Educause Security Discussion mailing list archives
Re: HIPAA / HITECH Compliant Video Conferencing Solution
From: Anurag Shankar <ashankar () INDIANA EDU>
Date: Mon, 25 Apr 2016 07:55:12 -0600
Chris,

We looked into this last year. While I do not have a specific recommendation, here is what we found.

1. There is no such thing as HIPAA compliant video conferencing. An IT product by itself cannot be HIPAA compliant. Vendors who claim so are woefully ignorant of the HIPAA Security Rule. It is the covered entity (CE) who must make the product-mediated workflow compliant by managing risk appropriately.

2. The CE must do due diligence to ensure that the vendor can keep its PHI secure. This means having a HIPAA BAA with the video conferencing vendor if they have access to the data while in transit or at rest, e.g. if video, audio, and/or chats are being stored. This will always be the case unless you have your own, local instance untouched by the vendor.

3. There are cloud video conferencing vendors who claim they don't need to sign a BAA because (a) they never look at the data as it flows through their system, or (b) they encrypt data in transit. Neither is acceptable because (a) is claiming (incorrectly) the conduit exception, which applies only to an ISP, UPS, or USPS, and (b) is not enough, especially if the data is stored unencrypted at rest or, if encrypted, the encryption key is stored separately.

4. If you have a BAA with the vendor and if they have the requisite controls in place, you must supplement them with documented local controls to mitigate risk at your end, e.g. physically securing a remote session, etc.

Regards,
Anurag

----
Anurag Shankar, Email: ashankar [at] iu.edu, Phone: +1 (812) 856-6978
Center for Applied Cybersecurity Research, Pervasive Technology Institute, Indiana University
2719 E. 10th Street, Suite 231, Bloomington, IN 47408