As working from home and telehealth become increasingly popular, it is important to consider telehealth and HIPAA compliance. Many businesses and health practices opt to meet with clients and patients virtually. Conducting business virtually offers many benefits: it lowers the cost of operations and allows businesses to serve clients and patients who would previously have been inaccessible.
However, before a HIPAA business associate (BA) or covered entity (CE) decides which platform to use, it must consider whether the platform is HIPAA compliant. The following discusses which teleconferencing tools are HIPAA compliant.
Telehealth and HIPAA Compliant Software Usage
Under HIPAA, software companies that “touch” PHI are considered business associates. For HIPAA compliant use, software must have technical and administrative safeguards securing the protected health information (PHI) that is transmitted, stored, received, maintained, or created through it.
Additionally, there must be a signed business associate agreement (BAA) before the platform can be used in conjunction with PHI. A BAA is a legal contract that requires the business associate to have the proper safeguards in place to secure the PHI transmitted through its platform. A BAA also states that each signing party, both the covered entity and the business associate, is responsible for maintaining its own compliance. Lastly, it determines which party is responsible for reporting a breach should one occur.
However, no software is HIPAA compliant straight out of the box, so it is up to the end user to configure and use the platform in a HIPAA compliant manner. The safeguards that need to be enabled and enforced include:
- Access controls. Provide users with unique login credentials so that PHI is accessible only to authorized users.
- User authentication. Verifies that users are who they claim to be, typically through multi-factor authentication (MFA). MFA requires more than one credential before access to sensitive information is granted (e.g., username and password plus biometrics or security questions).
- Audit controls. Log and monitor access to PHI so that each access can be checked against the minimum necessary standard.
- Automatic log-off. User sessions are terminated automatically after a set idle period (e.g., 5 or 10 minutes).
- Encryption. Prevents unauthorized access to PHI by converting data into a form that can be read only with the decryption key.
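To make the first four safeguards concrete, here is an added example, not code from the article or from any of the platforms it discusses, of a small in-memory telehealth service that enforces unique salted-and-hashed credentials, a second authentication factor, per-patient access control (a stand-in for the minimum necessary standard), an append-only audit log of every PHI access attempt, and automatic log-off after an idle period. The user names, patient identifiers, 10-minute timeout and the static second-factor code are constructed assumptions; a production system would use TOTP or hardware keys for MFA and a vetted library for encryption of PHI at rest, which this example deliberately leaves out.

```python
"""Constructed illustration of HIPAA technical safeguards (not from the page):
unique credentials, MFA, access control, audit logging and automatic log-off."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed idle window; HIPAA does not prescribe a number, the article suggests 5-10 minutes.
IDLE_TIMEOUT_SECONDS = 10 * 60


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, PBKDF2-SHA256 digest). Passwords are never stored in clear."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


@dataclass
class User:
    username: str            # unique login credential
    salt: bytes
    password_hash: bytes
    mfa_secret: str          # second factor; stand-in for a TOTP/hardware key
    allowed_patients: frozenset  # patients this user is authorised to see


@dataclass
class Session:
    username: str
    last_activity: float


class TelehealthService:
    def __init__(self, users: List[User], clock: Callable[[], float] = time.time):
        self.users: Dict[str, User] = {u.username: u for u in users}
        self.sessions: Dict[str, Session] = {}
        self.audit_log: List[dict] = []   # audit control: every attempt is recorded
        self.clock = clock

    def _audit(self, user, action, outcome, patient=None):
        self.audit_log.append({"ts": self.clock(), "user": user, "action": action,
                               "patient": patient, "outcome": outcome})

    def login(self, username: str, password: str, mfa_code: str) -> Optional[str]:
        """User authentication: password plus second factor, constant-time compares."""
        user = self.users.get(username)
        if user is None:
            self._audit(username, "login", "denied: unknown user")
            return None
        _, digest = hash_password(password, user.salt)
        if not hmac.compare_digest(digest, user.password_hash):
            self._audit(username, "login", "denied: bad password")
            return None
        if not hmac.compare_digest(mfa_code, user.mfa_secret):
            self._audit(username, "login", "denied: bad mfa")
            return None
        token = os.urandom(16).hex()
        self.sessions[token] = Session(username, self.clock())
        self._audit(username, "login", "success")
        return token

    def _active_session(self, token: str) -> Optional[Session]:
        """Automatic log-off: an idle session is discarded on its next use."""
        session = self.sessions.get(token)
        if session is None:
            return None
        if self.clock() - session.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            self._audit(session.username, "auto-logoff", "idle timeout")
            return None
        session.last_activity = self.clock()
        return session

    def view_record(self, token: str, patient_id: str) -> Optional[str]:
        """Access control: PHI is returned only to an authenticated, authorised user."""
        session = self._active_session(token)
        if session is None:
            self._audit(None, "view_record", "denied: no active session", patient_id)
            return None
        user = self.users[session.username]
        if patient_id not in user.allowed_patients:
            self._audit(user.username, "view_record", "denied: not in care team", patient_id)
            return None
        self._audit(user.username, "view_record", "success", patient_id)
        return f"[PHI for {patient_id}]"   # placeholder for the real record


class FakeClock:
    """Controllable clock so the idle timeout can be exercised without waiting."""
    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    """Walk through bad MFA, an authorised read, an unauthorised read and auto log-off."""
    clock = FakeClock()
    salt, digest = hash_password("correct horse")            # constructed credential
    clinician = User("dr_ada", salt, digest, "123456", frozenset({"P-001"}))
    svc = TelehealthService([clinician], clock=clock)
    results = {"bad_mfa": svc.login("dr_ada", "correct horse", "000000")}
    token = svc.login("dr_ada", "correct horse", "123456")
    results["own_patient"] = svc.view_record(token, "P-001")
    results["other_patient"] = svc.view_record(token, "P-999")
    clock.now += IDLE_TIMEOUT_SECONDS + 1                      # exceed the idle window
    results["after_idle"] = svc.view_record(token, "P-001")
    results["outcomes"] = [entry["outcome"] for entry in svc.audit_log]
    return results


if __name__ == "__main__":
    for line in demo()["outcomes"]:
        print(line)
```

Every denied attempt lands in the audit log with the same structure as a success, which is what lets a reviewer later confirm that PHI access stayed within the minimum necessary for each user rather than only confirming who logged in.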
Telehealth and HIPAA: Is Zoom HIPAA Compliant?
Yes, since Zoom has adequate security measures and is willing to sign a BAA, Zoom is HIPAA compliant when it is used and configured properly.
For more information on Zoom and HIPAA please click here.
Telehealth and HIPAA: Is GoToMeeting HIPAA Compliant?
Yes, since GoToMeeting has adequate security measures and is willing to sign a BAA, GoToMeeting is HIPAA compliant when it is used and configured properly.
For more information on GoToMeeting and HIPAA please click here.
Telehealth and HIPAA: Is Microsoft Teams HIPAA Compliant?
Yes, since Microsoft Teams has adequate security measures and is willing to sign a BAA, Microsoft Teams is HIPAA compliant when it is used and configured properly.
For more information on Microsoft Teams and HIPAA please click here.
Telehealth and HIPAA: Is Skype HIPAA Compliant?
No, Skype is not HIPAA compliant. However, Skype for Business is HIPAA compliant, provided the Enterprise E3 or E5 package is purchased.
For more information on Skype and HIPAA please click here.
Telehealth and HIPAA: Is FaceTime HIPAA Compliant?
No, FaceTime is not HIPAA compliant. Although it has the proper security measures, Apple is NOT willing to sign a BAA. Therefore, FaceTime cannot be used in conjunction with PHI.
For more information on FaceTime and HIPAA please click here.