Zoom Is Not HIPAA Compliant

Zoom, an online web meeting provider, has been marketing itself as a telehealth solution. However, if you’ve done your HIPAA homework, it’s clear that Zoom isn’t ready for telemedicine. First, Zoom copied its HIPAA FAQs almost directly from VSee’s old HIPAA page. Second, it hasn’t bothered to keep up with discussions of the HIPAA rules since then. This leads to the problem that, unlike VSee and Vidyo, Zoom does not sign the Business Associate Agreements (BAA) required for HIPAA compliance.

In a PDF downloaded from its website, Zoom claims that “Zoom never has access to any information, health or otherwise, that you may observe, transmit, or receive by using Zoom, and therefore is not a business associate under HIPAA rules.” Thus, it is saying that signing a BAA is not necessary for it to be compliant with HIPAA.

It’s true that early on, when the HIPAA Final Rule (or Omnibus Rule) first went into effect in January of 2013, there was a lot of confusion about whether video calling services (Skype, Vidyo, VSee, WebEx, Zoom, etc.) were exempt from being a Business Associate (BA) under HIPAA’s “conduit exception.” (HIPAA only mentions the post office and telecommunication carriers as specific examples of the conduit exception.) For example, according to Dr. Ofer Zur, author of The HIPAA Compliance Kit:

The Final Rule seems to state that in order to be exempt from serving as a BA, the software must only be transmitting the data (as Skype does) and must have no access to that information. The conduit rule is a rule that exempts a company from being a HIPAA Business Associate only if it:

1) Only transmits the encrypted PHI and
2) Never has access to the encryption key.

According to some experts, the fact that Skype can give information to law enforcement (as it has been known to do) means they have access to the encryption key, which means they must serve as a BA. However, Skype neither provides a BA Agreement nor claims to be HIPAA Compliant.

The issue, however, was cleared up by HIPAA’s enforcing agency, the Office of Civil Rights (OCR) at the Department of Health and Human Services, by the end of 2013. In fact, VSee was able to make direct contact with an OCR representative to find out whether the “conduit exception” applied to VSee and other videoconference vendors.

Yip Fong, the OCR representative we talked with, confirmed that a BAA would be required for its healthcare customers. She noted that even though patient health information (PHI) isn’t “stored” or “maintained”, it is “transmitted” over the Internet, which is always susceptible to a breach despite strong security measures. Therefore, providers must enter into a BAA with such vendors.

Would Zoom Take Responsibility for a HIPAA Privacy Breach?

In the end, the question is who is going to take responsibility in case of a personal health information (PHI) leak. Consider: even if you apply Dr. Ofer’s understanding of the HIPAA “conduit rule,” Zoom still wouldn’t be exempt from being a BA. While Zoom encrypts the data it transmits, the encrypted video is in fact first transmitted to its servers, which have full access to the raw video. In other words, Zoom has access to the encryption key, and this is a major architecture hole for leaking confidential patient information.

Furthermore, HIPAA is also clear that even something as simple as saying patient X had a call with doctor Y is considered PHI.  Leaking such personal health data can mean fines of up to $1.5M per patient. Conducting a telemedicine session with Zoom makes a provider that much more vulnerable to such leaks.

For example, suppose you are a therapist specializing in depression and you use Zoom to make an appointment with me.  Zoom knows that I talked with a depression therapist, and people can infer that I am depressed.  If Zoom accidentally leaks this information out – who is responsible? Clearly, Zoom should be responsible since it is the one that revealed a patient condition. Thus, Zoom should be signing BAAs if it wants to be HIPAA-compliant.

Moral of the story: if you’re looking into telemedicine video, do your homework and make sure you’re working with a HIPAA-compliant video provider who knows the rules.

Vidyo No-Show — Are They Giving up on Telemedicine?

This year’s ATA Fall Forum in Palm Desert, CA was a huge show of strength for telemedicine. All the big names were there, from Global Med to AMD Telemedicine to MedWeb to VSee; even non-HIPAA-compliant Zoom was there. The theme was “Managing Chronic Conditions via Telemedicine,” and the VSee team was proud to participate and see our old and new customers.

