Educause Security Discussion mailing list archives

Re: HIPAA / HITECH Compliant Video Conferencing Solution


From: Jeff Choo <jeff_choo () WILLIAMJAMES EDU>
Date: Mon, 25 Apr 2016 14:09:29 +0000

Much appreciated for sharing!  This answered a few questions on my end as well.

Thanks,


Jeff Choo
Director, Information Technology
Information Security Officer
William James College


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anurag Shankar
Sent: Monday, April 25, 2016 9:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HIPAA / HITECH Compliant Video Conferencing Solution

Chris,

We looked into this last year. While I do not have a specific recommendation, here is what we found.

1. There is no such thing as HIPAA compliant video conferencing. An IT product by itself cannot be HIPAA compliant. Vendors who claim so are woefully ignorant of the HIPAA Security Rule. It is the covered entity (CE) who must make the product-mediated workflow compliant by managing risk appropriately.

2. The CE must do due diligence to ensure that the vendor can keep its PHI secure. This means having a HIPAA BAA with the video conferencing vendor if they have access to the data while in transit or at rest, e.g. if video, audio, and/or chats are being stored. This will always be the case unless you have your own, local instance untouched by the vendor.

3. There are cloud video conferencing vendors who claim they don’t need to sign a BAA because (a) they never look at the data as it flows through their system, or (b) they encrypt data in transit. Neither is acceptable because (a) is claiming (incorrectly) the conduit exception which applies only to an ISP, UPS, or USPS, and (b) is not enough, especially if the data is stored unencrypted at rest or, if encrypted, the encryption key is stored separately.

4. If you have a BAA with the vendor and if they have the requisite controls in place, you must supplement them with documented local controls to mitigate risk at your end, e.g. physically securing a remote session, etc.

Regards,

Anurag

----
Anurag Shankar, Email: ashankar [at] iu.edu, Phone: +1 (812) 856-6978
Center for Applied Cybersecurity Research, Pervasive Technology Institute, Indiana University
2719 E. 10th Street, Suite 231, Bloomington, IN 47408
This message may contain confidential information intended only for the individual named. If you received this message by mistake, please let the sender know by e-mail reply and delete it from your system. If you are not the intended recipient you are hereby notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
