How does HIPAA apply to virtual consultations?

Virtual consultations and appointments follow the same requirements as in-person ones, so it is extremely important to ensure compliance. There are no differences in your duty to protect patient data and files, and it goes even a bit further by protecting any images or video recordings from patient sessions.

I use Skype and FaceTime at home, are these compliant?

No. You will need to go beyond the consumer-level of video conferencing software and get a platform that is tailored specifically to medical practitioners to make sure you are adhering to HIPAA compliance.

Is Zoom HIPAA Compliant?

As mentioned in the detailed review, the consumer-facing free version of Zoom is not HIPAA compliant, and even the paid version for businesses doesn’t hit the mark. If you choose Zoom, you must choose Zoom for Healthcare.

Are my video sessions stored on the platform I choose?

There is no reason that your platform should be storing video logs of patient calls and chats, as this creates a dangerous risk of exposing patient data and other security breaches. Ensure that the platform you choose does not store any of these files on their own system in any way.

What is a Business Associate Agreement and why is it important?

HIPAA laws require that a business associate performs the activities on behalf of the provider, such as transcription, legal consultation, and accounting. Software platform vendors also fall under this category, so it is required by HIPAA laws that these vendors also sign an agreement similar to your office’s legal team to protect health information. Any pushback from a vendor on this is a red flag, so look elsewhere if the software you choose is unwilling to sign a BAA.

HIPAA-Compliant Video Conferencing Software for Telehealth

Jump to ↓

Healthcare professionals need HIPAA-compliant web conferencing software to provide secure telehealth appointments, integrate with remote patient monitoring devices, and collaborate with other care team members.

As conversations around privacy and security persist in both SaaS and healthcare spaces, many still struggle to understand what to look for in HIPAA-compliant video conferencing tools.

Medical professionals must understand the difference between public-facing and private web conferencing tools to ensure their video conferencing software is truly HIPAA-compliant.

Here, we outline HIPAA compliance standards within video conferencing, best practices, and top providers.

Video conferencing software from top providers

What is HIPAA?
Requirements
Best Practices
Top Software
FAQs

What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) is a 1996 federal law implemented by the US Department of Health and Human Services that standardizes the ways in which covered entities and business associates share, use, and store protected health information (PHI).

PHI is defined as individually identifiable health information and includes:

Past/present medical records
Physical and mental health diagnoses
Demographic data (name, address, social security number, phone/fax numbers, email address, etc.)
Health and insurance plan information
Biometric data

HIPAA was established to:

Give patients some control over who can access their protected health information and why
Establish the legal, technical, physical, and organizational requirements covered entities must adhere to when dealing with electronic protected health information (e-PHI)
Allow covered entities to disclose PHI only when developing/coordinating the individual’s treatment plan, collecting payment, and/or managing basic provider operations

“Covered entities” are individuals, organizations, and institutions that electronically transmit health information in connection with standardized HHS transactions like insurance claims/coverage and healthcare billing/payments. Covered entities include healthcare providers, insurers offering healthcare plans, and healthcare clearinghouses. There are some exceptions to HIPAA requirements relating to specific definitions of covered entities.

“Business Associates” are not necessarily healthcare professionals/healthcare staff, but are entities or individuals that perform tasks/services requiring access to PHI. BAs can be IT professionals, legal/consulting service providers, administrators, data transmission service providers, and more.

HIPAA Compliance Requirements for Video Conferencing

HIPAA regulations require compliance with the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. All covered entities, including healthcare providers offering telehealth services via video conferencing platforms, must meet HIPAA standards and follow HIPAA rules and compliance requirements.

The HIPAA Privacy Rule

The HIPAA Privacy Rule outlines legal disclosure and confidentiality requirements for written, oral, and electronic PHI. It focuses on maintaining patient privacy and allowing the patient to control how their PHI is used and shared. It advocates for the “minimum necessary rule,” which states that covered entities/business associates should disclose the least possible amount of PHI required to complete an action.

