The Ultimate Guide to HIPAA Compliant Video Conferencing

...

What is HIPAA? 

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 protects patient privacy and provides easy access to their medical records. While medical appointments are typically held in person, the telehealth industry has boomed over the past few years. This has introduced patients' protected health information (PHI) to a new digital environment where their sensitive data, including the following, must be secured during a video conference:

  • Full name, social security number, & date of birth

  • Home address, phone number, & email address

  • Appointment dates, photos, videos, or biometric & vehicle identifiers

  • Medical records, insurance, & account numbers

  • IP address, device serial number, & web URLs

Who is Considered a HIPAA-Covered Entity?

Healthcare providers, health plans, and healthcare clearinghouses are considered to be the primary HIPAA-covered entities because they transmit protected health information (PHI) during virtual appointments, billing, payment, and treatment. However, non-profit organizations, institutions, or even individuals can also be covered entities depending on their role in care and treatment.

Regulatory Compliance Standards for HIPAA-Covered Entities 

HIPAA-covered entities are required to meet regulatory standards for legal compliance. If your practice plans to add video appointments to its list of offerings, it must meet the three standards below: 

1. HIPAA Privacy Rule: This regulation sets standards for the use of PHI and patients' rights to access their healthcare data and mandates that healthcare institutions and providers must post and share the Notice of Privacy Practices with clients.

2. HIPAA Security Rule: This regulation sets standards for the electronic transmission and storage of PHI and for computer and network access to and use of it.

3. HIPAA Breach Notification Rule: This rule sets specific standards for the procedures and reporting that covered entities must complete in the event of a data breach, ranging from minor (fewer than 500 affected) to meaningful (more than 500 affected).

5 HIPAA Compliance Requirements for Video Conferencing

The popularization of telemedicine has spotlighted PHI security during virtual appointments and paperwork completion. Video conferencing is a cornerstone technology used by remote providers and facilitates the transmission of protected health information (PHI) and electronic protected health information (ePHI). This puts the confidentiality, integrity, and availability of the information at risk, but fortunately, HIPAA-compliant video conferencing apps take a proactive approach to data protection.

Telehealth service providers can put administrative, technical, and physical safeguards in place to be confident in their compliance by ensuring their video conference tool meets these five requirements: 

1. BAAs 

Business Associate Agreements (BAAs) are essential to HIPAA compliance because they stipulate that all concerned parties take active measures to protect patient PHI. When shopping around for a video streaming solution for your medical practice, pay close attention to whether or not the vendor offers a signed BAA.

2. End-to-End Encryption

Malicious users and unauthorized third parties might try to gain access to data that is transmitted during your video call. End-to-end encryption (E2EE) is the gold standard for HIPAA compliance, but many popular video services, like Skype and FaceTime, do not meet it. This level of encryption ensures that only the devices used to make the video call can access the encryption key.

3. Peer-to-Peer Connection

Peer-to-peer video streaming contributes to heightened security by routing data directly from one user to another, bypassing intermediate servers. HIPAA-compliant video conferencing relies on P2P to ensure that if a secure connection cannot be established, the unsecured video encounter does not take place.

4. Vendor Access and Auditing

It is important to understand the internal data privacy policies of potential video conference vendors. Protecting data from bad actors is one thing, but what about the vendor's own employees? A HIPAA-compliant video provider must have administrative, physical, and technical safeguards in place to prevent unauthorized users from accessing any information classified as ePHI, along with robust auditing procedures that generate access logs to refer back to when investigating violations.

5. Accidental Violations 

While some common video conference tools, like Zoom, might check all the boxes regarding HIPAA compliance, your patient care team could still unintentionally violate regulations by sending a patient a meeting invitation or inadvertently storing their information in your practice's Zoom account. Partnering with a video vendor that understands HIPAA inside and out can help you avoid inadvertent compliance violations.

6 Best HIPAA-Compliant Video Conferencing Platforms

Building a video app from scratch is complex enough without taking HIPAA compliance into account. The video conference market is saturated, and it's much easier to find an industry-leading tool specifically designed with compliance in mind that integrates with your existing telemedicine platform.

1. Simple Practice Telehealth

Simple Practice Telehealth is user-friendly, HIPAA-compliant video conferencing software compatible with desktop and mobile devices that was specifically designed for healthcare professionals. It offers more than just virtual appointment technology: it also includes a seamless insurance processing feature for medical and mental health practitioners or anyone who needs to file insurance claims.

Pricing: $29/mo to $99/mo.

Platform Highlights:  

  • Online Scheduling: Free up your team's time and let patients take scheduling into their own hands with an easy-to-navigate online booking system.

  • Insurance Processing: This tool makes it simple to enter the patient's insurance details and the code for your services, then let the software take care of the rest for easy processing.

  • Screen Sharing: You can share notes, diagrams, charts, scan results, and more with patients during virtual appointments.

  • Autopay Billing: Your clients can set up auto payments to ensure they never skip a bill.

2. Google Meet

Google Meet can be configured to meet HIPAA compliance requirements by signing a business associate agreement (BAA) with Google, ensuring you are in administrator mode when entering the call, making the calendar invite private, and randomizing meeting identifiers, like the URL or dial-in number.

Pricing: $0/mo to $18/mo and an Enterprise plan with custom pricing.

