Zoom, an online web meeting provider, has been marketing itself as a telehealth solution. However, if you’ve done your HIPAA homework, it’s clear that Zoom isn’t ready for telemedicine. First, Zoom copied its HIPAA FAQs almost directly from VSee’s old HIPAA page. Second, it hasn’t bothered to keep up with the discussion of the HIPAA rules since then. The practical result is that, unlike VSee and Vidyo, Zoom does not sign the Business Associate Agreements (BAAs) that HIPAA compliance requires.
In a PDF downloaded from its website, Zoom claims that “Zoom never has access to any information, health or otherwise, that you may observe, transmit, or receive by using Zoom, and therefore is not a business associate under HIPAA rules.” In other words, Zoom’s position is that it does not need to sign a BAA to be HIPAA compliant.
It’s true that early on, when the HIPAA Final Rule (or Omnibus Rule) was published in January 2013, there was a lot of confusion about whether video calling services (Skype, Vidyo, VSee, WebEx, Zoom, etc.) were exempt from being a Business Associate (BA) under HIPAA’s “conduit exception.” (HIPAA only mentions the post office and telecommunications carriers as specific examples of the conduit exception.) For example, according to Dr. Ofer Zur, author of The HIPAA Compliance Kit:
The Final Rule seems to state that in order to be exempt from serving as a BA, the software must only be transmitting the data (as Skype does) and must have no access to that information. The conduit rule is a rule that exempts a company from being a HIPAA Business Associate only if it:
1) Only transmits the encrypted PHI and
2) Never has access to the encryption key.
According to some experts the fact that Skype can give information to law enforcement (as it has been known to do) means they have access to the encryption key, which means they must serve as a BA. However, Skype neither provides a BA Agreement nor claims to be HIPAA Compliant.
The issue, however, was cleared up by HIPAA’s enforcing agency, the Office for Civil Rights (OCR) at the Department of Health and Human Services, by the end of 2013. In fact, VSee was able to make direct contact with an OCR representative to find out whether the “conduit exception” applied to VSee and other videoconferencing vendors.
Yip Fong, the OCR representative we talked with, confirmed that a BAA would be required for VSee’s healthcare customers. She noted that even though protected health information (PHI) isn’t “stored” or “maintained” by such a vendor, it is “transmitted” over the Internet, which is always susceptible to a breach despite strong security measures. Therefore providers must enter into a BAA with such vendors.
Would Zoom Take Responsibility for a HIPAA Privacy Breach?
In the end, the question is who is going to take responsibility in case of a protected health information (PHI) leak. Consider that even under Dr. Zur’s reading of the HIPAA “conduit rule,” Zoom still wouldn’t be exempt from being a BA. While Zoom encrypts the data it transmits, the video is relayed through Zoom’s own servers, which can decrypt it and therefore have full access to the raw video. In other words, Zoom holds the encryption key, which fails the second condition of the conduit test above, and this is a major architectural hole through which confidential patient information could leak.
Furthermore, HIPAA is also clear that even something as simple as the fact that patient X had a call with doctor Y is considered PHI. Leaking such personal health data can mean civil penalties of up to $1.5 million per year for violations of an identical provision. Conducting a telemedicine session with Zoom makes a provider that much more exposed to such leaks.
For example, suppose you are a therapist specializing in depression and you use Zoom for an appointment with me. Zoom knows that I talked with a depression therapist, and anyone who learns that can infer that I am depressed. If Zoom accidentally leaks this information, who is responsible? Clearly, Zoom should be, since it is the party that revealed a patient’s condition. Thus, Zoom should be signing BAAs if it wants to be HIPAA compliant.
Moral of the story: if you’re looking into telemedicine video, do your homework and make sure you’re working with a HIPAA-compliant video provider that knows the rules and will sign a BAA.