It also requires covered entities and BAs to:

Give patients a Notice of Privacy Practices (NPP) that outlines an individual’s right to privacy and how PHI is used/disclosed
Provide individuals with written/electronic copies of their health records
Obtain consent to disclose PHI
Allow individuals to make corrections to their PHI
Allow individuals the right to restrict certain PHI data
Provide individuals with an accounting of disclosures outlining the name, data, description, and purpose of external PHI disclosure
Keep PHI and other patient records physically and technically secure
Create and maintain workplace rules for maintaining PHI/patient confidentiality, and appoint a person to manage and monitor the implementation of these rules in the workplace

The HIPAA Security Rule

Specific to electronic protected health information (e-PHI), the HIPAA Security Rule outlines physical, technical, and administrative security standards/practices covered entities must have in place to prevent unauthorized access/disclosure of e-PHI. Because the Security Rule deals exclusively with digital/electronic health data, it is especially relevant to HIPAA-compliant video conferencing.

HIPAA Security Rule requires covered entities and BAs to put the below physical, technical, and administrative security practices and safeguards in place:

Administrative Safeguards:

Conduct risk analysis and apply risk management strategies to protect e-PHI
Create an emergency plan to respond and restore to leaked/lost data
Develop access management strategies to limit who has access to e-PHI data
Train staff to create/maintain uniform e-PHI security standards

Physical Safeguards:

Use physical locks, alarms, privacy screens, and more to prevent unauthorized data access and hardware theft
Limit physical access to buildings housing e-PHI data and relevant servers (security guards, ID, locks, etc.)
Develop an employee acceptable use policy/code of conduct to control workstation access and activities

Technical Safeguards:

Ensure any equipment/software storing e-PHI data has access and integrity controls, auditing and activity monitoring, and secure data transmission

The HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires all covered entities to notify affected individuals, the Secretary of HHS, and (in some cases) the media in the event of a data breach.

A HIPAA data breach is defined as the impermissible use or disclosure of unsecured PHI.

Best Practices for HIPAA-Compliant Video Conferencing

All covered entities, including healthcare providers offering telehealth services via video conferencing platforms, must follow HIPAA compliance requirements.

Many video calling platforms come with built-in HIPAA compliance, though often only on higher-tiered plans. However, video chat apps like Facetime and Skype, do not meet HIPAA standards. Even if the software is HIPAA-compliant, the covered entity will still be held responsible for any breaches–so follow these additional best practices:

Business Associate Agreement (BAA): Only work with webinar and video conferencing tools offering a BAA (Business Associate Agreement) in addition to standard HIPAA compliance. A BAA is a legal contract that defines how the video conferencing platform–and any third-party vendors it works with–protects PHI to maintain HIPAA compliance. BAAs establish the liabilities and consequences the web conferencing provider will face if HIPAA compliance is breached, as well as the protocols the provider must follow to properly alert healthcare providers and patients.
Peer-to-Peer Connection: Peer-to-peer routing establishes a direct connection between your device and your client’s, avoiding transmitting data through an additional server that may not provide secure data transmission. Look for providers offering peer-to-peer connection verification for audio and video–especially if employees use personal devices with custom configuration settings.
End-to-End Encryption: SSL/TLS end-to-end encryption (E2EE) encrypts data in transit and at rest, preventing hackers from intercepting audio and video data exchanged during a video conference. E2EE essentially “scrambles” this data, rendering it unreadable to anyone without an enrolled device encryption key. Not all web conferencing software offers E2EE for both audio and video calls, so confirm with your provider.
Access Control and User Authentication: A quality telehealth video conferencing app includes extensive access control and user authentication features like multi-factor authentication, user verification via biometric data, and password-protected video calling. Many providers send out real-time desktop and mobile device alerts for suspicious or unfamiliar login attempts.
Audit Logging and Activity Monitoring: Choose a video conferencing solution offering 24/7/365 activity and network monitoring, which gives covered entities a complete record of all user logins/attempted logins, network activity, data access, session timestamps, and logouts. Having a detailed audit trail is especially essential in the event of an audit or data breach.
Secure Network Access: Instruct employees and patients to use a secure, password-protected Internet connection when attending telehealth appointments–never public WiFi.