Zoom Is Not HIPAA Compliant

Zoom, an online web meeting provider, has been marketing itself as a telehealth solution. However, if you’ve done your HIPAA homework, it’s clear that Zoom isn’t ready for telemedicine. First, Zoom copied its HIPAA FAQs almost directly from VSee’s old HIPAA page. Second, it hasn’t bothered to keep up with discussions of the HIPAA rules since then. The result is that, unlike VSee and Vidyo, Zoom does not sign the Business Associate Agreements (BAAs) required for HIPAA compliance.

In a PDF downloaded from its website, Zoom claims that “Zoom never has access to any information, health or otherwise, that you may observe, transmit, or receive by using Zoom, and therefore is not a business associate under HIPAA rules.” In other words, it is saying that signing a BAA is not necessary for it to be compliant with HIPAA.

It’s true that early on, when the HIPAA Final Rule (or Omnibus Rule) first went into effect in January of 2013, there was a lot of confusion about whether video calling services such as Skype, Vidyo, VSee, WebEx, and Zoom were exempt from being a Business Associate (BA) under HIPAA’s “conduit exception.” (HIPAA only mentions the post office and telecommunication carriers as specific examples of the conduit exception.) For example, according to Dr. Ofer Zur, author of The HIPAA Compliance Kit:

The Final Rule seems to state that in order to be exempt from serving as a BA, the software must only be transmitting the data (as Skype does) and must have no access to that information. The conduit rule is a rule that exempts a company from being a HIPAA Business Associate only if it:

1) Only transmits the encrypted PHI and
2) Never has access to the encryption key.
According to some experts the fact that Skype can give information to law enforcement (as it has been known to do) means they have access to the encryption key, which means they must serve as a BA. However, Skype neither provides a BA Agreement nor claims to be HIPAA Compliant.

The issue, however, was cleared up by HIPAA’s enforcing agency, the Office of Civil Rights (OCR) at the Department of Health and Human Services, by the end of 2013. In fact, VSee was able to make direct contact with an OCR representative to find out whether the “conduit exception” applied to VSee and other videoconference vendors.

Yip Fong, the OCR representative we talked with, confirmed that a BAA would be required for its healthcare customers. She noted that even though patient health information (PHI) isn’t “stored” or “maintained,” it is “transmitted” over the Internet, which is always susceptible to a breach despite strong security measures. Therefore providers must enter into a BAA with such vendors.

Would Zoom Take Responsibility for a HIPAA Privacy Breach?

In the end, the question is who is going to take responsibility in case of a personal health information (PHI) leak. Consider: even if you apply Dr. Ofer’s understanding of the HIPAA “conduit rule,” Zoom still wouldn’t be exempt from being a BA. While Zoom encrypts the data it transmits, the encrypted video is in fact first transmitted to its servers, which have full access to the raw video. In other words, Zoom has access to the encryption key, and this is a major architectural hole through which confidential patient information could leak.

Furthermore, HIPAA is also clear that even something as simple as saying patient X had a call with doctor Y is considered PHI. Leaking such personal health data can mean fines of up to $1.5M per patient. Conducting a telemedicine session with Zoom makes a provider that much more vulnerable to such leaks.

For example, suppose you are a therapist specializing in depression and you use Zoom to make an appointment with me.  Zoom knows that I talked with a depression therapist, and people can infer that I am depressed.  If Zoom accidentally leaks this information out – who is responsible? Clearly, Zoom should be responsible since it is the one that revealed a patient condition. Thus, Zoom should be signing BAAs if it wants to be HIPAA-compliant.

Moral of the story: if you’re looking into telemedicine video, do your homework and make sure you’re working with a HIPAA-compliant video provider who knows the rules.

Vidyo No-Show — Are They Giving up on Telemedicine?

This year’s ATA Fall Forum in Palm Desert, CA was a huge show of strength for telemedicine. All the big names were there, from Global Med to AMD Telemedicine to MedWeb to VSee; even non-HIPAA-compliant Zoom was there. The theme was “Managing Chronic Conditions via Telemedicine,” and the VSee team was proud to participate and see our old and new customers.

Notably absent from the exhibition floor was Vidyo, the nemesis of VSee.

