Working from home and telehealth are becoming increasingly popular. Many businesses and health practices opt to meet with clients and patients virtually. Ebusiness offers many benefits: it lowers the cost of operations and allows businesses to serve clients and patients who would previously have been inaccessible. One platform that may be used for virtual meetings is GoToMeeting. However, before a HIPAA business associate (BA) or covered entity (CE) decides which platform to use, they must consider whether the platform is HIPAA compliant. That raises the question: is GoToMeeting HIPAA compliant?
GoToMeeting HIPAA Compliance
The short answer is yes, GoToMeeting is HIPAA compliant – when used properly. However, there are certain measures that must be in place before GoToMeeting can be used in conjunction with protected health information (PHI).
- Business associate agreement: a key factor in HIPAA compliance is the willingness to sign a business associate agreement (BAA); GoToMeeting is willing to sign a BAA. A BAA must be signed before a covered entity may use a business associate (BA) to create, maintain, store, receive, or transmit protected health information. A BAA is a legal contract that mandates that the business associate, in this instance GoToMeeting, has the proper safeguards to secure the PHI that is transmitted through their platform. Additionally, a BAA states that each signing party is responsible for maintaining their own compliance. Lastly, it determines which party is responsible for reporting a breach should one occur.
- Audit controls: audit controls monitor access to PHI. HIPAA requires organizations to access PHI only when necessary to perform a job function; this is the minimum necessary standard. Audit controls ensure that employees within an organization comply with this standard. GoToMeeting enables account managers to monitor PHI access, up to the exact minute, and pull audit logs.
- Integrity of PHI: the HIPAA Security Rule requires the integrity of PHI to be maintained. This means that PHI should not be improperly altered or destroyed. For HIPAA compliance, GoToMeeting enables integrity controls to prevent this from occurring.
- Integrity mechanism: corroborates that PHI is not altered or destroyed improperly. GoToMeeting uses Amazon Web Services (AWS) to implement integrity mechanisms, allowing session cloud recordings, meeting notes, and transcriptions of meetings.
- Person or entity authentication: verifies that users are permitted to access PHI. GoToMeeting enables this with unique login credentials for each user. Meetings can only be accessed with a unique code, with the ability to further secure meetings by requiring a password.
- Access controls: similar to authentication, access controls ensure that PHI is not accessed by unauthorized users.
- Transmission security: ensures that PHI in transit is secure. GoToMeeting addresses this with encryption. Encryption converts sensitive data into a format that is unreadable without a decryption key, preventing unauthorized access.