

What It Means for a Video Platform to Be HIPAA Compliant

Here's a list of the features a HIPAA compliant video platform should have so that it can stream content while safeguarding protected health information (PHI).
by Shahan Zafar Updated on February 23, 2022

Since the COVID-19 pandemic pushed businesses online, there has been an explosion in video data: recorded Zoom meetings, training videos for virtual onboarding, and so on. In the healthcare sector, many of these videos contain sensitive patient data, so the risk of a compliance breach is greater than ever. To keep patient data secure and reduce the risk of a data breach, you need a HIPAA compliant video platform.

If you are a healthcare provider, an insurance provider (health plan) or any other organization that handles protected health information in the US, you are required to comply with the Health Insurance Portability and Accountability Act (HIPAA). During the COVID-19 nationwide public health emergency, the HHS Office for Civil Rights issued a notification of enforcement discretion under which it would not impose penalties for HIPAA non-compliance arising from the good-faith provision of telehealth. That discretion is narrow and temporary, and it does not mean that the protection of sensitive patient data can be neglected.

Ignorance of the rules is no excuse for non-compliance, and this applies to video platforms as well. Based on our research and experience with compliant video platforms, we have prepared this guide to ease the process and to explain how HIPAA applies to video data.

In this blog, we will discuss what HIPAA is and, more importantly, how it applies to video. We then discuss the security and data privacy features you should look for when evaluating a video platform for HIPAA compliance.


HIPAA Compliant Video Platform Infographic

What is the Health Insurance Portability and Accountability Act (HIPAA)? 

The Health Insurance Portability and Accountability Act was enacted by the US Congress in 1996; the US Department of Health and Human Services (HHS) writes and enforces its implementing regulations. It sets a national standard for protecting patient health information and safeguarding it from disclosure without the patient's consent or knowledge.

There have been a few major updates to HIPAA as technology has progressed and the way patient data is handled has changed. One of these is the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which responded to developments in information technology and the increased use of Electronic Health Record (EHR) systems.

HIPAA and its amendments are generally described in terms of five rules:

  • HIPAA Security Rule: A set of standards for electronic PHI organized as three categories of safeguards: administrative, physical and technical (IT systems). It requires covered entities and business associates to secure ePHI wherever it is accessed, processed or stored, both at rest and in transit.
  • HIPAA Privacy Rule: Addresses when patient health information may be used or disclosed, and how. For instance, it sets standards for obtaining patient authorization and for the patient's right to obtain a copy of their records from the healthcare provider on request.
  • HIPAA Breach Notification Rule: Lays down the requirement to notify affected individuals, HHS and, for larger breaches, the media when unsecured PHI is breached, including what data was exposed, to whom, and how the risk is being mitigated.
  • HIPAA Omnibus Rule: A 2013 amendment covering areas not addressed by the original rules. It updated definitions, procedures and policies, and made business associates that handle ePHI directly liable for compliance.
  • HIPAA Enforcement Rule: Concerns investigations, hearings, and the civil penalties and fines imposed on healthcare providers and other covered bodies for violating HIPAA.

How Does HIPAA Apply to Video? 

Under HIPAA, individually identifiable health information held or transmitted by a covered entity or business associate is Protected Health Information (PHI); in electronic form it is ePHI. Identifiers that make health information identifiable include a patient's name, dates such as date of birth, Social Security number and full-face photographs, alongside the medical history itself.

Videos filmed of patients, and recorded online meetings (Zoom, MS Teams etc.) with patients, are ePHI: they contain identifying information such as faces, names and spoken medical history. A video from which such information has been properly removed (de-identified) is no longer considered PHI.

Recorded Zoom/MS Teams meetings fall under HIPAA

What is a HIPAA Compliant Video Platform? 

As mentioned previously, the HIPAA Security Rule applies on three levels for the healthcare provider: 

  • Technical Safeguards: This concerns the technology that is being used to access, store and process the sensitive data (video platforms fall here). 
  • Physical Safeguards: This concerns the physical infrastructure and policies where such data exists. It involves safeguards at the datacenter where sensitive data is stored, and safeguards at the place of access, such as the policies for using workstations on the healthcare provider's premises.
  • Administrative Safeguards: This involves having the right administrative actions to enforce the previous two safeguards. For instance, conducting audits, risk assessments and training your workforce. 

When we talk about having a HIPAA compliant video platform, we are looking at the first of the three safeguards – technical safeguards. This is because any video platform (be it YouTube, Vimeo, VIDIZMO) is an IT system and should be evaluated to ensure utmost security and compliance. Even if you have physical and administrative safeguards in place, having a weak IT system can leave you potentially open to cyberattacks.  

The Security Rule is technology-neutral: it does not name specific products, but HHS points to NIST guidance for what counts as adequate protection. Encryption of ePHI at rest and in transit is an "addressable" specification (you implement it, or document why not and implement an equivalent alternative), and HHS breach guidance treats PHI as "unsecured" unless it is encrypted in line with NIST recommendations, so in practice a video platform should encrypt video both at rest and in transit. Encryption renders data unusable to an intercepting attacker by converting it into an unreadable form (ciphertext). For video data this should not be just any encryption: look for NIST-approved algorithms such as AES implemented in modules validated under FIPS 140-2 (or its successor, FIPS 140-3).

Important: when we say a piece of software is HIPAA compliant, we really mean that it is HIPAA-ready. Confused about what that means? Read our blog on HIPAA-Ready vs. HIPAA-Compliant.

We have prepared a table of what HIPAA requires of a video platform and how a compliant video platform (like ours) addresses each requirement.

Each HIPAA requirement below is followed by the features to look for in a video platform that address it.

Means of Access Control 

  • SSO and IAM Integration: Look for a centrally controlled, unique user ID and credentials for every user of the video platform (unique user identification is required under 45 CFR 164.312(a)(2)(i)). It is therefore important that the platform can integrate with, and stay in sync with, your organization's SSO and identity management.
  • Define Permissions and Access: Make sure that only those who are authorized to access content can access it; one doctor should not be able to open the recordings of another doctor's patient. You should also be able to define what a user may do after access: for instance, you may not want doctors to be able to download patient videos and share them onward. Access control is required under 45 CFR 164.312(a)(1).
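Here is what the two items above look like as a single deny-by-default authorization check. This is an added example written for this article, not VIDIZMO's code or a HIPAA-mandated design; the role table, the `Principal` and `Video` shapes, and the idea that a clinician's scope is the set of patients they currently treat are assumptions made for illustration. It treats viewing and downloading as separate permissions, scopes a clinician to their own patients, and lets an organization-wide policy override individual grants:

```go
package main

import "fmt"

// Action is an operation on a video. "view" and "download" are distinct so a
// user can be allowed to watch a recording but not to take a copy of it.
type Action string

const (
	ActView          Action = "view"
	ActDownload      Action = "download"
	ActShareExternal Action = "share_external"
)

// Role grants a set of actions; AllPatients marks roles (e.g. records
// administrators) that are not limited to their own care relationships.
type Role struct {
	Grants      map[Action]bool
	AllPatients bool
}

// roles is a constructed table for this example, not a real product's schema.
var roles = map[string]Role{
	"clinician":     {Grants: map[Action]bool{ActView: true}},
	"records_admin": {Grants: map[Action]bool{ActView: true, ActDownload: true, ActShareExternal: true}, AllPatients: true},
}

// Principal is the SSO-provided identity: unique ID, roles, and the patients
// this user currently treats (the care relationship that scopes access).
type Principal struct {
	ID       string
	Roles    []string
	Patients map[string]bool
}

type Video struct{ ID, PatientID string }

// OrgPolicy holds organization-wide switches that override individual grants.
type OrgPolicy struct{ AllowExternalSharing bool }

// Authorize is deny-by-default: the request is allowed only if some role grants
// the action AND that role's scope covers the video's patient AND no organization
// policy forbids it. The reason string is intended for the audit log.
func Authorize(p Principal, v Video, a Action, pol OrgPolicy) (bool, string) {
	if a == ActShareExternal && !pol.AllowExternalSharing {
		return false, "external sharing disabled by organization policy"
	}
	for _, name := range p.Roles {
		r, ok := roles[name]
		if !ok || !r.Grants[a] {
			continue
		}
		if r.AllPatients || p.Patients[v.PatientID] {
			return true, fmt.Sprintf("granted by role %q", name)
		}
	}
	return false, "no role grants this action for this patient"
}

func main() {
	pol := OrgPolicy{AllowExternalSharing: false}
	alice := Principal{ID: "dr.alice", Roles: []string{"clinician"}, Patients: map[string]bool{"patient-1": true}}
	consult := Video{ID: "video-0001", PatientID: "patient-1"}
	other := Video{ID: "video-0002", PatientID: "patient-2"} // another doctor's patient
	cases := []struct {
		v Video
		a Action
	}{{consult, ActView}, {consult, ActDownload}, {other, ActView}, {consult, ActShareExternal}}
	for _, c := range cases {
		ok, why := Authorize(alice, c.v, c.a, pol)
		fmt.Printf("%s %s on %s: %v (%s)\n", alice.ID, c.a, c.v.ID, ok, why)
	}
}
```

The point of the structure is that every deny path is explicit and loggable, and that a new action (say, "transcribe") is denied everywhere until a role is deliberately granted it.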


Mechanisms to Authenticate ePHI 

  • Tamper Detection: You should be able to verify at any point whether a video file is the same as it was when uploaded or whether it has been altered. The platform should record a cryptographic hash of each file at upload and recompute it on demand to confirm that no unauthorized change has been made; the stored hash itself needs protecting (for example with a keyed HMAC or a signature), otherwise whoever can alter the file can alter the hash too. This is required under 45 CFR 164.312(c)(2).


Encryption and Decryption 

  • FIPS-Validated Encryption at Every Stage: Videos should be encrypted from upload, through storage, to delivery, and decrypted only at the authorized video player (encryption in transit and at rest are covered by 45 CFR 164.312(e)(2)(ii) and 164.312(a)(2)(iv)). Make sure the platform uses NIST-approved algorithms (for example AES) in FIPS 140-2 or FIPS 140-3 validated modules, rather than a proprietary encryption scheme. Note that what vendors often call "end-to-end" here means encryption at every hop; a platform that transcodes or streams still has to decrypt server-side, so its key management matters as much as the cipher.
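The two requirements above (authenticating stored ePHI, and encrypting it at rest with a NIST-approved cipher) can be met together. The following Go program is an added example for this article, not VIDIZMO's implementation; the chunk layout, field names and fixed demo keys are assumptions. It stores a video as AES-256-GCM chunks with the chunk position bound into the authentication tag, and keeps a keyed HMAC of the upload-time plaintext hash, so that any later modification, reordering or truncation is detected rather than silently served:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const chunkSize = 32 // tiny so the sample spans several chunks; use MiB in practice

// Chunk is one AES-GCM sealed segment (ciphertext with 16-byte tag) and its nonce.
type Chunk struct{ Nonce, Data []byte }

// StoredVideo is what the platform persists. Digest is an HMAC keyed separately
// from the encryption key, so whoever can rewrite the object cannot rewrite a plain hash.
type StoredVideo struct {
	ID     string
	Chunks []Chunk
	Digest []byte // HMAC-SHA256(integrityKey, videoID || SHA-256(plaintext))
}

// aad binds video ID and chunk position into the tag: no moving or replaying chunks.
func aad(videoID string, index uint32) []byte {
	idx := make([]byte, 4)
	binary.BigEndian.PutUint32(idx, index)
	return append([]byte(videoID), idx...)
}

func digestOf(integrityKey []byte, videoID string, plaintext []byte) []byte {
	sum := sha256.Sum256(plaintext)
	mac := hmac.New(sha256.New, integrityKey)
	mac.Write([]byte(videoID))
	mac.Write(sum[:])
	return mac.Sum(nil)
}

func newGCM(encKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext chunk by chunk with a fresh random nonce each time and
// records the upload-time digest used later for tamper detection.
func Encrypt(encKey, integrityKey []byte, videoID string, plaintext []byte) (*StoredVideo, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	var chunks []Chunk
	for i, off := uint32(0), 0; off < len(plaintext); i, off = i+1, off+chunkSize {
		pt := plaintext[off:]
		if len(pt) > chunkSize {
			pt = pt[:chunkSize]
		}
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		chunks = append(chunks, Chunk{Nonce: nonce, Data: gcm.Seal(nil, nonce, pt, aad(videoID, i))})
	}
	return &StoredVideo{ID: videoID, Chunks: chunks, Digest: digestOf(integrityKey, videoID, plaintext)}, nil
}

// DecryptAndVerify returns plaintext only if every chunk authenticates at its position
// and the whole-file digest matches. A flipped byte or swapped chunk fails at the GCM
// tag; a dropped trailing chunk, invisible to GCM alone, fails at the digest.
func DecryptAndVerify(encKey, integrityKey []byte, v *StoredVideo) ([]byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	for i, c := range v.Chunks {
		pt, err := gcm.Open(nil, c.Nonce, c.Data, aad(v.ID, uint32(i)))
		if err != nil {
			return nil, fmt.Errorf("chunk %d failed authentication: %w", i, err)
		}
		out.Write(pt)
	}
	if !hmac.Equal(v.Digest, digestOf(integrityKey, v.ID, out.Bytes())) {
		return nil, fmt.Errorf("whole-file digest mismatch: content differs from the upload")
	}
	return out.Bytes(), nil
}

func main() {
	// Constructed sample and fixed demo keys; real keys would come from a KMS or HSM.
	encKey, integrityKey := bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32)
	sample := bytes.Repeat([]byte("CONSTRUCTED-SAMPLE-VIDEO-BYTES "), 3)
	v, err := Encrypt(encKey, integrityKey, "video-0001", sample)
	if err != nil {
		panic(err)
	}
	v.Chunks[1].Data[0] ^= 0x01 // simulate a modified stored object
	_, err = DecryptAndVerify(encKey, integrityKey, v)
	fmt.Println("after tampering:", err)
}
```

AES-GCM is a NIST-approved mode, but whether a deployment counts as FIPS 140-2/140-3 validated depends on the module that implements it (Go's default standard-library crypto is not a validated module), so check the module certificate rather than just the algorithm name. Keys belong in a KMS or HSM, never beside the object store, and the integrity key should be held by the verification service rather than the storage tier.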


Activity logs and Audit Controls 

  • Audit Logs for the System: The platform should be able to produce a list of all actions performed on it: what content was accessed, when, from where, how, and what was done with it once accessed (audit controls, 45 CFR 164.312(b)).
  • Activity Logs for Each Video: The platform should be able to produce the chronological history of all actions performed on a specific video: who viewed it, when, and what they did after accessing it.
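A minimal shape for both kinds of log above, as an added example for this article (not VIDIZMO's schema; the field names and sample events are constructed): each audit entry carries the hash of the previous one, so the system-wide trail can be checked for edits or deletions, and the per-video history is just a filter over the same trail:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// genesis anchors the first entry. In production the latest Hash would be
// periodically exported (signed, or written to WORM storage) so an attacker
// who can rewrite the whole log cannot simply rechain it.
const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// AuditEvent records who did what to which video, when and from where.
// Field names are assumptions for this example, not a real product's schema.
type AuditEvent struct {
	Time    time.Time `json:"time"`
	User    string    `json:"user"`
	VideoID string    `json:"video_id"`
	Action  string    `json:"action"` // "view", "download", "share", ...
	SrcIP   string    `json:"src_ip"`
	Prev    string    `json:"prev"` // hash of the preceding entry
	Hash    string    `json:"hash"` // hash of this entry, computed with Hash empty
}

// AuditLog is an append-only, hash-chained trail.
type AuditLog struct{ Entries []AuditEvent }

func hashEvent(e AuditEvent) string {
	e.Hash = "" // the hash covers every other field, including Prev
	b, err := json.Marshal(e)
	if err != nil {
		panic(err) // cannot happen for this struct
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links the new event to the current head and seals it.
func (l *AuditLog) Append(e AuditEvent) {
	e.Prev = genesis
	if n := len(l.Entries); n > 0 {
		e.Prev = l.Entries[n-1].Hash
	}
	e.Hash = hashEvent(e)
	l.Entries = append(l.Entries, e)
}

// Verify walks the chain and returns the index of the first entry that was
// edited, removed or re-chained, or -1 if the log is intact.
func (l *AuditLog) Verify() int {
	prev := genesis
	for i, e := range l.Entries {
		if e.Prev != prev || hashEvent(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// HistoryFor is the per-video activity view: the chronological list of
// actions taken on one recording.
func (l *AuditLog) HistoryFor(videoID string) []AuditEvent {
	var out []AuditEvent
	for _, e := range l.Entries {
		if e.VideoID == videoID {
			out = append(out, e)
		}
	}
	return out
}

// sampleLog builds a constructed trail of four events (not real data).
func sampleLog() *AuditLog {
	t0 := time.Date(2022, 2, 23, 9, 0, 0, 0, time.UTC)
	l := &AuditLog{}
	l.Append(AuditEvent{Time: t0, User: "dr.alice", VideoID: "video-0001", Action: "view", SrcIP: "10.0.4.21"})
	l.Append(AuditEvent{Time: t0.Add(2 * time.Minute), User: "dr.alice", VideoID: "video-0001", Action: "download", SrcIP: "10.0.4.21"})
	l.Append(AuditEvent{Time: t0.Add(5 * time.Minute), User: "dr.bob", VideoID: "video-0002", Action: "view", SrcIP: "10.0.7.3"})
	l.Append(AuditEvent{Time: t0.Add(9 * time.Minute), User: "dr.alice", VideoID: "video-0001", Action: "share", SrcIP: "10.0.4.21"})
	return l
}

func main() {
	l := sampleLog()
	fmt.Println("intact:", l.Verify() == -1)
	for _, e := range l.HistoryFor("video-0001") {
		fmt.Printf("%s %-9s %-8s %s\n", e.Time.Format(time.RFC3339), e.User, e.Action, e.SrcIP)
	}
	l.Entries[1].Action = "view" // someone tries to hide the download
	fmt.Println("first bad entry after edit:", l.Verify())
}
```

A hash chain only detects tampering if the current head hash is anchored somewhere the attacker cannot rewrite, for example by signing it periodically or copying it to write-once storage; otherwise an attacker with write access to the whole log can rechain it from the edited entry onward. Logs must also be retained: HIPAA's documentation retention period (six years, 45 CFR 164.316(b)(2)) is commonly applied to audit trails as well.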

Login Timeout 

  • Custom Login Timeout: The system should automatically log out an inactive user after a set period that the admin can configure (automatic logoff, 45 CFR 164.312(a)(2)(iii)). HIPAA does not prescribe a number; a common policy is 15 to 30 minutes of inactivity, with shorter timeouts on shared workstations.


This checklist was developed by consulting the HIPAA Journal Compliance List and the Summary of the HIPAA Security Rule as Provided by the U.S. Department of Health and Human Services.  


Another important aspect to evaluate is how data is stored at rest. This is usually in the datacenter of a cloud service provider (CSP) such as Azure, AWS or Google, or in your own datacenter.

Use a video platform that lets you choose your datacenter and region and configure HIPAA-related controls in your tenant, or choose a platform that can be deployed on premises. Remember that a CSP that stores ePHI on your behalf is a business associate, so a business associate agreement (BAA) with the CSP, and with the platform vendor, is required.

Here's a diagram that clarifies your role, the CSP's role and the video platform provider's role in HIPAA.

HIPAA Compliance and Meeting Its Requirements For Software Infographic

VIDIZMO – HIPAA Compliant Video Platform 

If you are looking for a video platform that adheres to HIPAA standards, VIDIZMO EnterpriseTube is one such platform. EnterpriseTube is a Gartner-recognized enterprise video platform that lets you manage and stream your healthcare videos with AI-assisted features, auto-ingestion of recorded Zoom or MS Teams meetings, detailed content categorization, and sharing and access management.

It allows you to create your own secure internal YouTube-like platform for healthcare streaming. Users can upload and share videos, optimized for ready playback through the browser.

A screenshot of VIDIZMO HIPAA Compliant Platform

VIDIZMO addresses security at rest by letting you store data in Azure or AWS regions and services that those providers cover under their HIPAA business associate agreements. The VIDIZMO application has all of the features in our checklist:

  • SSO Integration (25+ Types of SSO Providers). 
  • Detailed Access Controls and Permissions.
  • Tamper Detection Checks.
  • FIPS-validated encryption at rest and in transit.
  • Audit Logs for System and Individual Files. 
  • Custom Login Timeout.
  • Custom Security Policies (For Instance, You Can Restrict External Sharing for the Entire Organization).
  • Store data in your own Azure or AWS cloud datacenter, or on premises.
  • A video content moderation workflow to double-check access settings for all content uploaded. 




The Costa Rican Social Security Fund uses VIDIZMO EnterpriseTube for public health awareness and secure internal sharing of videos. Read more on this story.


HIPAA Compliance and Video Redaction

For purposes such as research or medical training, you may want to share videos with third parties. HIPAA's de-identification standard (45 CFR 164.514) then applies: before sending the video, either remove the 18 listed identifiers (the "safe harbor" method) or have a qualified expert determine that the risk of re-identification is very small.

In videos, this means redacting the audio wherever a person's name, Social Security number, email address or other identifier is spoken, and blurring faces and license plates wherever they appear.

To do this effectively, a HIPAA-compliant video platform such as VIDIZMO offers a PII redaction tool that uses AI to redact audio and video files. You can redact spoken words, objects, on-screen text and faces.

We did a whole blog on HIPAA redaction rules, so do check it out.

VIDIZMO Redaction Tool for HIPAA


HIPAA compliance is only one aspect of evaluating a video platform; there is more to consider, such as general security, AI and integrations. We have prepared a detailed guide on online video platforms that we recommend going through.



Shahan is the Product Marketing Manager at VIDIZMO - An expert in video streaming, sharing and management platforms. Shahan is actively involved in researching and consolidating information regarding innovative features, customer challenges and emerging trends in this domain. You can email at shahan.zafar@vidizmo.com for any queries.

