Educause Security Discussion mailing list archives
Re: HIPAA / HITECH Compliant Video Conferencing Solution
From: "Lazarus, Carolann" <lazarus () BUFFALO EDU>
Date: Mon, 25 Apr 2016 16:31:46 +0000
Our HIPAA Officer sent this addition.... Sound advice. I would nuance 3b) a bit. A BA is needed if a service is being provided that uses, discloses, or maintains PHI. If the only access the vendor has to the data is while it is in motion, and that's encrypted so the vendor can't access it, then a BA wouldn't be required. If, however, the vendor comes on site to maintain the equipment, and the equipment has PHI on it, the BA would again be needed. Also, if the vendor isn't doing anything different than what an ISP does (transiting the data), then I think the conduit can apply because, in fact, they're just acting like an ISP. HIPAA gives examples for the conduit exception, but doesn't say the exception is limited to those examples. This is an area where lawyers go yes or no.

Carolann G Lazarus, CISA, CCEP
Internal Audit
University @ Buffalo, SUNY
716-829-6947
lazarus () buffalo edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff Choo
Sent: Monday, April 25, 2016 10:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HIPAA / HITECH Compliant Video Conferencing Solution

Much appreciated for sharing! This answered a few questions on my end as well.

Thanks,
Jeff Choo
Director, Information Technology
Information Security Officer
William James College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anurag Shankar
Sent: Monday, April 25, 2016 9:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HIPAA / HITECH Compliant Video Conferencing Solution

Chris,

We looked into this last year. While I do not have a specific recommendation, here is what we found.

1. There is no such thing as HIPAA compliant video conferencing. An IT product by itself cannot be HIPAA compliant. Vendors who claim so are woefully ignorant of the HIPAA Security Rule. It is the covered entity (CE) who must make the product-mediated workflow compliant by managing risk appropriately.

2. The CE must do due diligence to ensure that the vendor can keep its PHI secure. This means having a HIPAA BAA with the video conferencing vendor if they have access to the data while in transit or at rest, e.g. if video, audio, and/or chats are being stored. This will always be the case unless you have your own, local instance untouched by the vendor.

3. There are cloud video conferencing vendors who claim they don't need to sign a BAA because (a) they never look at the data as it flows through their system, or (b) they encrypt data in transit. Neither is acceptable because (a) is claiming (incorrectly) the conduit exception, which applies only to an ISP, UPS, or USPS, and (b) is not enough, especially if the data is stored unencrypted at rest or, if encrypted, the encryption key is stored separately.

4. If you have a BAA with the vendor and if they have the requisite controls in place, you must supplement them with documented local controls to mitigate risk at your end, e.g. physically securing a remote session, etc.

Regards,
Anurag

----
Anurag Shankar, Email: ashankar [at] iu.edu, Phone: +1 (812) 856-6978
Center for Applied Cybersecurity Research, Pervasive Technology Institute, Indiana University
2719 E. 10th Street, Suite 231, Bloomington, IN 47408

This message may contain confidential information intended only for the individual named. If you received this message by mistake, please let the sender know by e-mail reply and delete it from your system. If you are not the intended recipient you are hereby notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.