What Is HIPAA-Compliant Videoconferencing?

HIPAA-compliant videoconferencing is a form of telecommunication used in health settings, allowing multiple parties (e.g., doctor and patient) to communicate via two-way video and audio transmissions. It provides patients with the same privacy and confidentiality that applies to in-person visits, protecting their information and giving the same care to storage and dissemination of the video as to paper documents under the Health Insurance Portability and Accountability Act (HIPAA).

There are many advantages to videoconferencing with patients rather than meeting them in person. Some patients have limited mobility, making it difficult to visit a healthcare provider physically. Some patient follow-ups only require a quick conversation and don’t require a physical examination. It may also be much more convenient for many patients to have a video conversation than to travel to a doctor’s office. Another benefit is the cost savings; videoconferencing can be much cheaper than in-person visits.

No matter what health services you provide, here’s how to make sure your videoconferencing complies with HIPAA and protects your patients’ privacy and confidentiality.

Protected Health Information and HIPAA

It is essential to understand protected health information (PHI) and how it is defined and governed by the Health Insurance Portability and Accountability Act of 1996.

In a nutshell, PHI is demographic information, medical history, test and laboratory results, insurance information, and other data a healthcare professional collects to determine appropriate care. This includes everything from a patient’s birthdate to their blood type. Importantly, this information is also “identifiable,” i.e., one can tell who this information describes.

When a doctor and a patient discuss a medical issue on a video call, they exchange PHI electronically. As such, videoconferencing must be HIPAA-compliant.

HIPAA is a large and complex piece of legislation, and any organization that needs to be HIPAA-compliant should go through the act thoroughly. This overview of its four rules is only a starting point for ensuring compliance.

HIPAA’s four rules govern how PHI is stored, transmitted, accessed, and more. Like every other aspect of healthcare, videoconferencing must abide by these rules.

Privacy Rule

• Establishes standards to protect medical records and other PHI
• Requires appropriate safeguards to protect the privacy of PHI
• Sets limits and conditions on when and how PHI can be used and disclosed without patient authorization
• Gives patients rights over their health information, including the right to receive a copy of their health records

Security Rule

• Establishes standards to safeguard electronic protected health information (ePHI*)
• Requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI

*ePHI is any PHI produced, saved, transferred, or received in an electronic form, such as when PHI is exchanged during a videoconference.

Enforcement Rule

• Relates to compliance and investigations
• Imposes penalties for HIPAA violations and procedures for hearings

Breach Notification Rule

• Requires HIPAA-covered entities to provide notification following a PHI breach

Ensure your organization understands the rules and how to comply with them before implementing any videoconferencing technology.

Best Practices for HIPAA-Compliant Videoconferencing

Because of the many specific rules surrounding PHI and ePHI, FaceTime or free versions of Zoom won’t cut it when it comes to HIPAA-compliant videoconferencing. For a video service to be HIPAA-compliant, it must:

• Use encryption. A video service must use data encryption transmission technology to protect patient data adequately.
• Not store video transmissions. The video service provider cannot store video transmissions without explicit approval, as this creates a considerable risk to the security of the patient data.
• Use appropriate security measures such as authentication, access auditing and reporting, well-defined per-user access controls, etc.
• Be offered by a provider who will sign a business associate agreement (BAA). When a technology provider offers a service to a healthcare organization, it becomes a business associate as defined by HIPAA. HIPAA requires contracts between healthcare providers and business associates so that all PHI and ePHI are safeguarded appropriately. Don’t do business with a video service provider who will not sign a BAA — it’s critical to ensure everyone understands their obligations under HIPAA.

When a video service meets these criteria, it may be considered an option for videoconferencing for healthcare organizations. But once healthcare providers choose and implement a particular service, they need to do the following:

• Consider how the organization will define its legal health record. If the legal health record includes the video recording, consider how your organization will respond to patient requests for copies of the information.
• Educate patients on videoconferencing. Make sure patients understand the precautions taken to protect their health information. Advise them to be in a private place during the videoconference where no one else can see or hear the conversation. Recommend they use a secure, password-protected Wi-Fi network rather than a public connection at a coffee shop or public library.

Conclusion

Whether you are a physician, a therapist, or any other kind of healthcare professional, videoconferencing offers many benefits. It also raises many privacy and security issues that must be addressed before using any video service. If you’re considering offering videoconferencing at your medical practice, carefully consider your obligations under HIPAA. Work with a video service provider who understands the HIPAA rules. Offer your patients the secure, protected videoconferencing experience they deserve.