Healthcare professionals need HIPAA-compliant web conferencing software to provide secure telehealth appointments, integrate with remote patient monitoring devices, and collaborate with other care team members.
As conversations around privacy and security persist in both SaaS and healthcare spaces, many still struggle to understand what to look for in HIPAA-compliant video conferencing tools.
Medical professionals must understand the difference between public-facing and private web conferencing tools to ensure their video conferencing software is truly HIPAA-compliant.
Here, we outline HIPAA compliance standards within video conferencing, best practices, and top providers.
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) is a 1996 federal law implemented by the US Department of Health and Human Services that standardizes the ways in which covered entities and business associates share, use, and store protected health information (PHI).
PHI is defined as individually identifiable health information and includes:
- Past/present medical records
- Physical and mental health diagnoses
- Demographic data (name, address, social security number, phone/fax numbers, email address, etc.)
- Health and insurance plan information
- Biometric data
HIPAA was established to:
- Give patients some control over who can access their protected health information and why
- Establish the legal, technical, physical, and organizational requirements covered entities must adhere to when dealing with electronic protected health information (e-PHI)
- Allow covered entities to disclose PHI only when developing/coordinating the individual’s treatment plan, collecting payment, and/or managing basic provider operations
“Covered entities” are individuals, organizations, and institutions that electronically transmit health information in connection with standardized HHS transactions like insurance claims/coverage and healthcare billing/payments. Covered entities include healthcare providers, insurers offering healthcare plans, and healthcare clearinghouses. There are some exceptions to HIPAA requirements relating to specific definitions of covered entities.
“Business Associates” are not necessarily healthcare professionals/healthcare staff, but are entities or individuals that perform tasks/services requiring access to PHI. BAs can be IT professionals, legal/consulting service providers, administrators, data transmission service providers, and more.
HIPAA Compliance Requirements for Video Conferencing
HIPAA regulations require compliance with the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. All covered entities, including healthcare providers offering telehealth services via video conferencing platforms, must meet HIPAA standards and follow HIPAA rules and compliance requirements.
The HIPAA Privacy Rule
The HIPAA Privacy Rule outlines legal disclosure and confidentiality requirements for written, oral, and electronic PHI. It focuses on maintaining patient privacy and allowing the patient to control how their PHI is used and shared. It advocates for the “minimum necessary rule,” which states that covered entities/business associates should disclose the least possible amount of PHI required to complete an action.
It also requires covered entities and BAs to:
- Give patients a Notice of Privacy Practices (NPP) that outlines an individual’s right to privacy and how PHI is used/disclosed
- Provide individuals with written/electronic copies of their health records
- Obtain consent to disclose PHI
- Allow individuals to make corrections to their PHI
- Allow individuals the right to restrict certain PHI data
- Provide individuals with an accounting of disclosures outlining the name, date, description, and purpose of each external PHI disclosure
- Keep PHI and other patient records physically and technically secure
- Create and maintain workplace rules for maintaining PHI/patient confidentiality, and appoint a person to manage and monitor the implementation of these rules in the workplace
The HIPAA Security Rule
Specific to electronic protected health information (e-PHI), the HIPAA Security Rule outlines physical, technical, and administrative security standards/practices covered entities must have in place to prevent unauthorized access/disclosure of e-PHI. Because the Security Rule deals exclusively with digital/electronic health data, it is especially relevant to HIPAA-compliant video conferencing.
HIPAA Security Rule requires covered entities and BAs to put the below physical, technical, and administrative security practices and safeguards in place:
Administrative Safeguards:
- Conduct risk analysis and apply risk management strategies to protect e-PHI
- Create an emergency plan for responding to leaked or lost data and restoring it
- Develop access management strategies to limit who has access to e-PHI data
- Train staff to create/maintain uniform e-PHI security standards
Physical Safeguards:
- Use physical locks, alarms, privacy screens, and more to prevent unauthorized data access and hardware theft
- Limit physical access to buildings housing e-PHI data and relevant servers (security guards, ID, locks, etc.)
- Develop an employee acceptable use policy/code of conduct to control workstation access and activities
Technical Safeguards:
- Ensure any equipment/software storing e-PHI data has access and integrity controls, auditing and activity monitoring, and secure data transmission
The HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires all covered entities to notify affected individuals, the Secretary of HHS, and (in some cases) the media in the event of a data breach.
