What Is HIPAA-Compliant Videoconferencing?

October 10th, 2016

HIPAA-compliant videoconferencing is a form of telecommunication used in health settings, allowing multiple parties (e.g. doctor and patient) to communicate via two-way video and audio transmissions. It provides patients with the same privacy and confidentiality that applies to in-person visits, protecting their information and giving the same care to storage and dissemination of the video as to paper documents under the Health Insurance Portability and Accountability Act (HIPAA).

There are many advantages to videoconferencing with patients, rather than meeting them in-person. Some patients have limited mobility, making it difficult for them to physically visit a healthcare provider. Some patient follow-ups only require a quick conversation and don’t require a physical examination. For many patients, it may also be much more convenient to have a video conversation than to travel to doctor’s office.  An additional benefit is the cost savings; videoconferencing can be much cheaper than in-person visits.

For these reasons, virtual visits to healthcare providers are becoming more popular. Dr. Ateev Mehrotra, a Harvard Medical School researcher, estimates there will be at least a million virtual doctor visits this year alone. That doesn’t include dentists, therapists, and other healthcare professionals who may also use videoconferencing technology.

No matter what health services you provide, here’s how to make sure your videoconferencing complies with HIPAA and protects your patients’ privacy and confidentiality.

Protected Health Information and HIPAA

It’s important to understand protected health information (PHI) and how it’s defined and governed by the Health Insurance Portability and Accountability Act of 1996.

In a nutshell, PHI is demographic information, medical history, test and laboratory results, insurance information, and other data a healthcare professional collects to determine appropriate care for him or her. This includes everything from a patient’s birthdate to their blood type. Importantly, this information is also “identifiable;” i.e., one can tell who this information describes.

When a doctor and a patient discuss a medical issue on a video call, they’re electronically exchanging PHI. As such, videoconferencing must be HIPAA-compliant.

HIPAA is a large and complex piece of legislation, and any organization that needs to be HIPAA-compliant should go through the Act thoroughly. This overview of its four rules is only a starting point for ensuring compliance.

HIPAA’s four rules govern how PHI is stored, transmitted, accessed, and more. Like every other aspect of healthcare, videoconferencing needs to abide by these rules.

Privacy Rule

  • Establishes standards to protect medical records and other PHI
  • Requires appropriate safeguards to protect the privacy of PHI
  • Sets limits and conditions on when and how PHI can be used and disclosed without patient authorization
  • Gives patients rights over their health information, including the right to receive a copy of their health records

Security Rule

  • Establishes standards to safeguard electronic protected health information (ePHI*)
  • Requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI

*ePHI is any PHI that is produced, saved, transferred, or received in an electronic form, such as when PHI is exchanged during a videoconference.

Enforcement Rule

  • Relates to compliance and investigations
  • Imposes penalties for HIPAA violations and procedures for hearings

Breach Notification Rule

  • Requires HIPAA-covered entities to provide notification following a PHI breach

Make sure your organization understands each of these rules and how to comply with them before implementing any videoconferencing as part of the medical practice.

Best Practices for HIPAA-Compliant Videoconferencing

Because of the many specific rules surrounding PHI and ePHI, FaceTime or Skype just won’t cut it when it comes to videoconferencing for telehealth. For a video service to be HIPAA-compliant, it must:

  • Use encryption. To adequately protect patient data, a video service must use data encryption transmission technology.
  • Not store video transmissions. The video service provider cannot store video transmissions without your explicit approval, as this creates a huge risk for the security of the patient data.
  • Use appropriate security measures such as authentication, access auditing and reporting, well-defined per-user access controls, etc.
  • Be offered by a provider who will sign a business associate agreement (BAA). When a technology provider offers a service to a healthcare organization, it becomes a business associate as defined by HIPAA. HIPAA requires contracts between healthcare providers and business associates so that all PHI and ePHI is safeguarded appropriately. Don’t do business with a video service provider who will not sign a BAA — it’s critical to ensuring everyone understands their obligations under HIPAA.

When a video service meets these criteria, it’s considered as an option for videoconferencing for healthcare organizations. But once healthcare providers choose and implement a particular service, they need to do the following:

  • Consider how the organization will define its legal health record. If the legal health record includes the video recording, consider how your organization will respond to patient requests for copies of the information.
  • Educate patients on videoconferencing. Make sure patients understand the precautions taken to protect their health information. Advise them to be in a private place during the videoconference where no one else can see or hear the conversation. Recommend they use a secure, password-protected Wi-Fi network rather than a public connection at a coffee shop or public library.

Whether you are a dentist, a physician, a therapist, or any other kind of healthcare professional, videoconferencing offers many benefits. It also raises many privacy and security issues that must be addressed before using any video service. If you’re considering offering videoconferencing at your medical practice, take the time to carefully consider your obligations under HIPAA. Work with a video service provider who understands the HIPAA rules. Offer your patients the secure, protected videoconferencing experience they deserve.