Educause Security Discussion mailing list archives

Re: HIPAA / HITECH Compliant Video Conferencing Solution


From: Anurag Shankar <ashankar () INDIANA EDU>
Date: Mon, 25 Apr 2016 07:55:12 -0600

Chris,

We looked into this last year.  While I do not have a specific recommendation, here is what we found.

1.  There is no such thing as HIPAA compliant video conferencing.  An IT product by itself cannot be HIPAA compliant.
Vendors who claim so are woefully ignorant of the HIPAA Security Rule.  It is the covered entity (CE) who must make the
product-mediated workflow compliant by managing risk appropriately.

2.  The CE must do due diligence to ensure that the vendor can keep its PHI secure.  This means having a HIPAA BAA with 
the video conferencing vendor if they have access to the data while in transit or at rest, e.g. if video, audio, and/or 
chats are being stored.  This will always be the case unless you have your own, local instance untouched by the vendor.

3.  There are cloud video conferencing vendors who claim they don’t need to sign a BAA because (a) they never look at 
the data as it flows through their system, or (b) they encrypt data in transit.  Neither is acceptable because (a) is 
claiming (incorrectly) the conduit exception which applies only to an ISP, UPS, or USPS, and (b) is not enough, 
especially if the data is stored unencrypted at rest or, if encrypted, the encryption key is stored separately.

4.  If you have a BAA with the vendor and if they have the requisite controls in place, you must supplement them with 
documented local controls to mitigate risk at your end, e.g. physically securing a remote session, etc.

Regards,

Anurag

----
Anurag Shankar,  Email: ashankar [at] iu.edu,  Phone: +1 (812) 856-6978
Center for Applied Cybersecurity Research, Pervasive Technology Institute, Indiana University
2719 E. 10th Street, Suite 231, Bloomington, IN 47408