Notably absent from the exhibition floor was Vidyo, the nemesis of VSee.

Almost all VSee customers are former Vidyo or WebRTC (OpenTok, AddLive) users who were dissatisfied with the video quality or customer service of these video providers. Given the explosive growth of telemedicine, is Vidyo giving up the telemedicine space and leaving the field to VSee and Zoom? Exhibiting at ATA’s telemedicine tradeshows shows commitment to serving that market segment. It shows a company’s intent to support and focus on telemedicine users. Can you trust a company that doesn’t even bother to show up?

Perhaps this absence signals a shift in Vidyo’s strategy? Maybe they’re spreading themselves too thin with their new injection of venture funding. Perhaps they’ve realised their solution is less competitive, so they’re moving away from the healthcare industry. We would not be surprised if they give up on telemedicine to focus exclusively on video games.

HealthTap Taps Doctors for Virtual Video Visits

HealthTap, best known for its online health question and answer knowledge base curated by real doctors, is looking to join the ranks of real-time virtual doctor visit platforms such as MDLIVE, American Well, Teladoc, and Doctor on Demand. Actually, it’s looking to outrank these virtual health platforms to become the Amazon of virtual health care. It already offers physician-reviewed health news and health/wellness app recommendations, as well as creates a snapshot of your health profile based on your HealthTap use. Last week HealthTap announced a new Prime service that gives subscribers unlimited access to live videoconferences with doctors for $99 a month, plus $10 for every additional family member. HealthTap Prime could be great for some patients, especially those suffering from chronic conditions. But is HealthTap Prime good for doctors?

Should You Become a HealthTap Virtual Doctor?

If you’re a physician licensed to practice in two or more states, HealthTap wants to recruit you. But it’s not clear whether they expect you to close your practice and go completely online with them. Photos on their website’s homepage show doctors skydiving and playing with their children, presumably because they’re now liberated from having to keep office hours.

Like most employers, HealthTap doesn’t advertise how much they pay, except that it depends on the number of patients you see and how well you rate.  But in order to enjoy that kind of lifestyle, HealthTap doctors must be compensated very well. Otherwise, you would need to spend many long hours consulting patients by video before you could begin to earn nearly as much as a typical doctor’s income.

Before you rush to enlist in HealthTap’s army, consider what the job entails. You’ll be doing more than just consulting with patients online. The job description on HealthTap’s website calls for doctors who are willing to:

  • Identify and engage licensed, board certified physicians to join the Prime network (read: recruit your fellow physicians for HealthTap)
  • Partner with the Community and Social teams to drive enthusiastic word-of-mouth advocacy among our Prime and Network Experts (read: do some marketing for HealthTap)
  • Act as a resource for new Prime physicians (read: training new hires)

So in addition to working as a consulting physician, you will also be responsible for marketing, recruiting, and training.

Given what HealthTap has to offer, why would any doctor sign up with them?

HealthTap Alternatives

You might be better off working with Doctor on Demand, which charges patients only $40 for a 15-minute consultation. You would get to keep $30 of that, which adds up to $120 per hour.

Even better, consider working with AskMD, an online consultation service of the ShareCare health and wellness social platform co-founded by Dr. Oz. AskMD provides you with an online presence that you control. And rather than replace your practice, AskMD improves it by giving you a way to “meet” your patients before they arrive at your door.

Vidyo Gets Another $20M Investment to Explore the Wild West of Video Conferencing

Vidyo, a VSee competitor, just raised another $20M to bring its total funding to $139M, well ahead of the typical $40M needed to reach IPO stage. With 300 employees and a monthly burn rate of probably ~$4M, Vidyo’s $20M fundraising at this stage of the game is rather unconventional – companies positioning for IPO normally raise huge rounds. It’s highly likely that Vidyo’s current revenue can cover its expenses, but it needs extra cash to explore new markets.

An expansion into new markets isn’t too surprising considering that video conference companies’ valuations have been poor cousins to those of Instant Messaging companies, e.g. Instagram and WhatsApp. It’s likely that Facebook’s acquisition of WhatsApp for $19B earlier this year has jolted Vidyo investors, pushing Vidyo to explore new markets. According to Vidyo CEO Ofer Shapiro, Vidyo has its sights set on more than the enterprise video conferencing space – it’s going after consumer markets, and it wants to go big.

