
5 min read

What it Means for a Video Platform to be HIPAA Compliant?

By Shahan Zafar
A doctor using a video platform

With businesses going virtual after the COVID-19 pandemic, there has been an explosion in video data, such as recorded Zoom meetings, training videos for virtual on-boarding etc. Within the healthcare sector, a lot of these videos include sensitive patient data and the risk of breaching compliance is greater than ever. Therefore, to keep patient data secure and reduce the risk of a data breach, you need a HIPAA compliant video platform.

If you are a healthcare provider, insurance provider or any organization that handles protected health information, then it is mandatory for you to comply with the Health Insurance Portability and Accountability Act (HIPAA) in the US. There has been a temporary notification regarding HIPAA enforcement during the nationwide public health emergency due to COVID-19, under which healthcare providers may be exempted under certain circumstances. However, this doesn’t mean that the protection of sensitive patient data can purposefully be neglected.

Ignorance of HIPAA rules is no excuse for not complying with HIPAA regulations, and this applies to video platforms as well. Based on our research and expertise in compliant video platforms, we have prepared this guide to help ease the process and to better educate you regarding HIPAA when it comes to video data. 

In this blog, we will discuss what HIPAA is and more importantly, how it applies to video. We then discuss what security and data privacy features you should look for when it comes to evaluating a video platform to ensure it complies with the HIPAA regulations. 


HIPAA Compliant Video Platform Infographic

What is the Health Insurance Portability and Accountability Act (HIPAA)? 

The Health Insurance Portability and Accountability Act was formulated in 1996 by the US Department of Health and Human Services (HHS). It is a national standard to protect patient health information and safeguard it from being disclosed without the patients' consent.  

There have been a few major updates to the HIPAA law as technology has progressed and the way patient data is handled has changed. One of these has been the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was introduced in light of new developments in information technology and the increased use of Electronic Health Record (EHR) systems.

The HIPAA law and its amendments generally cover 5 rules: 

  • HIPAA Security Rule: These are a set of standards applied on 3 levels: technical safeguards (IT systems), administrative safeguards, and physical safeguards. This rule requires handlers of sensitive data to ensure security in terms of access, processing and storage, both at rest and in transit.
  • HIPAA Privacy Rule: This rule addresses the different instances when patient health information can be used and how it can be used. For instance, it includes standards such as obtaining patient consent and standards for the patient’s right to obtain their data from the healthcare provider on request. 
  • HIPAA Breach Notification Rule: This rule lays down the requirement to notify patients in the event of a breach of their data. It includes notifying concerned parties about what data was leaked, to whom, and how risks are being mitigated.   
  • HIPAA Omnibus Rule: This was an amendment to cover areas not addressed by the initial HIPAA rule. It updated definitions, procedures, and policies. It also introduced rules for business associates that have access to ePHI. 
  • HIPAA Enforcement Rule: This rule is concerned with the penalties and fines that are to be imposed on healthcare providers and concerned bodies for breaching HIPAA.  

How Does HIPAA Apply to Video? 

Under HIPAA, data collected on patients is considered to be Protected Health Information (PHI), and in electronic form it is known as ePHI. Examples include their name, place of birth, social security number, photos, and even their medical history.

Videos filmed of patients, or even recorded online meetings (Zoom, MS Teams etc.) with patients, are considered to be ePHI. This is because these videos contain a lot of personally identifiable information such as their faces, names, medical history etc. Videos with such information redacted are not considered ePHI.

Recorded Zoom/MS Teams Meetings Fall Under HIPAA

What is a HIPAA Compliant Video Platform? 

As mentioned previously, the HIPAA Security Rule applies on three levels for the healthcare provider: 

  • Technical Safeguards: This concerns the technology that is being used to access, store and process the sensitive data (video platforms fall here). 
  • Physical Safeguards: This concerns the physical infrastructure and policies where such data exists. This involves safeguards at the datacenter where sensitive data is stored. It also includes safeguards at the place of access such as the policies for using workstations on the healthcare provider’s premise.  
  • Administrative Safeguards: This involves having the right administrative actions to enforce the previous two safeguards. For instance, conducting audits, risk assessments and training your workforce. 

When we talk about having a HIPAA compliant video platform, we are looking at the first of the three safeguards – technical safeguards. This is because any video platform (be it YouTube, Vimeo, VIDIZMO) is an IT system and should be evaluated to ensure utmost security and compliance. Even if you have physical and administrative safeguards in place, having a weak IT system can leave you potentially open to cyberattacks.  

The HIPAA rule requires IT systems to have security features that comply with NIST standards. This means that data should be encrypted both at rest and in transit. Such encryption renders data unusable to any intercepting attacker by converting it into an unreadable form (ciphertext). The encryption applied to video data can’t just be any encryption; it should comply with the FIPS 140-2 encryption standards.

We have prepared a table of what is required by HIPAA when it comes to a video platform, and how a compliant video platform would address them.  

For each HIPAA requirement below, we list the feature to look for in a video platform that would address it.
Means of Access Control 

  • SSO Integration: An important thing here to look for is a centrally controlled unique username and password for every user of the video platform. This means that it’s highly important for the platform to be able to integrate with your organization’s SSO and be in sync with it.  
  • Define Permissions and Access: You want to make sure that only those who are authorized to access content are able to access it. You don’t want one doctor to be able to access the data of a patient of another doctor. You should also be able to define permissions and restrict use after access. For instance, you don’t want doctors to be able to download patient data and then share it onward. This is required under clause 164.312(a)(1).

 

Mechanisms to Authenticate ePHI 

  • Tamper Detection: You should be able to verify at any point whether a video file is the same as it was when uploaded or whether it has been altered. The video platform should have hashing mechanisms in place to ensure no changes have been made by unauthorized parties. This is required under clause 164.312(c)(2).
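As an added example (not VIDIZMO's code or any platform's implementation), the following Go program shows one way to implement the hash-based tamper detection described above. A SHA-256 digest is taken at upload time, and the manifest entry holding that digest is itself keyed with an HMAC whose key lives outside the storage tier; without that, anyone who can rewrite files in storage can also rewrite the stored hash. The names Seal, Verify and IntegrityRecord are this example's own, and the key and sample bytes are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// IntegrityRecord is the manifest entry written when an upload completes.
// ContentHash identifies the bytes that were uploaded; Tag binds that hash and
// the video ID to a server-side key kept apart from storage, so a party who can
// rewrite stored files cannot simply recompute the hash alongside the new content.
type IntegrityRecord struct {
	VideoID     string
	ContentHash string // hex SHA-256 of the uploaded bytes
	Tag         string // hex HMAC-SHA256(key, VideoID || 0x00 || ContentHash)
}

func contentHash(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

func recordTag(key []byte, videoID, hash string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(videoID))
	mac.Write([]byte{0}) // separator so "a"+"bc" and "ab"+"c" cannot collide
	mac.Write([]byte(hash))
	return hex.EncodeToString(mac.Sum(nil))
}

// Seal is called once, when the upload finishes, and the record is persisted.
func Seal(key []byte, videoID string, data []byte) IntegrityRecord {
	h := contentHash(data)
	return IntegrityRecord{VideoID: videoID, ContentHash: h, Tag: recordTag(key, videoID, h)}
}

// Verify re-hashes the stored bytes and checks both the manifest tag and the
// content hash, using constant-time comparison. It returns false if either the
// file or the manifest entry was altered by someone without the key.
func Verify(key []byte, rec IntegrityRecord, data []byte) bool {
	expectedTag := recordTag(key, rec.VideoID, rec.ContentHash)
	if !hmac.Equal([]byte(expectedTag), []byte(rec.Tag)) {
		return false // manifest entry forged or corrupted
	}
	return hmac.Equal([]byte(contentHash(data)), []byte(rec.ContentHash))
}

func main() {
	key := []byte("demo-key-kept-in-a-separate-secret-store") // constructed; not a real key
	video := []byte("constructed sample video bytes")         // stands in for an MP4 file
	rec := Seal(key, "visit-0042", video)
	fmt.Println("original verifies:", Verify(key, rec, video)) // true

	tampered := append([]byte{}, video...)
	tampered[0] ^= 0xFF
	fmt.Println("tampered verifies:", Verify(key, rec, tampered)) // false

	// Rewriting both the file and the stored hash, without the key, still fails
	// because the tag no longer matches the rewritten hash.
	forged := rec
	forged.ContentHash = contentHash(tampered)
	fmt.Println("forged manifest verifies:", Verify(key, forged, tampered)) // false
}
```

The check is only as trustworthy as the place the reference hash is kept; keying the record is what separates the integrity check from the storage tier it protects. A platform would run Verify on every playback request or on a scheduled sweep and raise an alert, not just a log line, on failure.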

 

Encryption and Decryption 

  • FIPS Compliant End-to-end Encryption: You want to make sure from video upload, to storage, to use, videos are encrypted at all stages and can only be decrypted by the video player at the end. You also want to make sure that the platform uses FIPS (as recommended by NIST) compliant encryption techniques (e.g., AES) and not just any proprietary encryption standard.  

 

Activity logs and Audit Controls 

  • Audit Logs for System: The video platform should be able to provide a list of all actions performed on the platform, where it reports what content was accessed, when it was accessed, from where, how, and what was done once accessed.  
  • Activity Logs for Each Video: The video platform should be able to provide a chronological history of all actions performed on a specific video; who viewed it, when, and what they did after accessing it.

Login Timeout 

  • Custom Login Timeout: The system should automatically log out an inactive user after a certain time period, which can be custom set by the admin. The window should usually be very narrow; about 15 to 30 seconds.
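As an added example (not VIDIZMO's code or any platform's implementation), the following Go program ties together three checklist items above: per-video permissions with view and download kept separate, a platform-wide audit log plus a per-video activity history, and an admin-configurable idle timeout. Every access attempt passes through one Request function that enforces the timeout, then the permission, and records the outcome either way, which is what makes the log useful for a breach investigation. The type and function names, the IdleTimeout setting, the user and video IDs, and the timestamps are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

type Action string

const (
	ActLogin    Action = "login"
	ActView     Action = "view"
	ActDownload Action = "download"
	ActLogout   Action = "logout" // also recorded when a session ends by idle timeout
)

// AuditEvent is one entry in the platform-wide log: who, what, when, from
// where, and whether the attempt was allowed.
type AuditEvent struct {
	At       time.Time
	User     string
	Action   Action
	VideoID  string
	SourceIP string
	Allowed  bool
	Reason   string
}

// grant lists which actions one user may perform on one video. Download is a
// separate permission from view, so a viewer cannot take a copy to share onward.
type grant struct {
	user, videoID string
	actions       map[Action]bool
}

type session struct {
	user, sourceIP string
	lastActivity   time.Time
}

type Platform struct {
	IdleTimeout time.Duration       // admin-configurable inactivity window (assumed setting)
	grants      []grant
	sessions    map[string]*session // keyed by session token
	log         []AuditEvent        // append-only, chronological
}

func NewPlatform(idle time.Duration) *Platform {
	return &Platform{IdleTimeout: idle, sessions: map[string]*session{}}
}

func (p *Platform) AddGrant(user, videoID string, actions ...Action) {
	g := grant{user: user, videoID: videoID, actions: map[Action]bool{}}
	for _, a := range actions {
		g.actions[a] = true
	}
	p.grants = append(p.grants, g)
}

func (p *Platform) Login(token, user, ip string, now time.Time) {
	p.sessions[token] = &session{user: user, sourceIP: ip, lastActivity: now}
	p.log = append(p.log, AuditEvent{At: now, User: user, Action: ActLogin, SourceIP: ip, Allowed: true, Reason: "sso"})
}

func (p *Platform) permitted(user, videoID string, act Action) bool {
	for _, g := range p.grants {
		if g.user == user && g.videoID == videoID && g.actions[act] {
			return true
		}
	}
	return false
}

// Request is the single choke point for content access: idle timeout first,
// then the per-video permission, and every attempt is logged either way.
func (p *Platform) Request(token string, act Action, videoID string, now time.Time) error {
	s, ok := p.sessions[token]
	if !ok {
		return errors.New("no such session")
	}
	if now.Sub(s.lastActivity) > p.IdleTimeout {
		delete(p.sessions, token)
		p.log = append(p.log, AuditEvent{At: now, User: s.user, Action: ActLogout, SourceIP: s.sourceIP, Allowed: true, Reason: "idle timeout"})
		return errors.New("session expired: idle timeout")
	}
	s.lastActivity = now
	allowed := p.permitted(s.user, videoID, act)
	reason := "granted"
	if !allowed {
		reason = "no grant for this user/video/action"
	}
	p.log = append(p.log, AuditEvent{At: now, User: s.user, Action: act, VideoID: videoID, SourceIP: s.sourceIP, Allowed: allowed, Reason: reason})
	if !allowed {
		return errors.New("forbidden: " + reason)
	}
	return nil
}

// VideoHistory is the per-video activity log: who touched this video, when,
// and what they did or were refused.
func (p *Platform) VideoHistory(videoID string) []AuditEvent {
	var out []AuditEvent
	for _, e := range p.log {
		if e.VideoID == videoID {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed clock
	p := NewPlatform(30 * time.Second)               // the post's suggested window; an admin would set this
	p.AddGrant("dr.lee", "visit-0042", ActView)       // view only, no download
	p.Login("tokA", "dr.lee", "10.0.0.5", t0)
	fmt.Println(p.Request("tokA", ActView, "visit-0042", t0.Add(5*time.Second)))     // <nil>
	fmt.Println(p.Request("tokA", ActDownload, "visit-0042", t0.Add(6*time.Second))) // forbidden
	fmt.Println(p.Request("tokA", ActView, "visit-0099", t0.Add(7*time.Second)))     // forbidden: another doctor's patient
	fmt.Println(p.Request("tokA", ActView, "visit-0042", t0.Add(60*time.Second)))    // session expired
	for _, e := range p.VideoHistory("visit-0042") {
		fmt.Printf("%s %s %s allowed=%v (%s)\n", e.At.Format(time.RFC3339), e.User, e.Action, e.Allowed, e.Reason)
	}
}
```

Denied attempts are logged as well as successful ones; a run of "forbidden" entries from one account is exactly the signal an audit control is meant to surface. In a real deployment the log would be written to append-only storage outside the application's own database so that an attacker who compromises the platform cannot also edit its history.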

 

This checklist was developed by consulting the HIPAA Journal Compliance List and the Summary of the HIPAA Security Rule as Provided by the U.S. Department of Health and Human Services.  


Another important aspect to evaluate in a platform is data storage at rest. This is usually at a datacenter of the platform provider or at datacenters of a cloud provider such as Azure, AWS, Google etc. It's important to use a video platform that allows you to choose your datacenter, and to choose one that is HIPAA compliant, such as Azure or AWS.

VIDIZMO – HIPAA Compliant Video Platform 

If you are looking for a video platform that adheres to HIPAA standards, then VIDIZMO EnterpriseTube is one such platform. EnterpriseTube is an enterprise video platform that allows you to manage and stream your healthcare videos with features such as AI, auto-ingestion of recorded Zoom or MS Teams meetings, detailed content categorization, sharing and access management features.

A screenshot of VIDIZMO EnterpriseTube

VIDIZMO addresses security measures at storage by allowing you to store data in Azure or AWS’s HIPAA-compliant datacenters. The VIDIZMO application has all of the features mentioned above: 

  • SSO Integration (25+ Types of SSO Providers). 
  • Detailed Access Controls and Permissions.
  • Tamper Detection Checks.
  • FIPS Compliant End-to-end Encryption.
  • Audit Logs for System and Individual Files. 
  • Custom Login Timeout.
  • Custom Security Policies (For Instance, You Can Restrict External Sharing for the Entire Organization).
  • Store data in your Azure or AWS cloud datacenter - both of which are HIPAA Compliant.
  • AI-assisted redaction of PII in audio and video files.

Automated Redaction of PHI in Videos


HIPAA compliance is one aspect of evaluating a video platform; there are others, such as security, AI and integrations. We have prepared a detailed guide on online video platforms that we’d recommend going through.

Tags: Video Platform Compliance
