
What Is HIPAA-Compliant Videoconferencing?

HIPAA-compliant videoconferencing is a form of telecommunication used in health settings, allowing multiple parties (e.g. doctor and patient) to communicate via two-way video and audio transmissions. It provides patients with the same privacy and confidentiality that applies to in-person visits, protecting their information and giving the same care to storage and dissemination of the video as to paper documents under the Health Insurance Portability and Accountability Act (HIPAA).

There are many advantages to videoconferencing with patients, rather than meeting them in person. Some patients have limited mobility, making it difficult for them to physically visit a healthcare provider. Some patient follow-ups only require a quick conversation and don’t require a physical examination. For many patients, it may also be much more convenient to have a video conversation than to travel to a doctor’s office. An additional benefit is the cost savings; videoconferencing can be much cheaper than in-person visits.

For these reasons, virtual visits to healthcare providers are becoming more popular. Dr. Ateev Mehrotra, a Harvard Medical School researcher, estimates there will be at least a million virtual doctor visits this year alone. That doesn’t include dentists, therapists, and other healthcare professionals who may also use videoconferencing technology.

No matter what health services you provide, here’s how to make sure your videoconferencing complies with HIPAA and protects your patients’ privacy and confidentiality.

Protected Health Information and HIPAA

It’s important to understand protected health information (PHI) and how it’s defined and governed by the Health Insurance Portability and Accountability Act of 1996.

In a nutshell, PHI is demographic information, medical history, test and laboratory results, insurance information, and other data a healthcare professional collects to determine appropriate care for a patient. This includes everything from a patient’s birthdate to their blood type. Importantly, this information is also “identifiable”; i.e., one can tell whom the information describes.

When a doctor and a patient discuss a medical issue on a video call, they’re electronically exchanging PHI. As such, videoconferencing must be HIPAA-compliant.

HIPAA is a large and complex piece of legislation, and any organization that needs to be HIPAA-compliant should go through the Act thoroughly. This overview of its four rules is only a starting point for ensuring compliance.

HIPAA’s four rules govern how PHI is stored, transmitted, accessed, and more. Like every other aspect of healthcare, videoconferencing needs to abide by these rules.

Privacy Rule

  • Establishes standards to protect medical records and other PHI
  • Requires appropriate safeguards to protect the privacy of PHI
  • Sets limits and conditions on when and how PHI can be used and disclosed without patient authorization
  • Gives patients rights over their health information, including the right to receive a copy of their health records

Security Rule

  • Establishes standards to safeguard electronic protected health information (ePHI*)
  • Requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI

*ePHI is any PHI that is produced, saved, transferred, or received in an electronic form, such as when PHI is exchanged during a videoconference.

Enforcement Rule

  • Relates to compliance and investigations
  • Imposes penalties for HIPAA violations and procedures for hearings

Breach Notification Rule

  • Requires HIPAA-covered entities to provide notification following a PHI breach

Make sure your organization understands each of these rules and how to comply with them before implementing any videoconferencing as part of the medical practice.

Best Practices for HIPAA-Compliant Videoconferencing

Because of the many specific rules surrounding PHI and ePHI, FaceTime or Skype just won’t cut it when it comes to videoconferencing for telehealth. For a video service to be HIPAA-compliant, it must:

  • Use encryption. To adequately protect patient data, a video service must encrypt the data it transmits.
  • Not store video transmissions. The video service provider cannot store video transmissions without your explicit approval, as this creates a huge risk for the security of the patient data.
  • Use appropriate security measures such as authentication, access auditing and reporting, well-defined per-user access controls, etc.
  • Be offered by a provider who will sign a business associate agreement (BAA). When a technology provider offers a service to a healthcare organization, it becomes a business associate as defined by HIPAA. HIPAA requires contracts between healthcare providers and business associates so that all PHI and ePHI is safeguarded appropriately. Don’t do business with a video service provider who will not sign a BAA — it’s critical to ensuring everyone understands their obligations under HIPAA.

When a video service meets these criteria, it can be considered an option for videoconferencing in a healthcare organization. But once healthcare providers choose and implement a particular service, they need to do the following:

  • Consider how the organization will define its legal health record. If the legal health record includes the video recording, consider how your organization will respond to patient requests for copies of the information.
  • Educate patients on videoconferencing. Make sure patients understand the precautions taken to protect their health information. Advise them to be in a private place during the videoconference where no one else can see or hear the conversation. Recommend they use a secure, password-protected Wi-Fi network rather than a public connection at a coffee shop or public library.

Whether you are a dentist, a physician, a therapist, or any other kind of healthcare professional, videoconferencing offers many benefits. It also raises many privacy and security issues that must be addressed before using any video service. If you’re considering offering videoconferencing at your medical practice, take the time to carefully consider your obligations under HIPAA. Work with a video service provider who understands the HIPAA rules. Offer your patients the secure, protected videoconferencing experience they deserve.
