As we enter our fourth month of the COVID-19 crisis, the use of video conferencing tools continues to grow. However, the security of these tools has come under scrutiny, particularly for use in the healthcare field. To help providers choose the right video conferencing tool, HIPAA compliant video conferencing is discussed below.
Choosing a HIPAA Compliant Video Conferencing Tool
When deciding which vendor to use for your practice, ask the following questions:
◈ Will they sign a BAA?
◈ Do they have HIPAA compliant safeguards in place?
◈ Do they offer end-to-end encryption (E2EE)? Is E2EE available for free accounts, or just for paid?
◈ Are calls routed through a server or do they offer peer-to-peer connections?
◈ Do they have a means for user authentication? Do they keep audit logs?
◈ Have other healthcare industry professionals used their software? Have they left positive or negative reviews?
HIPAA Compliant Video Conferencing: Business Associate Agreements
Arguably one of the most important aspects of determining a software vendor’s HIPAA compliance is their willingness to sign a business associate agreement (BAA). Even if the software has all of the security measures required to be HIPAA compliant, the vendor cannot be considered HIPAA compliant if they won’t sign a BAA. A BAA must be signed with a business associate before protected health information (PHI) may be shared with them. A BAA mandates what protections the business associate is required to have in place, and it makes each signing party responsible for maintaining their own HIPAA compliance.
HIPAA Compliant Video Conferencing: HIPAA Safeguards
Organizations working with PHI have an obligation to secure the sensitive information with administrative, physical, and technical safeguards.
◈ Physical. Physical safeguards refer to securing PHI at an organization’s physical location. This includes installing an alarm system and locking areas in which PHI is stored.
◈ Technical. To ensure that electronic protected health information (ePHI) – PHI stored in an electronic format – is secure, organizations must implement technical safeguards. This includes measures such as data encryption.
HIPAA Compliant Video Conferencing: User Authentication and Auditing
To enable HIPAA compliant video conferencing, the tools must have a means to authenticate users and to audit access to PHI. User authentication, enabled through unique login credentials, prevents unauthorized access to PHI. Ideally, video conferencing tools should implement multi-factor authentication (MFA). MFA requires more than one credential before granting access, such as a username and password in combination with security questions, a one-time PIN, or biometrics.
In addition, users should be able to track access to PHI with audit logs. Audit logs record who accessed what data, for how long, and how frequently. HIPAA requires the use of audit logs because PHI access must be tracked to ensure adherence to the minimum necessary standard.
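The two requirements above (authenticate each user, and keep audit logs detailed enough to check the minimum necessary standard) are easier to evaluate with a concrete record format in front of you. The following is an added example, not code from the original article or from any vendor: it parses a handful of constructed audit records from a hypothetical video-visit platform, summarizes per user and patient how often and how long PHI was accessed, and flags two things a compliance reviewer looks for, access to a patient outside the user's assumed care assignment and sessions that were not protected by MFA. The field names, the assignment table and the log lines are all assumptions for this example.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (JSON lines) from a hypothetical
# video-visit platform. Field names are assumptions for this example.
SAMPLE_AUDIT_LOG = """\
{"ts": "2020-06-01T09:00:00", "user": "dr.lee", "mfa": true, "action": "join_visit", "patient": "P-1001", "duration_s": 900}
{"ts": "2020-06-01T09:30:00", "user": "dr.lee", "mfa": true, "action": "view_record", "patient": "P-1001", "duration_s": 120}
{"ts": "2020-06-01T10:00:00", "user": "dr.lee", "mfa": true, "action": "view_record", "patient": "P-2002", "duration_s": 60}
{"ts": "2020-06-01T11:00:00", "user": "nurse.kim", "mfa": false, "action": "view_record", "patient": "P-1001", "duration_s": 30}
{"ts": "2020-06-01T11:05:00", "user": "nurse.kim", "mfa": true, "action": "join_visit", "patient": "P-3003", "duration_s": 600}
"""

# Assumed care assignments: the patients each user is expected to access
# under the minimum necessary standard.
ASSIGNMENTS = {
    "dr.lee": {"P-1001"},
    "nurse.kim": {"P-1001", "P-3003"},
}


def parse_audit_log(text):
    """Parse JSON-lines audit records, converting timestamps to datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def summarize_access(records):
    """Per (user, patient): how many times and for how long PHI was accessed."""
    summary = defaultdict(lambda: {"count": 0, "total_seconds": 0})
    for r in records:
        key = (r["user"], r["patient"])
        summary[key]["count"] += 1
        summary[key]["total_seconds"] += r["duration_s"]
    return dict(summary)


def find_findings(records, assignments):
    """Flag accesses outside a user's assignment and sessions without MFA."""
    findings = []
    for r in records:
        if r["patient"] not in assignments.get(r["user"], set()):
            findings.append(("outside_assignment", r["user"], r["patient"], r["ts"]))
        if not r["mfa"]:
            findings.append(("no_mfa", r["user"], r["patient"], r["ts"]))
    return findings


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for (user, patient), stats in sorted(summarize_access(recs).items()):
        print(f"{user:10} {patient}  accesses={stats['count']}  seconds={stats['total_seconds']}")
    for finding in find_findings(recs, ASSIGNMENTS):
        print("FINDING:", *finding)
```

When evaluating a vendor, ask whether its exported audit logs carry at least the fields this script relies on (authenticated user, whether MFA was satisfied, the PHI touched, and the duration); a log that records only "meeting started" cannot support the minimum necessary review HIPAA expects.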
HIPAA Compliant Video Conferencing: End-to-End Encryption
End-to-end encryption (E2EE) is a security feature that protects sensitive data from unauthorized access while it is in transit. E2EE converts PHI to a format that can only be read by the endpoints holding the decryption key. In the past, some video conferencing tools claimed to offer E2EE even though the service provider could still access the data. However, they have since remedied this by adding true E2EE to their service.
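The practical difference between "encrypted" and "end-to-end encrypted" is who holds the session key. The following added example (not code from the original article or from any vendor) models a video-conferencing relay in both configurations: in true E2EE mode the relay forwards ciphertext it cannot decrypt, while in the provider-accessible mode the relay also holds the session key and can recover every message it forwarded. The cipher here is an illustrative SHA-256 keystream with an HMAC tag, written with the standard library only so the example runs anywhere; a real product would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a maintained library. The class and function names are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Illustrative symmetric construction (example only, not production crypto):
#   keystream = SHA-256(key || nonce || counter), XORed with the plaintext
#   tag       = HMAC-SHA256(key, nonce || ciphertext)
# It exists only to make "who can decrypt" concrete.


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class RelayServer:
    """Hypothetical conferencing relay. With true E2EE it only forwards bytes;
    in provider-accessible mode it also holds a copy of the session key."""

    def __init__(self, escrowed_key=None):
        self.escrowed_key = escrowed_key
        self.forwarded = []

    def relay(self, blob):
        self.forwarded.append(blob)
        return blob

    def provider_can_read(self):
        """What the service provider could recover from traffic it relayed:
        None for each message when it holds no key, plaintext otherwise."""
        readable = []
        for blob in self.forwarded:
            if self.escrowed_key is None:
                readable.append(None)
            else:
                readable.append(decrypt(self.escrowed_key, blob))
        return readable


def run_session(true_e2ee, message=b"Patient P-1001: lab results discussed"):
    """Provider endpoint sends one message to the patient endpoint via the relay.
    The session key is negotiated between the two endpoints; with true E2EE the
    relay never receives it (constructed scenario)."""
    session_key = secrets.token_bytes(32)
    server = RelayServer(None if true_e2ee else session_key)
    blob = server.relay(encrypt(session_key, message))
    received = decrypt(session_key, blob)  # patient's endpoint
    return received, server.provider_can_read()


if __name__ == "__main__":
    for mode in (True, False):
        received, provider_view = run_session(mode)
        print("true E2EE" if mode else "provider holds key", "->",
              "patient read:", received, "| provider read:", provider_view)
```

Even with true E2EE the relay still sees metadata (who connected, when, for how long), which is why the BAA and audit-log questions above remain relevant regardless of the encryption model.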
HIPAA Compliant Video Conferencing: Peer-to-Peer Connection
Some video conferencing tools allow providers to connect directly to their patient’s device, while others pass the call through a third-party server. Although not mandated by HIPAA, using a peer-to-peer service offers more security and can also improve video quality.