HIPAA-compliant video conferencing implementation guide

What is HIPAA-compliant video conferencing?

Video-conferencing software like Zoom has been getting a lot of attention of late as more and more people turn to digital tools to communicate remotely, whether to stay connected with loved ones, keep work flowing, or communicate with clients.

Healthcare is certainly no exception. A global FICO study found that around 80% of people want to use their mobile phones to interact with doctors and other healthcare providers.

Digital healthcare solutions were already on the rise before the global outbreak COVID-19, but given the high risk of transmission and the enormous pressure healthcare providers are under, there is a greater need than ever for remote healthcare solutions that reduce interpersonal contact while allowing doctors to continue to deliver a high standard of care.

The challenge? Many popular video-conferencing tools simply aren’t HIPAA-compliant, which means they can’t legally be used to provide the remote care that’s called for. For instance, grave concerns have been raised around Zoom’s security.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) aims to protect patient privacy and ensure that patients have easy access to their medical records.

So what makes a video-conferencing tool HIPAA-compliant? When it comes to video conferencing, both the HIPAA Privacy Rule and the Security Rule apply.

In a nutshell, HIPAA-compliance means that any software used to store or communicate data pertaining to patients’ personal health information needs to adhere to stringent security and privacy standards. Let’s take a closer look at what that entails.

The basics of HIPAA-compliant video conferencing

With the growth of telehealth, video conferencing commonly involves the transmission of protected health information (PHI) including the following:

• Name or social security number
• Home or business address
• Dates (of appointments, payments, etc.)
• Telephone number, email address or fax number
• Medical record number
• Health plan or insurance number
• Payment information (e.g. account number)
• Device identifiers such as serial numbers
• Internet Protocol (IP) address or web URLs
• Biometric identifiers (fingerprint, retina scan or voice recording)
• Photographic images or video material
• Vehicle identifiers such as license or registration number
• Any other characteristics that may be used to identify an individual

HIPAA implementation essentials

There are a number of measures that healthcare industry stakeholders that deal with the transmission of ePHI can take to ensure that they remain HIPAA-compliant, particularly in the crowded video-conferencing landscape where non-compliance is running rife.

Let’s take a look at some of the key considerations.

End-to-end encryption

One of the critical considerations when it comes to video conferencing is ensuring that bad actors and unauthorized third parties cannot gain access to the video call or the data generated in the course of the call.

This raises the question of encryption. Does your video-conferencing software use encryption? How easy is it to access the encryption key? End-to-end encryption is the golden standard for HIPAA compliance because it means that only the devices used to make the video call have access to the encryption key.

Peer-to-peer connection

Another important question to consider is routing. Does the video connect your computer or handheld device directly to your patient’s device, or does it get routed through a server? Direct peer-to-peer routing makes for much faster and better quality video conferencing and offers security benefits. However, for true HIPAA-compliance, your video-conferencing tool should also be encrypted end-to-end.

BAAs

Business Associate Agreements (BAAs) are another essential aspect of HIPAA-compliance. This agreement stipulates that all concerned parties will take active measures to ensure that protected health information is appropriately safeguarded.

Vendor access and auditing

Another crucial consideration for HIPAA compliance is who has access to sensitive personal data. Video conferencing providers may protect patient data from outside eyes, but what about their own employees?

It’s crucial that vendors have administrative, physical, and technical safeguards in place to prevent unauthorized users from accessing any information classified as ePHI. For instance, only a select few authorized individuals should have sign-in credentials, all devices including smartphones and tablets should be password protected (preferably 2FA), and the video conferencing software itself should feature user authentication and be password protected.

Ideally, vendors should have robust auditing measures in place and be able to generate reports containing logs of who accessed each file containing ePHI, and when. This can be invaluable in protecting healthcare practitioners when isolated intentional violations occur, as well as in identifying and addressing vulnerabilities such as employees not being sufficiently familiar with compliance best practice.

Accidental violations

While tools like Zoom might technically qualify as HIPAA-compliant if they turn off certain features for healthcare users, you could still violate HIPAA regulations simply by sending your patient a meeting invitation or inadvertently storing their information in your Zoom account. This is why it’s important to partner with a vendor that understands the HIPAA regulations inside and out and help you to avoid violating them inadvertently.

How to choose HIPAA-compliant video conferencing

Building any video conferencing software from scratch is enormously complex and takes a lot of time and resources. With the added complication of needing to be HIPAA-compliant, this task becomes even more challenging.

It’s much, much easier to simply use an industry-leading video conferencing tool that’s HIPAA-compliant right out of the box and integrate that into your own telehealth app or platform. However, it’s vital that you select a video API that was built with HIPAA-compliance in mind from the start, instead of choosing one where it was merely added as an afterthought.

Here are some tips for choosing a HIPAA-compliant video-conferencing vendor:

• Make sure they offer a BAA
• Check whether they offer end-to-end encryption and which encryption standard they use
• Ask whether the calls are routed through a server or peer-to-peer
• Inquire as to their access control as well as audit control standards
• Find out what safeguards they have in place
• Read reviews and testimonials from other healthcare industry professionals that have used their software

Why choose Sendbird?

Sendbird’s high-quality 1-to-1 video call API is fully HIPAA-compliant, which means that healthcare providers including telemedicine and virtual healthcare service providers, healthcare clearinghouses, health plans, and health communities can safely send protected health information using the Sendbird API.

Sendbird’s SDK and API comply with the Health and Human Services guidelines established by HITECH and has organizational, administrative, technical, and physical safeguards in place to ensure the protection of sensitive PHI.

That’s why digital health providers including United Healthcare, Grand Rounds, Accolade, and Docplanner place their trust in Sendbird for in-app chat and video-conferencing capabilities.

As a guarantee of its dedication to HIPAA compliance, Sendbird will sign a Business Associate Agreement to demonstrate its commitment to protecting healthcare businesses’ electronic PHI and HIPAA privacy rules compliance. Sendbird will help you to make sure that you meet your compliance obligations.

With this knowledge, you can rest assured that your doctor-to-patient video calls as well as discussions between colleagues and consultations with specialists will remain securely encrypted and 100% HIPAA-compliant.

Ready to implement Sendbird’s HIPAA-compliant video calls into your healthcare app? Read this blog for a detailed walkthrough to help you roll out secure in-app video conferencing in under 15 minutes.

You can also read more about why Sendbird is the perfect in-app messaging, voice calling, and video call solution for digital healthcare providers or download our comprehensive guide to HIPAA compliance.