Educause Security Discussion mailing list archives

Re: HIPAA / HITECH Compliant Video Conferencing Solution


From: "Lazarus, Carolann" <lazarus () BUFFALO EDU>
Date: Mon, 25 Apr 2016 16:31:46 +0000

Our HIPAA Officer sent this addition...

Sound advice.

I would nuance 3b) a bit.

A BA is needed if a service is being provided that uses, discloses, or maintains PHI.

If the only access the vendor has to the data is while it is in motion, and that's encrypted so the vendor can't access it, then a BA wouldn't be required.

If, however, the vendor comes on site to maintain the equipment, and the equipment has PHI on it, the BA would again be needed.

Also, if the vendor isn't doing anything different than what an ISP does (transiting the data), then I think the conduit can apply because, in fact, they're just acting like an ISP. HIPAA gives examples for the conduit exception, but doesn't say the exception is limited to those examples. This is an area where lawyers go yes or no.

Carolann G Lazarus, CISA, CCEP
Internal Audit
University @ Buffalo, SUNY
716-829-6947
lazarus () buffalo edu 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff Choo
Sent: Monday, April 25, 2016 10:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HIPAA / HITECH Compliant Video Conferencing Solution

Much appreciated for sharing!  This answered a few questions on my end as well.

Thanks,


Jeff Choo
Director, Information Technology
Information Security Officer
William James College


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anurag Shankar
Sent: Monday, April 25, 2016 9:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HIPAA / HITECH Compliant Video Conferencing Solution

Chris,

We looked into this last year. While I do not have a specific recommendation, here is what we found.

1.  There is no such thing as HIPAA compliant video conferencing. An IT product by itself cannot be HIPAA compliant. Vendors who claim so are woefully ignorant of the HIPAA Security Rule. It is the covered entity (CE) who must make the product-mediated workflow compliant by managing risk appropriately.

2.  The CE must do due diligence to ensure that the vendor can keep its PHI secure. This means having a HIPAA BAA with the video conferencing vendor if they have access to the data while in transit or at rest, e.g. if video, audio, and/or chats are being stored. This will always be the case unless you have your own, local instance untouched by the vendor.

3.  There are cloud video conferencing vendors who claim they don't need to sign a BAA because (a) they never look at the data as it flows through their system, or (b) they encrypt data in transit. Neither is acceptable because (a) is claiming (incorrectly) the conduit exception which applies only to an ISP, UPS, or USPS, and (b) is not enough, especially if the data is stored unencrypted at rest or, if encrypted, the encryption key is stored separately.

4.  If you have a BAA with the vendor and if they have the requisite controls in place, you must supplement them with documented local controls to mitigate risk at your end, e.g. physically securing a remote session, etc.

Regards,

Anurag

----
Anurag Shankar
Email: ashankar [at] iu.edu, Phone: +1 (812) 856-6978
Center for Applied Cybersecurity Research, Pervasive Technology Institute, Indiana University
2719 E. 10th Street, Suite 231, Bloomington, IN 47408
