Icon Rounded Closed - BRIX Templates

HIPAA and VSee Video Conferencing

Check out VSee HIPAA Compliant
Telemedicine Solutions
VSee Product Solutions

HIPAA and VSee Video Conferencing

Is VSee video conferencing HIPAA compliant?

VSee video chat helps you to be HIPAA compliant in two ways:
  • It protects data privacy in that all audio/video communication is securely encrypted.
  • VSee offers the HIPAA-required Business Associate Agreement where VSee agrees to be responsible for keeping all patient information secure and to immediately report any breach of personal health information.

Wondering how HIPAA and BAAs fit in with Canada health privacy laws?

Check out this blog post summarizing the important differences.

What You Need To Know About HIPAA

HIPAA and Health IT

HIPAA is a federal law that protects the privacy of your personal health information. At the same time, it allows health care providers and certain related operations enough access to the information they need to do their jobs effectively. HIPAA includes several rules and provisions that set guidelines and requirements for the administration and enforcement of HIPAA.

The relevant ones for the implementation of health information technology and the exchange of protected health information in an electronic environment are the Privacy Rule and the Security Rule, as well as the HITECH Act which further enforced the two in 2009.

*State laws may have more stringent requirements than federal laws, however, in cases of conflict, federal
law supersedes state law.

Highlights Of The Privacy Rule, The Security Rule, and the HITECH Act

Who Is Required To Comply With HIPAA?

Not all operations that handle health-related information must follow HIPAA law (such as many schools, state agencies, law enforcement agencies, or municipal offices). Under HIPAA the 2 groups that must follow HIPAA rules are
VSee would be considered the business associate of a covered entity that uses VSee to communicate private health information with a client.

Is A Software Vendor Considered a Business Associate Under HIPAA?

It depends. If a vendor or subcontractor transmits, maintains, or has routine access to protected health information (PHI) when providing its services to a covered entity then it is considered a business associate. For example, a vendor that hosts the software containing patient information on its own server or accesses patient information when troubleshooting the software, then it is considered a business associate and must have a business associate agreement with the covered entity as specified under the HIPAA Privacy Rule 45 C.F.R. § 164.504(e).

The only exception under HITECH section 13408 is in the case of a data transmission organization that acts as a conduit, in that it only transports information but does not access it, such as the US Postal Service or its electronic equivalent — Internet Service Providers (ISPs), a telecommunication company, etc.

While these may have access to PHI, they only access PHI on a random or infrequent basis as necessary for the performance of the transportation service or as required by law: “[D]ata transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates” (p. 22)

While VSee never has access to any information, health or otherwise, that you may observe, transmit, or receive by using VSee, it is still considered a business associate because it is used to transmit private health information over the Internet. To be HIPAA-compliant, a covered entity using VSee for this purpose must have a Business Associate agreement with VSee.

U.S. Department of Health on Software Vendors

How is HIPAA involved in your use of video conferencing?

Videoconferencing may involve the electronic exchange of health information which is protected under HIPAA law. Security considerations with video conferencing may involve making sure unauthorized third parties cannot record or “listen in” on a video conferencing session, making sure recorded video conferencing sessions are stored and identified in a secure and proper manner, or having a procedure for initiating and receiving video calls. Other video collaboration features affecting security may include text chat, screen-sharing, and file transfer.

Videoconferencing would only be one small piece to consider when establishing and maintaining HIPAA-compliant IT security standards as described by the Privacy Rule and the Security Rule.

How does VSee allow you to comply with the HIPAA Privacy and Security Rules?

Encryption

Encryption adds another layer of security of VSee. All VSee traffic is encrypted with FIPS 140-2 compliant 256-bit Advanced Encryption Standard. This keeps your videoconference absolutely confidential.

Is VSee certified for use under HIPAA?

Certification of health technology is regulated under the HITECH Act by the Office of the National Coordinator for Health Information Technology (ONC)in collaboration with the National Institute of Standards and Technology (NIST). HIPAA rules do “not assume the task of certifying software and off-the-shelf products” (p. 8352 of the Final Security Rule) neither do they set criteria for or accredit independent agencies that do HIPAA certifications.

In short, this means that the third-party HIPAA certification groups you may use are not regulated by any federal accreditation agency.

Currently, HITECH only provides for the testing and certification of Electronic Health Records (EHR) programs
and modules. The certification is generally used to qualify health operations for Medicare and Medicaid EHR
Incentive Programs.

VSee is not an EHR software or module.

VSee’s covered HIPAA services.

Does VSee Offer A HIPAA Business Associate Contract?

VSee signs HIPAA Business Associate Agreements with our new Free Version VSee Clinic minimum purchase of a VSee Annual Waiting Room subscription (Pro subscription available for solo practitioners).

U.S. Department of Health on Business Associate Agreements

Does data have to be encrypted to be HIPAA compliant?

The Security Rule does not require encryption if an entity can prove it is not reasonable or appropriate to do so. However, it is a good idea to encrypt data whenever possible because in the case that there is a data breach, proper encryption exempts HIPAA-covered entities from the Breach Rule (section 13402 of the HITECH Act), which requires notification of PHI that has not been secured (i.e. encrypted) according to the security guidance publication (74 FR 19006 on April 27, 2009):

“While covered entities and business associates are not required to follow the guidance, the specified technologies and methodologies, if used, create the functional equivalent of a safe harbor, and thus, result in covered entities and business associates not being required to provide the notification otherwise required by section 13402 in the event of a breach.” (p. 19008)

Encryption processes that have been tested and meet the guidance standard:
See here for what data VSee store. All VSee traffic is encrypted with FIPS 140-2 compliant 256-bit Advanced Encryption Standard.

Official Documentation For HIPAA

HIPAA – Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, the complete suite of HIPAA Administrative Simplification Regulations can be found at 45 C.F.R.Part 160, Part 162, and Part 164

The Privacy Rule – “Standards for Privacy of Individually Identifiable Health Information” and is found at 45 CFR Part 160 and Subparts A and E of Part 164.

The Security Rule – “Security Standards for the Protection of Electronic Protected Health Information” and is found at 45 CFR Part 160 and Subparts A and C of Part 164.

Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules – 45 C.F.R. Parts 160 and 164

Other references

About VSee

Since 2008, VSee has been a leading company in the field of telemedicine. Doctors and hospitals rely on VSee for HIPAA-compliant video as well as several workflow solutions. VSee has designed and implemented telemedicine solutions for NASA, Walmart Clinics, Trinity Hospitals, and many more. Write to [email protected] to schedule your demonstration.