Almost all VSee customers are former Vidyo or webRTC (OpenTok, AddLive) users who were dissatisfied with the video quality or customer service of these video providers. Given the explosive growth of telemedicine, is Vidyo giving up the telemedicine space and leaving the field to VSee and Zoom? Exhibiting at ATA’s telemedicine tradeshows shows commitment to serving that market segment. It shows a company’s intent to support and focus on telemedicine users. Can you trust a company that doesn’t even bother to show up?

Perhaps this absence signals a shift in Vidyo’s strategy? Maybe they’re spreading themselves too thin with their new injection of venture funding. Perhaps they’ve realised their solution is less competitive, so they’re moving away from the healthcare industry. We would not be surprised if they give up on telemedicine to focus exclusively on video games.

VSee for Ebola Contagious Disease Units

Emergency health care workers, such as those on the front lines combating Ebola in Nigeria, are already using VSee for Ebola treatment. This week, a number of VSee customers contacted us to set up Ebola isolation units inside their hospital.

The setup is simple: just load the free VSee software onto a medical grade Onyx Healthcare all-in-one PC or load the free VSee onto the computer already in the isolation unit.

From the VSee address book, select Settings > Preferences > Automatically Accept Calls, and set up auto answer with your list of allowed users, so that any emergency worker on the list can connect automatically by video without having to make a request. This makes communications between multiple remote users faster and easier, streamlining the emergency workflow.

For an advanced setup, install a pan-tilt-zoom HD camera to allow the remote staff to control the camera.

For an even more advanced setup, deploy a VSee Telemedicine Kit which contains medical scopes and sensors. VSee allows doctors to do remote readings from these sensors, including EKG monitor, digital stethoscope, pulse oximeter, and numerous other devices.

Many contagious disease units are already using VSee. If you are applying to the USAID Ebola Grant, we would love to partner with you.

Employers Save Big on Telemedicine

Telemedicine goes to work.

Telemedicine could save US companies $6 billion a year in health care costs, according to a survey by Towers Watson.

Writing about workplace telemedicine, Dan Verel of MedCity News says it means that “employees will no longer have to leave the office to go to the doctor for non-emergencies.” Fewer in-person doctor appointments improve productivity and reduce downtime. No wonder corporate leaders view this solution “as a low-cost alternative to emergency room or physician office visits for non-emergency health issues.”

$6 billion is a lot of money, but it won’t appear overnight. Verel quotes Dr. Allan Khoury of Towers Watson as saying, “Achieving this savings requires a shift in patient and physician mindsets, health plan willingness to integrate and reimburse such services, and regulatory support in all states.” To be sure, the healthcare industry needs to educate the public about the advantages of telemedicine, and the laws in many states still need to catch up to the technology.

Telemedicine’s arrival in the workplace “makes sense given the fact that employers are interested in cutting down on unnecessary healthcare costs and fewer physicians will be able to serve a growing number of people entering the healthcare system,” according to MedCity News.

Office telehealth is just one facet of a larger trend toward technology-enabled health consultations. The outlook for telemedicine is upbeat. In fact, revenues from video consultations are expected to hit $13.7 billion by 2017. That’s up from only $100 million in 2013 – truly explosive growth.

What does telemedicine look like in an office setting? It may not be limited to your desktop computer. Several companies are experimenting with different solutions. In the Mayo Clinic’s campus in Austin, TX, employees can step into a private kiosk and have a remote nurse practitioner check their vital signs. Visit this article in the Austin StarTribune to see photos and read more about these innovations.

Graphic courtesy of Towers Watson

VSee at ACEP14 in Chicago

Register for ACEP14

VSee will be exhibiting at the ACEP14 conference in Chicago, IL this year in booth #1911. ACEP is the American College of Emergency Practitioners, and their members include many health care providers who could benefit from using VSee technology, and many of them already do. VSee will be showcasing our new product, Concierge Waiting Room: a complete medical office in the cloud, which includes scheduling, intake forms, call routing/triage, online payment, and of course, video consultations.

Join the thousands of emergency medicine professionals from around the globe that gather annually to attend the American College of Emergency Physicians’ flagship event — one of the premier events in the specialty. ACEP14 is an immersive experience that goes beyond what typical medical conferences offer. It is the single most comprehensive consortium that brings together education, networking, and new technology to one convenient and exciting location. Moreover, ACEP14 is the place to gain the knowledge and tools that you can immediately put to practice.

Monday, October 27 – Thursday, October 30

Booth #1911
at McCormick Place
2201 Fort Dearborn Drive
Chicago, IL

If you’re in the area, please stop by booth #1911 and say hello!