Does your practice leverage the best HIPAA compliant video conferencing solution available to it? With the Centers for Medicare & Medicaid Services (CMS) recently waiving HIPAA privacy laws, clinicians can now select from an array of commercial video conferencing solutions to perform telemedicine services. However, does that mean they should? What could happen to patient data if a non-HIPAA compliant video conferencing solution allowed hackers to infiltrate their application and its data?
Zoom is inarguably one of the leading video conferencing providers. But is Zoom HIPAA compliant? What’s the difference between Zoom vs. MegaMeeting? And why does HIPAA compliance matter, anyway?
In this blog, we’ll answer these and other questions about HIPAA compliant video conferencing for your healthcare organization.
HIPAA: Keeping Patient Data Safe Since 1996
HIPAA still matters to doctors and patients. HIPAA is the Health Insurance Portability and Accountability Act of 1996. This legislation sets privacy standards for patient information. It was a landmark law that couldn’t have come at a better time.
In 1996, most healthcare providers were well on their way to replacing their paper charting with digital tools like electronic health records (EHRs). Suddenly, much of our health data could be accessed via the Internet. The Department of Health and Human Services (HHS) and Congress decided to determine and set forth privacy regulations for our individual digital health information to protect patients from data breaches and identity theft.
Fast forward to 2020, where a global pandemic has a firm hold on America and the world. Due to the Covid-19 pandemic, Telehealth, or virtual clinical visits, has gained widespread popularity as a tool for social distancing. It is estimated that more than one billion telehealth visits will take place in 2020. To open the floodgates to accommodate telehealth demand, CMS announced policy changes that waived HIPAA requirements. Now doctors can select any commercial video conferencing solution, whether it meets HIPAA standards or not.
While easing HIPAA standards lets doctors quickly ramp up telemedicine services for patients, what happens if the commercial video conferencing solution fails to keep patient data safe?
What Makes a Video Conferencing Solution HIPAA Compliant?
HIPAA sets rules to ensure the security of patients' protected health information (PHI). Any organization that transmits or stores digital PHI is required to abide by these rules. This could include doctors, hospitals, dentists, clinics, health insurance carriers, pharmacies, and even chiropractors. But it also requires organizations that handle PHI in any form to keep it safe. This includes the video conferencing solutions that healthcare providers use to provide virtual consultations to their patients.
HIPAA is divided into two primary categories:
· The Privacy Rule permits healthcare organizations to share patient data with authorized entities, while still keeping it safe from everyone else. It requires a Notice of Privacy Practices that tells the patient how their data is used.
· The Security Rule requires these organizations to set up and maintain administrative, physical, and technical safeguards for the protection of PHI. This includes setting privacy restrictions for the data in transit and at rest. This data could be information from EHRs, test results, X-rays, prescriptions, and general health data.
This rule requires secured connections that are encrypted from end-to-end. It also requires physical safeguards for the equipment that houses the data. It sets training standards for staff handling PHI so they don’t inadvertently violate HIPAA rules. Finally, it requires extensive IT security protocols for networks, hardware, software, authentication, and more.
Complying with HIPAA means that organizations take significant steps to protect PHI. The alternative, however, is unthinkable. Imagine the ramifications to your practice if cybercriminals could steal patient data or their identities. Private test results, health conditions, and more could be shared with others online. Social Security and payment information could be stolen. The trust between providers and patients would be severed. These are all reasons why HIPAA still matters to our patients and practices, and why you should be careful to select the best HIPAA compliant video conferencing solution.
Best HIPAA Compliant Video Conferencing
Zoom is now one of the most popular commercial video conferencing solutions. Some reports suggest the provider has seen a 535% increase in traffic since the beginning of 2020.
But is Zoom a HIPAA compliant video conferencing solution? The Zoom website suggests that the provider:
· Encrypts patient data transmitted across the Internet.
· Has multiple layered controls for accessing the service.
· Offers a business services agreement to healthcare clients.
On the surface, it would appear Zoom is a HIPAA compliant video conferencing service. But the HIPAA Journal has some concerns. In 2018, the journal did indeed report that Zoom was HIPAA compliant. However, a March 2020 update cast serious doubts that Zoom was still — or perhaps ever had been — HIPAA compliant:
“There are now serious concerns about the security of Zoom. This creates doubts about using Zoom for communicating medical information, which needs to be fully protected under HIPAA. Zoom has publicly committed to upgrading its security and fixing all security problems. Until the security issues with Zoom are resolved, alternative telemedicine solutions should be used.”
In April 2020, security concerns began to mount, as "Zoombombing" takeovers showed the commercial video conferencing solution had serious flaws. While many of these issues have been corrected, they cast doubt on the provider’s ability to keep PHI data safe.
Netsec News said, “Taken in isolation, each issue is worrying, but together they add up to a privacy and security disaster. Security researchers have called the platform ‘fundamentally corrupt,’ with others going further and claiming Zoom is ‘essentially malware.’”
Selecting a HIPAA Compliant Telemedicine Provider
Healthcare organizations must lessen their risk by taking steps to ensure the security of their patients' digital health information. This includes avoiding commercial video conferencing solutions that are simply not appropriate for a healthcare encounter.
The best HIPAA compliant video conferencing should be a direct-to-patient tool that is simple to use on any digital device. MegaMeeting allows healthcare providers to communicate directly with patients safely and securely on an "end-to-end" encrypted platform with message authentication that is fully HIPAA compliant. Commercial video conferencing services do not allow the kind of end-user administrative controls that ensure the security of PHI. MegaMeeting is a 100% browser-based, full-service HIPAA compliant video conferencing solution that can be fully branded (white labeled) for a healthcare practice.
HIPAA was designed to reduce healthcare fraud and abuse and set industry-level standards for the digital transmission of patient data. We believe HIPAA was important legislation and is still necessary today to protect the data integrity of the patients we serve. Contact MegaMeeting for a secure, HIPAA compliant solution for your patients.
MegaMeeting solves the biggest challenges of modern video conferencing. For users, it is an all-in-one platform that delivers both video conferencing and webinars in a single, simplified interface. For attendees, it is 100% browser-based, making it highly accessible; joining a meeting is instantaneous from a single click. For enterprises, it is highly customizable, with white-labeling options for a private branded solution. For developers, it is API-driven and easy to integrate.
Powered by WebRTC, Node.js, React, and GraphQL, it is a cutting-edge platform that is fun and easy to use for users and developers alike.