This includes going after the booming healthcare space to bring video chats to hospital beds or patients in their homes as well as to the online banking space. But even beyond that, it means taking video conferencing into the “Internet of Things.” We’re not talking smartphones but everyday technology from wearable devices to gaming consoles to household appliances — with the end goal of putting Vidyo technology directly into the hands of consumers.

Vidyo has already gotten a head start on this with Google+ Hangouts video chat which used a Vidyo plugin until recently.  Even now with Google Hangouts moved onto the VP8 video codec and getting ever closer to a completely WebRTC implementation, the Vidyo and Google partnership continues with deals such as Vidyo’s work to add its scalable video codec (SVC) into VP9 (which will eventually be used by Hangouts and all WebRTC platforms) and the VidyoH2O video conferencing bridge for Google Hangouts.

VSee, on the other hand, has taken the strategy of focusing exclusively on healthcare and developing workflows to make healthcare customers happy. The question is: Will VSee’s strategy knock Vidyo out of the healthcare market? Is Vidyo spreading itself too thin to make you happy?

In any case, congratulations to Vidyo on another round of successful fundraising!

Google Helpouts Review – Google Hangouts for Health Providers

Video chat visits with your doctor are no longer a thing of the future. A growing number of telehealth platforms like MDLIVE, American Well, Teladoc, and Doctor on Demand are offering online video consultations with a doctor anytime. As a health provider wanting to get a start on telehealth in your own practice, you may be considering video options such as Vidyo, American Well, VSee, and more recently, Google Helpouts (think “Google Hangout HIPAA compliant”). We hope you find this Google Helpouts review helpful.

Google Helpouts is yet another new Google product experiment. Based on Google’s popular Hangouts video chat tool, Helpouts is a way for experts to offer their services via live video consultation. (You may want to check out this general Helpouts review.) Healthcare Helpouts, in particular, allows health providers to meet specific HIPAA regulations for connecting to consumers over real-time video. Whether you’re a nutritionist, a midwife, a speech therapist, or a physician, you can now provide your expertise online with Google Helpouts.

Unlike Skype and Google Hangouts, which have security issues, Healthcare Helpouts is a bit more conscious of HIPAA privacy concerns and requirements. Helpouts offers you a Business Associate Agreement (BAA) with Google, as well as email and text notifications cleaned of personal information. It also automatically records video chat sessions and sends the recording to both you and your patient for any required record-keeping (which you also have the option to disable).

Google Helpouts also fits well into a clinical workflow. It includes patient scheduling, provider calendar, email and text notifications, and online payment all in one package. Of course, all these features have to be enabled through a Google account, and require using Google’s Calendar and Wallet products. However, this may not be a big deal, since most of us are already part of the Google mafia in some way. The bigger problem you’ll face is whether this Google service will stick around.

You should also know that Helpouts comes with a few limitations. First, you’re out of luck if you need to do a group call – Helpouts is strictly for one-on-one video calls. Compare that to VSee OneClick, which allows you to add multiple users into a video call and also lets a user leave the video call at will.

It’s also good to know that while Google is willing to sign a HIPAA BAA with you, it does store and retain rights to access your data, including recorded video chat sessions. VSee video chat sessions, on the other hand, are just between you and your patient. VSee does not store or have access to any data passed during your video chat.

On the up side, probably the biggest draw of Helpouts for health providers at the moment is the pricing. While other Helpouts users are charged a 20% commission fee from each of their Helpouts sessions, healthcare providers currently get to use Helpouts for free. (Apparently it’s against the law to charge a percent commission from healthcare services.) But don’t be fooled. Google is out there to make some money, and it will either come up with a profitable pricing model or the Helpouts product may fold as with the failed Google Health portal and many other promising Google products.

In short, Helpouts could be a great way to test the video telehealth and telemedicine waters, but make sure to keep your other options open.  Helpouts is most definitely a work in progress, and it’s still very much up in the air whether it will survive the wilds of virtual care.