HIPAA and Vidyo’s Cloud Services for Healthcare Customers
The Health Insurance Portability and Accountability Act (HIPAA) provides standards to protect the confidentiality, integrity and availability of protected health information (PHI), including electronic protected health information (ePHI). HIPAA provides guidance for an acceptable level of protection for ePHI while giving healthcare providers access to information necessary to perform their daily business functions.
There are many considerations that a healthcare provider, or other Covered Entity (as defined in HIPAA), must meet in order to satisfy HIPAA guidelines. The Vidyo Healthcare Cloud offerings, including VidyoCloud and Vidyo.io for healthcare, have been designed such that healthcare providers and other Covered Entities may use our services for video communication in a manner that is consistent with their HIPAA obligations.
Vidyo does not store or access PHI of users of our Healthcare cloud services. However, recognizing the compliance needs of Covered Entities, Vidyo will sign HIPAA-compliant Business Associate Agreements for our Healthcare cloud offering customers.
Vidyo’s Cloud-Based Video Communications Services:
There are two main rules under HIPAA relating to ePHI – the Privacy Rule and the Security Rule. The Privacy Rule establishes national standards for the protection of PHI. The Security Rule requires Covered Entities and Business Associates to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI.
With HIPAA in mind, Vidyo’s Healthcare Cloud offerings offer encryption that is designed to protect the video streams during transmission to ensure that no unauthorized parties could access a video conference while in session. Further, our cloud offerings for our healthcare customers do not include the ability for either the customer or Vidyo to record the videoconferencing sessions in the Vidyo Healthcare Cloud (recording functionality is available to customers who wish to manage the recordings themselves, including complying with all HIPAA requirements). Vidyo does not store or access any PHI while providing our healthcare cloud services offerings, but rather facilitates transmission of communications over encrypted channels.
Safeguards to Enable Communications
Vidyo Healthcare Cloud services employ the following additional safeguards to help Covered Entities meet applicable HIPAA technical standards:
Access Controls, Authentication and Security
The following controls are present in VidyoCloud and can be implemented by the Customer’s developers in Vidyo.io
- All registered users in the Vidyo system (who should only be authorized employees or other representatives of the Covered Entity and not patients) have a unique username and extension and must authenticate with a password in order to schedule and join calls.All meetings may be terminated by the meeting owner, a designated moderator, or a system administrator.
- Administrator access is terminated after 15 minutes of inactivity.
- In addition, Vidyo provides several features to help customers restrict access to the call rooms:
- Limited-time availability meetings with unique keys may be generated.
- Meetings may be configured to put participants into a waiting room until the owner has joined.
- Meetings may also be protected with PIN codes.
- Meetings in progress may be locked to prevent additional participants from joining.
Audit Controls – monitoring systems activity
- Failed authentication attempts to the system are recorded and monitored for signs of attempted unauthorized access.
- Configuration changes to Vidyo’s cloud systems are monitored and recorded to minimize the risk that unauthorized changes are made to the environment.
Transmission Security – integrity controls and encryption
- Utilizing industry standard and proven technologies, Vidyo employs a variety of security measures at both the application level and the network level.
- At the application level, Vidyo Healthcare Cloud meets enterprise security standards with the use of TLS, SRTP, H.235 (where interoperability with legacy videoconferencing is supported), and AES 128-bit encryption for signaling and media.
- At the network level, our hosting facilities are SOC 2 compliant, with 24/7 protection to meet regulatory and best practice requirements.
- Firewalls are regularly assessed, configured, and updated to remain effective against intrusion.
- Leading edge filtering and advanced routing techniques help protect against Distributed Denial of Service (DDoS) attacks.
Compliance with all aspects of HIPAA is ultimately the responsibility of the Covered Entity. Vidyo partners with our healthcare customers to help them implement our solutions in a manner that will assist Covered Entities in meeting their compliance obligations, including by applying industry standard encryption to the communications channels among endpoint clients and Vidyo infrastructure. Vidyo does not store or access Protected Health Information for a Covered Entity. These aspects, together with the power and flexibility of Vidyo’s APIs, will allow healthcare customers to implement Vidyo’s best-of-breed video communications offerings in a HIPAA-compliant manner.