As the world is shifting towards more virtual communications, healthcare providers are constantly searching for secure and reliable ways to communicate with their patients through competent video platforms.
Not only that, but they require video platforms to manage huge amounts of medical training videos, recorded zoom meetings, virtual onboarding sessions etc.
However, in order to ensure the privacy and security of patients’ information, it is important for them to use a HIPAA-Compliant Video Platform.
If you are a healthcare provider, insurance provider or any organization that handles protected health information (PHI), then it is mandatory for you to comply with the rules and regulations of HIPAA compliance. Contrary to that, you will be subjected to heavy HIPAA violation penalties.
So, what is HIPAA, how it applies to videos, and what exactly does it mean for a video platform to be HIPAA compliant? Let’s find out in this blog!
What is the Health Insurance Portability and Accountability Act (HIPAA)?
HIPAA stands for the Health Insurance Portability and Accountability Act, which is a federal law in the United States that sets standards for the privacy and security of personal health information.
HIPAA was enacted in 1996 by the U.S. Department of Health and Human Services (HHS) to protect the privacy and security of sensitive medical information and provide guidelines for healthcare providers to ensure the protection of PHI.
There have been a few major updates to the HIPAA law as technology has progressed, and how patient data is handled has changed.
One of these has been the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was brought considering new developments in information technology and increased use of Electronic Health Record systems (EHRs).
HIPAA applies to all healthcare providers, including doctors, hospitals, clinics, and insurance companies, as well as any other entity that handles personal health information, such as business associates, clearinghouses, and healthcare information technology companies.
There are four main rules that provide the framework and critical aspects for compliance requirements are as follows:
HIPAA Security Rule: This is a set of standards applied on 3 levels; technical safeguards (IT systems), administrative safeguards, and physical safeguards. This rule requires handlers of sensitive data to ensure security in terms of access, processing and storage, both at rest and in transit.
HIPAA Privacy Rule: This rule addresses the different instances when patient health information can be used and how it can be used. For instance, it includes standards such as obtaining patient consent and standards for the patient’s right to obtain their data from the healthcare provider on request.
HIPAA Breach Notification Rule: This rule lays down the requirement to notify patients in the event of a breach of their data. It includes notifying concerned parties about what data was leaked, to whom, and how risks are being mitigated.
HIPAA Omnibus Rule: This was an amendment to cover areas not addressed by the initial HIPAA rule. It updated definitions, procedures, and policies. It also introduced rules for business associates that have access to ePHI.
The HIPAA Security Rule applies on three levels for the healthcare provider:
Technical Safeguards: This concerns the technology that is being used to access, store and process sensitive data (video platforms fall here).
Physical Safeguards: This concerns the physical infrastructure and policies where such data exists. This involves safeguards at the data center where sensitive data is stored. It also includes safeguards at the place of access, such as policies for using workstations on the healthcare provider’s premises.
Administrative Safeguards: This involves administrative actions to enforce the previous two safeguards. For instance, conducting audits, risk assessments and training your workforce.
How Does HIPAA Apply to Video Content?
Under HIPAA, all video content that contains PHI (patient’s name, social security numbers, medical records etc.) must be secured to prevent unauthorized access or disclosure.
This includes both live and recorded video sessions, as well as any related transcriptions or notes.
For certain purposes, such as research or medical training, you might want to share videos with third parties. When doing so, the HIPAA law for de-identification of PHI requires you to redact any personally identifiable information PII or PHI before disclosure.
Therefore, to meet the HIPAA compliance rules, redaction is required to hide a person's name, social security number, and email address appearing in videos. It also involves redacting faces and license plates wherever they appear in a video.
Click for more details on HIPAA Redaction Rules.
What to Look for in a HIPAA-Compliant Video Platform?
If you desire to have a video platform that fulfills HIPAA compliance requirements, you need to look at the first of the three safeguards – technical safeguards, as mentioned above.
This is because any video platform (be it YouTube, Vimeo, or VIDIZMO) is an IT system and should be evaluated to ensure the utmost security and compliance. Even if you have physical and administrative safeguards in place, having a weak IT system can leave you potentially open to cyberattacks.
The HIPAA rule requires IT systems to have security features that comply with NIST standards.
This means that they should be encrypted both at rest and in transit. Such encryption renders data unusable to any intercepting attacker by converting it into an unreadable form (ciphertext). And such encryption on video data can’t just be any encryption but should comply with FIPS 140-2 encryption standards.
