud web conferencing option is another component of HIPAA compliant video conferencing. While the HIPAA Security Rule does not require HIPAA compliant video conferencing to be cloud-based, a private-cloud option nevertheless offers a heightened level of security. This is because in a private cloud, information is stored behind the provider organization’s firewall. A private cloud option also contains features allowing a provider to control the location of stored documents and recordings. A private cloud also allows a provider to select “no content storage.” This means that, at the conclusion of a telehealth session, any shared content or files are deleted from the system. A private cloud option is particularly useful for encounters consisting of patient care, meetings, or consultations – in other words, encounters where ePHI is commonly exchanged and disclosed.
Password Controls
HIPAA compliant video conferencing should contain password controls. These controls provide for the password to be changed after a set number of days, and ensure that passwords be of a minimum length and contain certain alpha-numeric content (e.g., upper-case or lower-case letters, numbers, and/or symbols). Additional password controls include time-limited password entry for users, meaning that if a user cannot input the correct password within a set period of time, the user will be locked out. Another type of password control is one that locks a user out after a predetermined number of unsuccessful logins. Password controls can provide even greater security; an organization can require password input to (among other things) download shared documents and meeting recordings.
Provider/Host Security Controls
Provider/host security controls allow a healthcare organization to lock out a videoconference or telehealth session until the host arrives. These controls also provide the option to require separate passwords for the various attendees to a videoconference: the host, the presenters (if any), and the participants. Requiring separate passwords is especially useful for meetings with a higher degree of formality, such as webinars, where the number of participants and/or presenters may be high.
Securing the Operating System
Many people who have watched a PowerPoint presentation or attended a live video conference have probably observed the presentation or video conference failing to start on time. Often, the delay can be attributed to an operating system issue. Essentially all videoconferencing systems run on an operating system, whether general-purpose, such as Windows, or mobile, such as iOS or Android. For videoconferencing, the OS must be properly configured and administrators must identify and remedy software vulnerabilities. To minimize the vulnerability of video systems to security issues, administrators should use properly configured firewalls and strong administrator credentials. Operating systems should be run with the latest versions of relevant service packs and security updates. For mobile devices, firmware should be updated to the most recent version.
