With businesses going virtual after the COVID-19 pandemic, there has been an explosion in video data, such as recorded Zoom meetings, training videos for virtual on-boarding etc. Within the healthcare sector, a lot of these videos include sensitive patient data and the risk of breaching compliance is greater than ever. Therefore, to keep patient data secure and reduce the risk of a data breach, you need a HIPAA compliant video platform.
If you are a healthcare provider, insurance provider or any organization that handles protected health information, then it mandatory for you to comply with the Health Insurance Portability and Accountability Act (HIPAA) in the US. There has been a temporary notification by HIPAA on the nationwide public health emergency due to COVID-19, and under this notification healthcare providers may be exempted under certain circumstances. However, this doesn’t mean that the protection of sensitive patient data can purposefully be neglected.
Ignorance of HIPAA rules is no excuse for not complying with HIPAA regulations, and this applies to video platforms as well. Based on our research and expertise in compliant video platforms, we have prepared this guide to help ease the process and to better educate you regarding HIPAA when it comes to video data.
In this blog, we will discuss what HIPAA is and more importantly, how it applies to video. We then discuss what security and data privacy features you should look for when it comes to evaluating a video platform to ensure it complies with the HIPAA regulations.
What is the Health Insurance Portability and Accountability Act (HIPAA)?
The Health Insurance Portability and Accountability Act was formulated in 1996 by the US Department of Health and Human Services (HHS). It is a national standard to protect patient health information and safeguard it from being disclosed without the patients' consent.
There have been a few major updates to the HIPAA law as technology has progressed and the way patient data is handled has changed. One of these has been the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was brought considering new developments in information technology and increased use of Electronic Health Record systems (EHRs).
The HIPAA law and its amendments generally cover 5 rules:
- HIPAA Security Rule: These are a set of standards applied on 3 levels; technical safeguards (IT systems), administrative safeguards, and physical safeguards. This rule requires handlers of sensitive data to ensure security in terms of access, processing and storage, both at rest and in transit.
- HIPAA Privacy Rule: This rule addresses the different instances when patient health information can be used and how it can be used. For instance, it includes standards such as obtaining patient consent and standards for the patient’s right to obtain their data from the healthcare provider on request.
- HIPAA Breach Notification Rule: This rule lays down the requirement to notify patients in the event of a breach of their data. It includes notifying concerned parties about what data was leaked, to whom, and how risks are being mitigated.
- HIPAA Omnibus Rule: This was an amendment to cover areas not addressed by the initial HIPAA rule. It updated definitions, procedures, and policies. It also introduced rules for business associates that have access to ePHI.
- HIPAA Enforcement Rule: This rule is concerned with the penalties and fines that are to be imposed on healthcare providers and concerned bodies for breaching HIPAA.
How Does HIPAA Apply to Video?
Under HIPAA, data collected on patients is considered to be Protected Health Information (PHI) and in an electronic form, it is known as ePHI. Examples include their name, place of birth, social security number, photos, and even their medical history. Learn more here.
Videos filmed of patients or even recorded online meetings (Zoom, MS Teams etc.) with patients, are considered to be ePHI. This is because these videos contain a lot of personally identifiable information such as their faces, names, medical history etc. Videos with such information redacted is not considered ePHI.
What is a HIPAA Compliant Video Platform?
As mentioned previously, the HIPAA Security Rule applies on three levels for the healthcare provider:
- Technical Safeguards: This concerns the technology that is being used to access, store and process the sensitive data (video platforms fall here).
- Physical Safeguards: This concerns the physical infrastructure and policies where such data exists. This involves safeguards at the datacenter where sensitive data is stored. It also includes safeguards at the place of access such as the policies for using workstations on the healthcare provider’s premise.
- Administrative Safeguards: This involves having the right administrative actions to enforce the previous two safeguards. For instance, conducting audits, risk assessments and training your workforce.
When we talk about having a HIPAA compliant video platform, we are looking at the first of the three safeguards – technical safeguards. This is because any video platform (be it YouTube, Vimeo, VIDIZMO) is an IT system and should be evaluated to ensure utmost security and compliance. Even if you have physical and administrative safeguards in place, having a weak IT system can leave you potentially open to cyberattacks.
The HIPAA rule requires IT systems to have security features that comply with NIST standards. This means that they should be encrypted both at rest and in-transit. Such encryption renders data unusable to any intercepting attacker by converting it into an unreadable form (ciphertext). And such encryption on video data can’t just be any encryption but should comply with FIPS 140-2 encryption standards.
Important: When We Mention that a Software is HIPAA Compliant, It Actually Means that it is HIPAA-Ready! Confused as to What That Means? Do Read Our Blog on HIPAA-Ready vs. HIPAA-Compliant.
We have prepared a table of what is required by HIPAA when it comes to a video platform, and how a compliant video platform (like ours) would address them.
Feature to Look For in a Video Platform That Would Address These
Means of Access Control
Mechanisms to Authenticate ePHI
Encryption and Decryption
Activity logs and Audit Controls
Another important aspect to evaluate the platform is data storage at rest. This is usually at a datacenter of a cloud provider (CSP) such as Azure, AWS, Google etc. or in your datacenter.
It's important to use a video platform that allows you to choose your datacenter, one that allows you to implement HIPAA Compliance in your tenant. Or choose a platform that can be deployed on premise.
Here's a diagram that clarifies your role, the CSPs role and the video platform provider's role in HIPAA.
VIDIZMO – HIPAA Compliant Video Platform
If you are looking for a video platform that adheres to HIPAA standards, then VIDIZMO EnterpriseTube is one such platform. EnterpriseTube is a Gartner-recognized enterprise video platform that allows you to manage and stream your healthcare videos with features such as AI, auto-ingestion of recorded Zoom or MS Teams meetings, detailed content categorization, sharing and access management features.
It allows you to create your own secure internal YouTube-like platform for healthcare streaming. Users can upload and share videos, optimized for ready playback through the browser.
VIDIZMO addresses security measures at storage by allowing you to store data in Azure or AWS’s HIPAA-compliant datacenters. The VIDIZMO application has all of the features mentioned above in our checklist:
- SSO Integration (25+ Types of SSO Providers).
- Detailed Access Controls and Permissions.
- Tamper Detection Checks.
- FIPS Compliant End-to-end Encryption.
- Audit Logs for System and Individual Files.
- Custom Login Timeout.
- Custom Security Policies (For Instance, You Can Restrict External Sharing for the Entire Organization).
- Store data in your own Azure or AWS cloud datacenter, or on-premise.
- A video content moderation workflow to double-check access settings for all content uploaded.
The Costa Rican Social Security Fund uses VIDIZMO EnterpriseTube for Public Health Awarness and Secure Internal Sharing of Videos - Read More on This Story
HIPAA Compliance and Video Redaction
For certain purposes such as research or medical training, you might want to share videos with third parties. When doing so, the HIPAA law for de-identification of PHI requires you to remove any personally identifiable information before sending it.
In videos, this involves redacting the audio wherever a person's name, social security numbers, email addresses etc. are spoken. It also involves redacting faces and license plates wherever they appear in a video.
To effectively do this, the HIPAA Compliant video platform like VIDIZMO offers a PII redaction tool that uses AI to redact audio and video files. You can easily redact spoken words, objects, on-screen text and faces.
We did a whole blog on HIPAA redaction rules, so do check it out.
HIPAA Compliance is one aspect of evaluation for a video platform, and there is more such as security, AI, integrations etc. We have prepared a detailed guide on online video platforms that we’d recommend going through.
Read More | HIPAA Compliant File Sharing