Platform Highlights:

  • Live Captions: Virtual appointments can become more inclusive with advanced speech recognition technology to assist hard-of-hearing patients and providers. 

  • Recording: Healthcare practices can maintain an audit trail of virtual conversations where appropriate and authorized while staying HIPAA compliant.

  • Private Consultations: Google Meet enables patients to join their appointment from a private conference room, a laptop, or a mobile device, with a "waiting room" to ensure maximum privacy.

3. Zoom for Healthcare

Zoom is one of the most popular video conference tools on the market. However, the free version of Zoom is not HIPAA-compliant. Healthcare providers must look into the Zoom for Healthcare plan, which offers a wide range of HIPAA-compliant features.

Pricing: $149.99/mo to $199.90/mo.

Platform Highlights:  

  • Waiting Room: Patients can notify their doctor when they arrive in the virtual waiting room.

  • High-Definition Streaming: HD video and audio are always available.

  • Whiteboard: Perfect for writing down health plan recommendations or spelling out prescription names.

  • Recording: This plan allows for recording and transcription, which is helpful for further consultations.

  • Chat: Anything you or your client types into the Zoom chat box will be protected by HIPAA regulations, thanks to AES 256-bit encryption for all meeting data.

4. VSee

VSee is more than just video conferencing software for healthcare providers. It is an all-in-one tool for scheduling appointments, engaging in high-quality video calls, and managing patient forms.

Pricing: $0/mo to $49/mo and an Enterprise plan with custom pricing.

Platform Highlights:  

  • Easy Integration: VSee offers advanced integration capabilities that can connect to a patient's blood pressure cuff, a wireless scale, or even data from a Fitbit. Patients can share photos during their sessions, and providers can screen-share results from recent scans.

  • Walk-In Appointments: Patients can enter a virtual waiting room on VSee and see the estimated wait time for their appointment. Patients can watch videos and chat with members of your team while they wait as well.

  • Admin Management: In addition to HIPAA-compliant video, you can seamlessly combine intake forms, credit card payments, SMS reminders, and bookings in VSee.

5. doxy.me

doxy.me is a telemedicine video solution that meets HIPAA compliance standards and is also reliable, confidential, and user-friendly. The software offers a variety of plans and pricing options, including a free version. Its interface was designed with users of all ages in mind, making it the perfect solution for your general physician practice.

Pricing: $0/mo to $50/mo and an Enterprise plan with custom pricing.

Platform Highlights:  

  • No Downloads: doxy.me is a browser-based tool, so while there is no mobile access, there is also no need for your patients to download anything in advance, which is helpful for more mature patients who aren't as tech-savvy.

  • Worldwide Usage & Compliance: No matter where in the world your patients are located, doxy.me is HIPAA, GDPR, PHIPA/PIPEDA, and HITECH compliant.

  • Custom Waiting Room: You can personalize your waiting room with your image or logo so clients can rest assured they're in the correct location. You can also rearrange the queue if you see a client check in late.

6. GoToMeeting

GoToMeeting is a video conference solution with everything doctors and healthcare organizations need to stay connected. It is HIPAA compliant with a BAA, AES 256 encryption, and security features like one-time passwords, meeting locks, disabled recordings, and in-session chat.

Pricing: $12/mo to $16/mo and an Enterprise plan with custom pricing.

Platform Highlights:  

  • High-Definition Video: HD video and audio are always available.

  • Locked Meetings: You can lock your "office" and keep other patients who arrive early out of your current confidential call.

  • No Time Limits: GoToMeeting does not impose meeting time limits, so providers can spend as much time as they need to give top-quality care to each patient.

  • Screen Sharing: Patients and providers can share documents during their call and after.

  • Chat: HIPAA-compliant chat allows patients to talk with and send attachments to their doctor with confidence.

How to Build A HIPAA-Compliant Video Solution

If your practice's needs are unique and none of the services above seem like the right fit, consider building your own solution. Your telehealth app can easily integrate a video API to make the development process quicker and more feature-rich than if you were to engineer complex functionalities in-house. Customize your virtual waiting room by implementing an in-app chat API and enhance your digital appointment experience with high-quality live video streaming.

Frequently Asked Questions

1. Is Zoom video conferencing HIPAA compliant?
No, the basic Zoom video conferencing plan is not HIPAA compliant. However, Zoom has a healthcare-specific plan that does meet regulatory standards.

2. Is FaceTime HIPAA compliant?
No, while FaceTime does have a signed BAA, it is still not HIPAA compliant and should not be used in a telehealth capacity.

3. What makes a video platform HIPAA compliant?
End-to-end encryption is the key to earning HIPAA compliance. The video solution should also offer a direct P2P connection, vendor auditing, BAAs, and accidental violation protocol.

4. What free video conferencing is HIPAA compliant?
Several video solutions offer free plans and meet HIPAA standards, including doxy.me and VSee. 

Final Thoughts

If your medical practice would like to incorporate video into its patient care offerings, it's crucial that the video conference service you choose meets HIPAA standards and is dedicated to staying up to date on any compliance changes.

The most important things are to protect your patients and their data and make them feel comfortable engaging with your practice. By integrating a HIPAA-compliant video solution, like one of the options listed above, you can deliver a safe and trustworthy experience to your patients.