A HIPAA data breach is defined as the impermissible use or disclosure of unsecured PHI.
Best Practices for HIPAA-Compliant Video Conferencing
All covered entities, including healthcare providers offering telehealth services via video conferencing platforms, must follow HIPAA compliance requirements.
Many video calling platforms come with built-in HIPAA compliance, though often only on higher-tiered plans. However, consumer video chat apps like FaceTime and Skype do not meet HIPAA standards. Even if the software is HIPAA-compliant, the covered entity will still be held responsible for any breaches–so follow these additional best practices:
- Business Associate Agreement (BAA): Only work with webinar and video conferencing tools offering a BAA (Business Associate Agreement) in addition to standard HIPAA compliance. A BAA is a legal contract that defines how the video conferencing platform–and any third-party vendors it works with–protects PHI to maintain HIPAA compliance. BAAs establish the liabilities and consequences the web conferencing provider will face if HIPAA compliance is breached, as well as the protocols the provider must follow to properly alert healthcare providers and patients.
- Peer-to-Peer Connection: Peer-to-peer routing establishes a direct connection between your device and your client’s, avoiding transmitting data through an additional server that may not provide secure data transmission. Look for providers offering peer-to-peer connection verification for audio and video–especially if employees use personal devices with custom configuration settings.
- End-to-End Encryption: SSL/TLS end-to-end encryption (E2EE) encrypts data in transit and at rest, preventing hackers from intercepting audio and video data exchanged during a video conference. E2EE essentially “scrambles” this data, rendering it unreadable to anyone without an enrolled device encryption key. Not all web conferencing software offers E2EE for both audio and video calls, so confirm with your provider.
- Access Control and User Authentication: A quality telehealth video conferencing app includes extensive access control and user authentication features like multi-factor authentication, user verification via biometric data, and password-protected video calling. Many providers send out real-time desktop and mobile device alerts for suspicious or unfamiliar login attempts.
- Audit Logging and Activity Monitoring: Choose a video conferencing solution offering 24/7/365 activity and network monitoring, which gives covered entities a complete record of all user logins/attempted logins, network activity, data access, session timestamps, and logouts. Having a detailed audit trail is especially essential in the event of an audit or data breach.
- Secure Network Access: Instruct employees and patients to use a secure, password-protected Internet connection when attending telehealth appointments–never public WiFi.
Top HIPAA-Compliant Video Conferencing Software
The following video conferencing software is HIPAA compliant:
- Zoom for Healthcare
- SimplePractice
- RingCentral for HealthCare
- doxy.me
- GoTo Meeting for Healthcare
- VSee
Zoom for Healthcare
Zoom for Healthcare is a cloud-based HIPAA, HITECH, and PIPEDA-compliant web conferencing platform with in-meeting whiteboarding, chat, screen and file sharing, and real-time captioning. Medical professionals can opt to add a VoIP phone system to streamline business communications to one platform.
Key features include:
- Medical device integration for remote patient monitoring (integrates with exam cameras, digital stethoscopes, electronic health records (EHR), etc.)
- Zoom Rooms hardware (Kiosk Mode for patient check-ins, digital signage for in-room alerts)
- In-meeting access to third-party integrations
- Local on-demand/automatic video call recording and transcription; recordings can be shared with other clinicians
- Integrations with healthcare software/apps like Epic, Medicare PRO, TherapyAppointment, and IntakeQ
Zoom for Healthcare is best for medium-sized healthcare practices needing a BAA, scalability, a familiar interface, and integration with Zoom Rooms hardware for blended telehealth services between patients and in-house/remote care teams. Pricing is quote-based.
SimplePractice
SimplePractice is an all-in-one EHR solution offering HIPAA-compliant telehealth sessions alongside appointment management, insurance claims filing assistance, a client communication portal, and billing assistance.
Key features include:
- Desktop/mobile client portal functionality for appointment scheduling, bill payment, form completion, secure chat messaging, and notifications
- Pre-built templates for consultation intake forms, patient information collection, treatment plans, client assessments, note-taking, etc.
- Instant video calls via link sharing, in-call features like whiteboarding, chat, recording, telehealth timer to track elapsed session time and enforce time limits
- Meeting waiting rooms, HIPAA/HITRUST certification, E2EE, 24/7 network monitoring, penetration testing
SimplePractice is best for enterprise or more established healthcare professionals needing complete EHR software with advanced video calling features like high-quality screen sharing and co-annotation for in-session patient engagement. Both solo and group practice plans are available, ranging from $29-$158/month and up.
