HIPAA and HIPAA Compliant Telehealth Services for Healthcare Customers
The Health Insurance Portability and Accountability Act (HIPAA) provides standards to protect the confidentiality, integrity and availability of protected health information (PHI), including electronic protected health information (ePHI). HIPAA provides guidance for an acceptable level of protection for ePHI while giving healthcare providers access to information necessary to perform their daily business functions.
There are many considerations that a healthcare provider, or other Covered Entity (as defined in HIPAA), must meet in order to satisfy HIPAA guidelines. The HIPAA compliant telehealth platforms, including VidyoCloud and Vidyo.io for healthcare, have been designed such that healthcare providers and other Covered Entities may use our services for video communication in a manner that is consistent with their HIPAA obligations.
VidyoHealth does not store or access PHI of users of our Healthcare cloud services. However, recognizing the compliance needs of Covered Entities, VidyoHealth will sign HIPAA-compliant Business Associate Agreements for our Healthcare cloud offering customers.
VidyoHealth’s HIPAA Compliant Video Conferencing Services
There are two main rules under HIPAA relating to ePHI – the Privacy Rule and the Security Rule. The Privacy Rule establishes national standards for the protection of PHI. The Security Rule requires Covered Entities and Business Associates to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI.
With HIPAA in mind, VidyoHealth’s HIPAA compliant telehealth platform offers encryption that is designed to protect the video streams during transmission so that unauthorized parties cannot access a video conference while it is in session. Further, our cloud offerings for our healthcare customers do not include the ability for either the customer or VidyoHealth to record the videoconferencing sessions in the Vidyo Healthcare Cloud (recording functionality is available to customers who wish to manage the recordings themselves, including complying with all HIPAA requirements). VidyoHealth does not store or access any PHI while providing our healthcare cloud services offerings, but rather facilitates transmission of communications over encrypted channels.
Safeguards to Enable Communications
Vidyo Healthcare Cloud services employ the following additional safeguards to help Covered Entities meet applicable HIPAA technical standards:
Access Controls, Authentication and Security
The following controls are present in VidyoCloud and can be implemented by the Customer’s developers in Vidyo.io.
- All registered users in the VidyoHealth system (who should only be authorized employees or other representatives of the Covered Entity and not patients) have a unique username and extension and must authenticate with a password in order to schedule and join calls.
- All meetings may be terminated by the meeting owner, a designated moderator, or a system administrator.
- Administrator access is terminated after 15 minutes of inactivity.
- In addition, VidyoHealth provides several features to help customers restrict access to the call rooms:
  - Limited-time availability meetings with unique keys may be generated.
  - Meetings may be configured to put participants into a waiting room until the owner has joined.
  - Meetings may also be protected with PIN codes.
  - Meetings in progress may be locked to prevent additional participants from joining.
Audit Controls – monitoring systems activity
- Failed authentication attempts to the system are recorded and monitored for signs of attempted unauthorized access.
- Configuration changes to VidyoHealth’s cloud systems are monitored and recorded to minimize the risk that unauthorized changes are made to the environment.
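As an added example that is not part of this page or of VidyoHealth’s own tooling, the following Python sketches the kind of monitoring the Audit Controls bullets describe. It parses constructed audit log lines (the line format, the failure threshold and the time window are all assumptions made for the example), raises one alert per user/source pair whose failed logins cluster inside a sliding window, and separately flags a successful login that follows a run of failures, a pattern a reviewer would normally want to look at first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not real VidyoHealth output). The line format
# "<ISO timestamp> <AUTH_OK|AUTH_FAIL> user=<name> ip=<addr>" is an assumption
# made for this example.
SAMPLE_LOG = """\
2024-01-10T09:00:01 AUTH_FAIL user=dr.lee ip=203.0.113.5
2024-01-10T09:00:04 AUTH_FAIL user=dr.lee ip=203.0.113.5
2024-01-10T09:00:09 AUTH_FAIL user=dr.lee ip=203.0.113.5
2024-01-10T09:00:12 AUTH_FAIL user=dr.lee ip=203.0.113.5
2024-01-10T09:00:15 AUTH_FAIL user=dr.lee ip=203.0.113.5
2024-01-10T09:01:00 AUTH_OK user=dr.lee ip=203.0.113.5
2024-01-10T09:05:00 AUTH_FAIL user=nurse.kim ip=198.51.100.7
2024-01-10T09:30:00 AUTH_FAIL user=nurse.kim ip=198.51.100.7
2024-01-10T10:00:00 AUTH_OK user=nurse.kim ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>AUTH_OK|AUTH_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: ignore it rather than crash the monitor
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "AUTH_OK",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_failure_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per (user, ip) whose failures reach `threshold`
    inside any sliding `window`. Each alert is (user, ip, count, first, last)."""
    recent = defaultdict(deque)  # (user, ip) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ok"]:
            continue
        key = (ev["user"], ev["ip"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)  # alert once per burst, not on every extra failure
            alerts.append((key[0], key[1], len(q), q[0], q[-1]))
    return alerts


def detect_success_after_failures(events, min_failures=3, window=timedelta(minutes=5)):
    """Return (user, ip, failures) for each successful login preceded by at
    least `min_failures` failures from the same (user, ip) inside `window`;
    this is worth reviewing because it may indicate a guessed password."""
    fails = defaultdict(deque)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        q = fails[key]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["ok"]:
            if len(q) >= min_failures:
                findings.append((key[0], key[1], len(q)))
            q.clear()  # a success ends the run of failures
        else:
            q.append(ev["ts"])
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_failure_bursts(evs):
        print("failure burst:", a)
    for f in detect_success_after_failures(evs):
        print("success after failures:", f)
```

On the constructed log, `dr.lee` from 203.0.113.5 trips both detectors (five failures in fourteen seconds, then a success), while `nurse.kim`’s two failures twenty-five minutes apart trip neither; the thresholds and windows are starting points to tune against the real login volume of the deployment.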
Transmission Security – integrity controls and encryption
- Utilizing industry standard and proven technologies, VidyoHealth employs a variety of security measures at both the application level and the network level.
- At the application level, Vidyo Healthcare Cloud meets enterprise security standards with the use of TLS, SRTP, H.235 (where interoperability with legacy videoconferencing is supported), and AES 128-bit encryption for signaling and media.
- At the network level, our hosting facilities are SOC 2 compliant, with 24/7 protection to meet regulatory and best practice requirements.
- Firewalls are regularly assessed, configured, and updated to remain effective against intrusion.
- Leading edge filtering and advanced routing techniques help protect against Distributed Denial of Service (DDoS) attacks.
Compliance with all aspects of HIPAA is ultimately the responsibility of the Covered Entity. VidyoHealth partners with our healthcare customers to help them implement our HIPAA compliant telehealth solutions in a manner that will assist Covered Entities in meeting their compliance obligations, including by applying industry standard encryption to the communications channels among endpoint clients and VidyoHealth infrastructure. VidyoHealth does not store or access Protected Health Information for a Covered Entity. These aspects, together with the power and flexibility of VidyoHealth’s APIs, will allow healthcare customers to implement VidyoHealth’s best-of-breed video communications offerings in a HIPAA-compliant manner.