With businesses going virtual after the COVID-19 pandemic, there has been an explosion in video data, such as recorded Zoom meetings, training videos for virtual on-boarding etc. Within the healthcare sector, a lot of these videos include sensitive patient data and the risk of breaching compliance is greater than ever. Therefore, to keep patient data secure and reduce the risk of a data breach, you need a HIPAA compliant video platform.
If you are a healthcare provider, insurance provider or any organization that handles protected health information, then it mandatory for you to comply with the Health Insurance Portability and Accountability Act (HIPAA) in the US. There has been a temporary notification by HIPAA on the nationwide public health emergency due to COVID-19, and under this notification healthcare providers may be exempted under certain circumstances. However, this doesn’t mean that the protection of sensitive patient data can purposefully be neglected.
Ignorance of HIPAA rules is no excuse for not complying with HIPAA regulations, and this applies to video platforms as well. Based on our research and expertise in compliant video platforms, we have prepared this guide to help ease the process and to better educate you regarding HIPAA when it comes to video data.
In this blog, we will discuss what HIPAA is and more importantly, how it applies to video. We then discuss what security and data privacy features you should look for when it comes to evaluating a video platform to ensure it complies with the HIPAA regulations.
Jump to the Feature Checklist We Have Prepared
What is the Health Insurance Portability and Accountability Act (HIPAA)?
The Health Insurance Portability and Accountability Act was formulated in 1996 by the US Department of Health and Human Services (HHS). It is a national standard to protect patient health information and safeguard it from being disclosed without the patients' consent.
There have been a few major updates to the HIPAA law as technology has progressed and the way patient data is handled has changed. One of these has been the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was brought considering new developments in information technology and increased use of Electronic Health Record systems (EHRs).
The HIPAA law and its amendments generally cover 5 rules:
- HIPAA Security Rule: These are a set of standards applied on 3 levels; technical safeguards (IT systems), administrative safeguards, and physical safeguards. This rule requires handlers of sensitive data to ensure security in terms of access, processing and storage, both at rest and in transit.
- HIPAA Privacy Rule: This rule addresses the different instances when patient health information can be used and how it can be used. For instance, it includes standards such as obtaining patient consent and standards for the patient’s right to obtain their data from the healthcare provider on request.
- HIPAA Breach Notification Rule: This rule lays down the requirement to notify patients in the event of a breach of their data. It includes notifying concerned parties about what data was leaked, to whom, and how risks are being mitigated.
- HIPAA Omnibus Rule: This was an amendment to cover areas not addressed by the initial HIPAA rule. It updated definitions, procedures, and policies. It also introduced rules for business associates that have access to ePHI.
- HIPAA Enforcement Rule: This rule is concerned with the penalties and fines that are to be imposed on healthcare providers and concerned bodies for breaching HIPAA.
How Does HIPAA Apply to Video?
Under HIPAA, data collected on patients is considered to be Protected Health Information (PHI) and in an electronic form, it is known as ePHI. Examples include their name, place of birth, social security number, photos, and even their medical history. Learn more here.
Videos filmed of patients or even recorded online meetings (Zoom, MS Teams etc.) with patients, are considered to be ePHI. This is because these videos contain a lot of personally identifiable information such as their faces, names, medical history etc. Videos with such information redacted is not considered ePHI.
What is a HIPAA Compliant Video Platform?
As mentioned previously, the HIPAA Security Rule applies on three levels for the healthcare provider:
- Technical Safeguards: This concerns the technology that is being used to access, store and process the sensitive data (video platforms fall here).
- Physical Safeguards: This concerns the physical infrastructure and policies where such data exists. This involves safeguards at the datacenter where sensitive data is stored. It also includes safeguards at the place of access such as the policies for using workstations on the healthcare provider’s premise.
- Administrative Safeguards: This involves having the right administrative actions to enforce the previous two safeguards. For instance, conducting audits, risk assessments and training your workforce.
When we talk about having a HIPAA compliant video platform, we are looking at the first of the three safeguards – technical safeguards. This is because any video platform (be it YouTube, Vimeo, VIDIZMO) is an IT system and should be evaluated to ensure utmost security and compliance. Even if you have physical and administrative safeguards in place, having a weak IT system can leave you potentially open to cyberattacks.
The HIPAA rule requires IT systems to have security features that comply with NIST standards. This means that they should be encrypted both at rest and in-transit. Such encryption renders data unusable to any intercepting attacker by converting it into an unreadable form (ciphertext). And such encryption on video data can’t just be any encryption but should comply with FIPS 140-2 encryption standards.
We have prepared a table of what is required by HIPAA when it comes to a video platform, and how a compliant video platform would address them.
|
HIPAA Requirements |
Feature to Look For in a Video Platform That Would Address These |
|
Means of Access Control |
|
|
Mechanisms to Authenticate ePHI |
|
|
Encryption and Decryption |
|
|
Activity logs and Audit Controls |
|
|
Login Timeout |
|
This checklist was developed by consulting the HIPAA Journal Compliance List and the Summary of the HIPAA Security Rule as Provided by the U.S. Department of Health and Human Services.
Another important aspect to evaluate the platform is data storage at rest. This is usually at a datacenter of the platform provider or at datacenters of a cloud provider such as Azure, AWS, Google etc. It's important to use a video platform that allows you to choose your datacenter, one that is HIPAA Compliant datacenter such as Azure or AWS.
VIDIZMO – HIPAA Compliant Video Platform
If you are looking for a video platform that adheres to HIPAA standards, then VIDIZMO EnterpriseTube is one such platform. EnterpriseTube is an enterprise video platform that allows you to manage and stream your healthcare videos with features such as AI, auto-ingestion of recorded Zoom or MS Teams meetings, detailled content categorization, sharing and access management features.
VIDIZMO addresses security measures at storage by allowing you to store data in Azure or AWS’s HIPAA-compliant datacenters. The VIDIZMO application has all of the features mentioned above:
- SSO Integration (25+ Types of SSO Providers).
- Detailed Access Controls and Permissions.
- Tamper Detection Checks.
- FIPS Compliant End-to-end Encryption.
- Audit Logs for System and Individual Files.
- Custom Login Timeout.
- Custom Security Policies (For Instance, You Can Restrict External Sharing for the Entire Organization).
- Store data in your Azure or AWS cloud datacenter - both of which are HIPAA Compliant.
HIPAA Compliance is one aspect of evaluation for a video platform, and there is more such as security, AI, integrations etc. We have prepared a detailed guide on online video platforms that we’d recommend going through.