RingCentral for HealthCare
RingCentral for Healthcare is a user-friendly HIPAA-compliant cloud UCaaS platform offering telehealth video calling with in-session chat, live meeting transcriptions, breakout rooms, screen/file sharing, and delegate scheduling for easier appointment management.
Key features include:
- File sharing and co-annotation (ideal for updating patient charts, enabling care team coordination and in-appointment collaborative note-taking)
- Activity log with compliance exports
- AI noise cancellation, virtual background, HD video call quality
- Omnichannel appointment scheduling (phone, website chat, etc.) with automated appointment reminders and customizable follow-ups
- 24/7 customer support, 99.999% uptime SLA, SOC 3 and HITRUST certification, end-to-end encryption for video and messaging
RingCentral has a robust and secure mobile app with in-call flip ideal for health professionals and patients on the go, as well as advanced AI analytics providing greater insight into the patient experience. Pricing is quote-based.
doxy.me
doxy.me is a browser-based, HIPAA-compliant telehealth solution offering advanced real-time patient management, teleconsent, SMS text and email patient/provider notifications, file sharing, whiteboarding, and real-time interpreters.
Key features include:
- HIPAA/GDPR/PHIPA/PIPEDA compliance, custom BAA, E2EE, SOC 2 compliance, breach insurance, custom security review, virtual waiting room, meeting passcode
- Shared rooms and shared room access for coordination between medical care teams, family members, etc.
- Transfer Patient feature lets users digitally transfer patients between waiting rooms and assign patients to specific providers
- Patient Queue lets users see which patients have checked in, where patients are in the check-in process, who is in the secure video chat waiting room, etc.
- Custom branding, custom waiting room with video/text/pictures, dedicated landing page for telemedicine appointments
doxy.me is best for healthcare providers who see a high volume of patients every day, need to coordinate patient information between multiple providers, and need workflow automation for more routine tasks like payment and appointment reminders and data/form collection. doxy.me has one free plan and 3 paid plans from $30-$50/provider/month and up.
GoTo Meeting for Healthcare
GoTo Meeting is a HIPAA-compliant web conferencing solution with unlimited meetings, chat messaging, personal custom meeting room links, and screen sharing/co-annotation. It can be used as a standalone tool or as a part of the larger GoTo business communications system.
Key features include:
- AES 256-bit encryption, signed BAA, risk-based authentication, one-time passwords, meeting locks, the ability to disable meeting recordings, 24/7 customer support, SSO
- API integrations with third-party apps like Epic, Curve Dental, MacPractice, Calendly, Slack, Microsoft Teams, etc.
- Smart Assistant for automated in-meeting note-taking
- Meeting recording/transcription
- Commuter Mode for on-the-go telehealth with color-coded, distraction-free buttons, reduced bandwidth usage, and data savings
GoTo Meeting for Healthcare is best for smaller medical practices and healthcare organizations that need affordable and basic HIPAA-compliant video conferencing solutions. Pricing is quote-based.
VSee
VSee is a patient-focused HIPAA and Business Associate Agreement-certified video communications and practice management platform.
VSee’s Everyday Health feature directly engages patients outside of a single telemedicine appointment by allowing providers to both set and monitor patient wellness goals. It integrates with devices like Fitbit, blood pressure monitors, wireless scales, and more. Through the VSee mobile app, patients can also send photographs to their healthcare provider, create and share mood charts, and even upload food diaries.
Key features include:
- Waiting room for scheduled patient video calls and virtual walk-in patients with wait time monitoring, live chat support, and waiting room entertainment
- PTZ camera control with peripheral streaming for remote examinations (shows ultrasound, EKG, and otoscope images alongside patient video stream)
- Electronic prescriptions and virtual custom intake forms
- Live annotation and screen sharing for lab test result sharing, CT scans, patient photographs, etc.
- Patient self-scheduling and post-visit patient surveys
- Auto-confirmations via SMS and email
- VSee compatible medical equipment
VSee offers 1 free plan and 3 paid plans from $29-$49/provider/month and up. VSee is best for walk-in clinics and businesses seeking Zoom alternatives for telemedicine.
FAQs
Below, we've answered top FAQs about HIPAA-compliant video conferencing software.