VSee Video Conferencing and HIPAA

HIPAA and Health IT

HIPAA is a federal law that protects the privacy of your personal health information. At the same time it allows health care providers and certain related operations enough access to the information they need to do their jobs effectively. HIPAA includes several rules and provisions that set guidelines and requirements for the administration and enforcement of HIPAA. The relevant ones for the implementation of health information technology and the exchange of protected health information in an electronic environment are the Privacy Rule and the Security Rule, as well as the HITECH Act which further enforced the two in 2009.

*State laws may have more stringent requirements than federal law; however, in cases of conflict, federal law supersedes state law.

Highlights Of The Privacy Rule, The Security Rule, and the HITECH Act

  1. The Privacy Rule applies to protected health information (PHI) in any form, whether paper, oral, electronic, etc. While it requires covered entities to put in place "administrative, physical, and technical safeguards" for protecting PHI, it differs from the Security Rule in that it mainly "sets standards for how protected health information should be controlled by setting forth what uses and disclosures are authorized or required and what rights patients have with respect to their health information." (Page 8335 of the final Security Rule)

    Summary of Privacy Rule

  2. The Security Rule applies specifically to protected health information (PHI) in electronic form and builds on the Privacy Rule's requirement of "administrative, physical, and technical safeguards." Unlike the Privacy Rule, which is more concerned with patients' rights and how health information is used and released, the Security Rule sets standards for the security measures that should be taken to keep PHI private. In short, it requires "covered entities to implement basic safeguards to protect electronic protected health information from unauthorized access, alteration, deletion, and transmission." (Page 8335 of the final Security Rule)

    In particular, it calls for attention to

    • risk analysis and management
    • administrative, technical, and physical safeguards
    • organizational requirements
    • policies, procedures, and documentation requirements

    The Security Rule 101 Overview

    Security Rule Guidance Material

    The figure below gives you an idea of the security measures covered by the Security Rule. (From the paper "Reassessing Your Security Practices in a Health IT Environment: A Guide for Small Health Care Practices".)

    [Figure 1: security measures covered by the Security Rule]

  3. The HITECH Act essentially added teeth to the HIPAA Privacy and Security Rules by specifying levels of violations and the penalties for each. It also requires periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and with Breach Notification.

    HITECH modifications to privacy and security

Who Is Required To Comply With HIPAA?

Not all operations that handle health-related information must follow HIPAA law (for example, many schools, state agencies, law enforcement agencies, and municipal offices do not). Under HIPAA, the two groups that must follow HIPAA rules are

VSee does not fall under either group that the HIPAA laws apply to.

Is A Software Vendor Considered a Business Associate Under HIPAA?

Not necessarily. If a vendor does not have access to protected health information (PHI) when providing its services to a covered entity, then it is not considered a business associate. However, if a vendor does have access to protected health information, such as when it hosts the software containing patient information on its own server or accesses patient information when troubleshooting the software, then it is considered a business associate and must have a business associate agreement with the covered entity, as specified under the HIPAA Privacy Rule, 45 C.F.R. § 164.504(e).

VSee never has access to any information, health or otherwise, that you may observe, transmit, or receive by using VSee, and is therefore not considered a Business Associate under HIPAA rules.

U.S. Department of Health on Software Vendors

U.S. Department of Health on Health Information Organizations

How is HIPAA involved in your use of videoconferencing?

Videoconferencing may involve the electronic exchange of health information that is protected under HIPAA law. Security considerations for videoconferencing include making sure unauthorized third parties cannot record or "listen in" on a session, making sure recorded sessions are stored and identified in a secure and proper manner, and having a procedure for initiating and receiving video calls. Other video collaboration features that affect security include text chat, screen sharing, and file transfer.

Videoconferencing would only be one small piece to consider when establishing and maintaining HIPAA-compliant IT security standards as described by the Privacy Rule and the Security Rule.

How does VSee allow you to comply with the HIPAA Privacy and Security Rules?

VSee has several characteristics that make it easy to protect the confidentiality of protected health information:

  1. Peer-to-Peer sessions

    VSee uses a managed peer-to-peer architecture, where video (and other media) are streamed directly from endpoint to endpoint. Information is never stored on any VSee servers or intercepted by VSee in any way. The VSee management server is used only for address lookup, connection brokering, and system/user administration. This prevents information leakage between point A and point B.

  2. Encryption

    Encryption adds another layer of security to VSee. All VSee traffic is encrypted with FIPS 140-2 certified 256-bit Advanced Encryption Standard (AES). No servers, including VSee's, have access to the decryption keys. This keeps your videoconference absolutely confidential.

  3. Local File Storage (of non-streaming media)

    VSee allows users to record videoconferences and keeps a chat history, both of which could be regarded as electronic protected health information (e-PHI). These files are always stored on the user's computer and are never stored on VSee servers or accessible to VSee. Covered entities may securely save recorded conferences or chat histories to their own HIPAA-compliant electronic health record (EHR) system.

Is VSee HIPAA compliant?

VSee is neither a covered entity nor a business associate. Furthermore, we do not have access to any identifiable health information of a covered entity that may use our services. Therefore, we do not fall under HIPAA compliance rules. Our desire is to help your program or organization be HIPAA compliant. (Please see section "How does VSee allow you to comply with HIPAA")

Is VSee certified for use under HIPAA?

Certification of health technology is regulated under the HITECH Act by the Office of the National Coordinator for Health Information Technology (ONC) in collaboration with the National Institute of Standards and Technology (NIST). The HIPAA rules do "not assume the task of certifying software and off-the-shelf products" (p. 8352 of the Final Security Rule), nor do they set criteria for, or accredit, independent agencies that perform HIPAA certifications. In short, this means that the third-party HIPAA certification groups you may use are not regulated by any federal accreditation agency.

Currently HITECH only provides for the testing and certification of Electronic Health Records (EHR) programs and modules. The certification is generally used to qualify health operations for Medicare and Medicaid EHR Incentive Programs.

The permanent certification program fact sheet

Authorized EHR testing and certification bodies

VSee is not an EHR software or module.

Does VSee Offer A HIPAA Business Associate Contract?

No. VSee does not have any access to the identifiable health information of a covered entity that may use its services. Therefore, VSee is not considered a business associate under HIPAA rules and does not need to enter into a business associate agreement with a covered entity to be used. (See "Is a software vendor considered a business associate under HIPAA?")

Official Documentation For HIPAA

HIPAA - Health Insurance Portability and Accountability Act of 1996, Public Law 104-191. The complete suite of HIPAA Administrative Simplification Regulations can be found at 45 C.F.R. Part 160, Part 162, and Part 164.

The Privacy Rule - "Standards for Privacy of Individually Identifiable Health Information", found at 45 CFR Part 160 and Subparts A and E of Part 164.

The Security Rule - "Security Standards for the Protection of Electronic Protected Health Information", found at 45 CFR Part 160 and Subparts A and C of Part 164.

HITECH - Health Information Technology for Economic and Clinical Health Act

Other references

Nefsis Videoconferencing and HIPAA Summary