Important: When We Mention that a Software is HIPAA Compliant, It Actually Means that it is HIPAA-Ready! Confused as to What That Means? Do Read Our Blog on HIPAA-Ready vs. HIPAA-Compliant.
Every video platform must have the following features:
Means of Access Control
SSO and IAM Integration: An important thing here to look for is a centrally controlled unique username and password for every user of the video platform.
This means that it’s highly important for the platform to be able to integrate with your organization’s SSO and be in sync with it.
Define Permissions and Access: You want to make sure that only those who are authorized to access content are only able to access it. You don’t want one doctor to be able to access the data of a patient of another doctor.
You should also be able to define permissions and restrict use after access. For instance, you don’t want doctors to be able to download patient data and then share it ahead. This is required under clause 164.312(a)(1).
Mechanisms to Authenticate ePHI
Tamper Detection: You should be able to verify at any point if a video file is the same as it was uploaded or whether it has been altered.
The video platform should have hashing mechanisms in place to ensure unauthorized parties have made no changes. This is required under clause 164.312(c)(2).
Encryption and Decryption
FIPS Compliant End-to-end Encryption: You want to make sure from video upload to storage to use, videos are encrypted at all stages and can only be decrypted by the video player at the end.
You also want to make sure that the platform uses FIPS (as recommended by NIST) Compliant encryption techniques (e.g., AES) and not just any proprietary encryption standard.
Activity logs and Audit Controls
Audit Logs for System: The video platform should be able to provide a list of all actions performed on the platform, where it reports what content was accessed, when it was accessed, from where, how, and what was done once accessed.
Activity Logs for Each Video: The video platform should be able to provide a chronological history of all actions performed on a specific video, who viewed them, when and what they did after accessing it.
Login Timeout
Custom Login Timeout: The system should automatically log out an inactive user after a certain time period, which could be custom set by the admin. The time should usually be very narrow, about 15 to 30 seconds.
Another important aspect to evaluate the platform is data storage at rest. This is usually at a data center of a cloud provider (CSP) such as Azure, AWS, Google etc. or in your data center.
It's important to use a video platform that allows you to choose your data center, one that allows you to implement HIPAA Compliance in your tenant. Or choose a platform that can be deployed on-premise.
Here's a diagram that clarifies your role, the CSPs role and the video platform provider's role in HIPAA.
VIDIZMO – A HIPAA Compliant Video Platform
If you are looking for a video platform that adheres to HIPAA standards, then VIDIZMO EnterpriseTube is one such platform. EnterpriseTube is a Gartner-recognized enterprise video platform that allows you to manage and stream your healthcare videos with features such as AI, auto-ingestion of recorded Zoom or MS Teams meetings, detailed content categorization, sharing and access management features.
It allows you to create your own secure internal YouTube-like platform for healthcare streaming. Users can upload and share videos optimized for ready playback through the browser.
VIDIZMO addresses security measures at storage by allowing you to store data in Azure or AWS’s HIPAA-compliant data centers. The VIDIZMO application has all of the features mentioned above in our checklist:
-
SSO Integration (25+ Types of SSO Providers).
-
Tamper Detection Checks.
-
FIPS Compliant End-to-end Encryption.
-
Audit Logs for System and Individual Files.
-
Custom Login Timeout.
-
Custom Security Policies (For Instance, You Can Restrict External Sharing for the Entire Organization).
-
Store data in your own Azure or AWS cloud data center, or on-premise.
-
A video content moderation workflow to double-check access settings for all content uploaded.
Contact us to learn more about VIDIZMO EnterpriseTube.
The Costa Rican Social Security Fund uses VIDIZMO EnterpriseTube for Public Health awareness and Secure Internal Sharing of Videos - Read More on This Story
Posted by Co-Author: Sidra Jabeen & Shahan Zafar
This article has been written by Sidra Jabeen & Shahan Zafar for VIDIZMO which provides a Gartner recognized enterprise video content management system and an IDC MarketScape recognized digital evidence management system, to stream live/on-demand media to both internal and external audiences, on-premise, Azure or AWS cloud. VIDIZMO solutions are used by enterprises, government, local, state government, healthcare, law enforcement agencies, justice, public safety, manufacturing, financial & banking industry.