The use of sensitive patient data is strictly regulated by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Third parties have to comply with the rules and seek patient consent to disclose patient data. New technology solutions such as video calling and HIPAA-compliant video conferencing platforms have to be HIPAA-compliant and ensure that patient data is kept secure and confidential and that patient privacy is protected.
In the following sections top-ranking HIPAA-compliant solutions are reviewed…
Health Insurance Portability and Accountability Act (HIPAA): Overview
Protection of patient information from unauthorized use emerged from a strong global demand for protection of digital rights of consumers.
With the healthcare industry using electronic protected health information (ePHI), regulatory control became a necessity. In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was enacted to prevent unauthorized disclosure of sensitive patient data by those who had access to it, such as insurance providers, staff, doctors and nurses. Patient consent was made compulsory for third parties to disclose patient data.
Additional rules were introduced later under the Health Information Technology for Economic and Clinical Health (HITECH) Act so that security protocols were strictly implemented by solution providers.
Primarily, HIPAA specifies that these five safeguards are implemented for compliance:
1. HIPAA Security Rule:
- Providers have to ensure the security of patient data at the time of access, processing and storage, whether at rest or in transmission. Technical, administrative and physical safeguards have to be implemented.
2. HIPAA Privacy Rule:
- Obtaining patient consent
- Patient right to obtain their data from the healthcare provider
3. Breach Notification Rule:
- Notify patients and affected parties about a data leak and the methods used to mitigate it
4. Omnibus Rule:
- Business Associate compliance to access ePHI
- Fines and penalties on providers for a breach
Why Should HIPAA be Applied to Video Platforms?
As seen in the above sections, the laws regulating the use, storage and access of patient data have changed whenever the technologies have changed. With the onset of virtualization platforms the technology has changed again, requiring regulation of the video data generated by solutions such as video conferencing, video calling and similar platforms.
Already video platforms such as YouTube and Vimeo are HIPAA-compliant as they are categorized as Information Technology systems under HIPAA guidelines. Since video conferencing solutions too are part of the larger video-technologies platform, they are treated as IT Systems and have to be similarly compliant with HIPAA rules.
How can a Video Platform become HIPAA Compliant?
As video calling solutions can be defined as Information Technology systems because of the technology they use, the HIPAA Technical Safeguards (Rule 1 of the HIPAA Act) are applicable. According to this rule, Information Technology systems have to implement security features that align with NIST standards. Such compliance requires encryption of data in transit and at rest, since encryption turns the data into unreadable ciphertext. Thus encryption renders the data useless to hackers.
In the case of Video Data, encryption has to comply with FIPS 140-2 Encryption standards.
HIPAA-compliant video platform security features are:
1. Means of Access Control
- SSO and IAM integration – a unique username and password for every user, centrally controlled
- Defined permissions and access – authorization to access content, and permission restrictions on use, such as clause 164.312(a)(1), which prevents doctors from downloading patient information and sharing it onward.
2. Techniques to Authenticate ePHI
- Detect tampering – be able to identify whether a video file is the same as when it was uploaded or has been altered. For this feature it should use hashing mechanisms to prevent unauthorized parties from making changes (clause 164.312(c)(2)).
3. Encryption and Decryption
- FIPS compliance – use AES for NIST compliance, providing end-to-end encryption during video upload and storage, with decryption only by the video player
4. Auditing and Control
- Auditing system logs – to identify when a report was accessed, how, and what was done after it was accessed
- Activity logs – a time-based history of actions on the HIPAA video call platform, such as who viewed the data and what action followed accessing it
5. Login Time Out
- This feature automatically logs out users who are inactive after a fixed time period set by the admin. The standard timeout should be fixed at 15 to 30 seconds.
Hence, the above features protect the privacy and confidentiality of a patient's video data on a video calling platform.
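As an added illustration (not code from any of the platforms reviewed here), the following Python sketches three of the safeguards listed above: a keyed integrity tag on stored recordings (clause 164.312(c)(2)), a JSON-lines audit trail of each access, and the idle-session logout rule. The key, the store layout, the object ids and the idle limit are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed demo. The key would come from a KMS/HSM in a real deployment,
# and the idle limit is whatever the admin configures; both are assumed here.
IDLE_LIMIT_S = 15 * 60
KEY = b"example-server-side-key"

def integrity_tag(data: bytes, key: bytes = KEY) -> str:
    """HMAC-SHA256 over the stored bytes. Unlike a bare SHA-256, someone who
    alters the file cannot recompute a matching tag without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_integrity(data: bytes, expected_tag: str, key: bytes = KEY) -> bool:
    """Constant-time comparison so the check does not leak the tag byte by byte."""
    return hmac.compare_digest(integrity_tag(data, key), expected_tag)

def audit_entry(user: str, object_id: str, action: str, ok: bool, ts: float) -> str:
    """One JSON line per access: who, what, when and the outcome."""
    return json.dumps({"ts": int(ts), "user": user, "object": object_id,
                       "action": action,
                       "result": "ok" if ok else "integrity_failure"},
                      sort_keys=True)

def session_expired(last_activity_ts: float, now_ts: float,
                    idle_limit_s: int = IDLE_LIMIT_S) -> bool:
    """Auto-logout rule: true once the user has been idle for the whole limit."""
    return now_ts - last_activity_ts >= idle_limit_s

def open_recording(store: dict, log: list, user: str, object_id: str, ts: float):
    """Playback path: verify the tag before serving; log the access either way."""
    data, tag = store[object_id]
    ok = verify_integrity(data, tag)
    log.append(audit_entry(user, object_id, "view", ok, ts))
    return data if ok else None

def demo() -> tuple:
    """Upload, then tamper with the stored bytes; returns (served, denied, log)."""
    video = b"\x00\x00\x00\x18ftypmp42" + b"constructed-frame-data"  # fake MP4
    store = {"rec-001": (video, integrity_tag(video))}
    log: list = []
    served = open_recording(store, log, "dr.smith", "rec-001", 1_700_000_000)
    data, tag = store["rec-001"]
    store["rec-001"] = (data[:-1] + b"X", tag)  # out-of-band edit to the file
    denied = open_recording(store, log, "dr.smith", "rec-001", 1_700_000_060)
    return served, denied, log
```

The second access is refused and the audit line records `integrity_failure`, which is the event a reviewer of the activity logs would look for.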
In the following sections the top 5 HIPAA-compliant video platforms are reviewed…
Top-5 HIPAA-Compliant Video Conferencing Solutions of 2022
This video conferencing solution is primarily used for its branding customization feature. It offers a patient dashboard for custom branding, browser-based compliance with HIPAA, and accepts online payment. But, as a solution, it is priced very high at $49 per month for basic services like unlimited group video calls and intake forms.
This video conferencing solution is defined as the best HIPAA-compliant provider for mobile-based use. Its strong points are automated patient on-boarding, telehealth calls, texts and affordable plans. The free plan excludes video conferencing and does not have a desktop app. Charges are levied on a per-month basis for video conferencing, e-prescriptions and consultations.
We found this to be a popular HIPAA-compliant solution, as it uses high-end TLS and AES-256 encryption for communication protection. It does not require inbound open ports and is hence compliant with GDPR, SOC 2 Type 2 and CCPA. It is a white-label solution and allows you to use your own brand, custom features and colors, with a choice of on-premise or on-cloud hosting.
Contus Mirrorfly platform is massively scalable and can support up to one billion patients and doctors on a single video chat solution. It also has voice calling features SIP, VoIP for powerful functionalities. Other key features are in-app chat, video and voice for easier, faster and accurate exchange of patient data and related information.
This solution offers several products and services for programmable video, small group rooms and group rooms, a network traversal service, encrypted communication, signed webhook requests, HTTP authentication, a static proxy, and public key client validation. The HTTP basic auth feature supports a HIPAA-compliant workflow using media recordings. Twilio does not enforce authentication on the URLs it returns for accessing recordings, so these must be secured against unauthorized access.
This video conferencing software is used mainly for its overall HIPAA compliance – data privacy, affordability and an easy-to-use solution matrix. It has a free-to-use plan and a professional plan priced at $29 per month; for clinics it charges $42 per month, and it offers customized plans for enterprise-level usage. It is compliant with GDPR, HIPAA, PHIPA and PIPEDA, with a free Business Associate Agreement (BAA) for US providers. But it does not integrate medical devices or HD audio, nor can it be used for patient surveys.
HIPAA can only be a layer of security to protect patient data – be it files, text messages, phone calls or newer formats like video conferencing, video calls or telehealth. When solution providers become negligent about data protection, the damages are expensive and extensive. Therefore, implementing security protocols is the primary necessity. HIPAA rules are only the means to ensure these protocols are implemented and that there is no compromise by the solution providers. Hence, video call and video conferencing solutions will have to be HIPAA-compliant to remain relevant.