First, The Health Insurance Portability and Accountability Act (HIPAA) was established in 1996 to protect a person’s private health information and inaugurate a specific set of security standards around electronic health records and health plans.
Zoom is a video conferencing platform and web conferencing platform that helps businesses and individuals connect with coworkers, employers, patients, other providers, and clients remotely from any internet-connected device that has video access. Zoom isn’t the only software program that supports video communication however, in this article we will just be covering Zoom due to the high volume of users.
Many healthcare organizations use Zoom to primarily host online appointments for patients or to simply connect with other providers for web-based conferences and meetings. Any provider who uses a Zoom account must make it HIPAA compliant, meaning that the organization or provider will need to implement a set of specific security standards that will allow Zoom to comply with the necessary rules regarding HIPAA and HIPAA compliance.
The HIPAA Privacy Rule
When using Zoom, any healthcare providers, or medical professionals, covered entities, who share protected health information (PHI), including electronically protected health information (ePHI), or any other electronic health records that are created, stored, transmitted, or received in any electronic format or medium, under the HIPAA Privacy Rule, must establish a written contract between the covered entity and business associate – in this case, Zoom, for patient privacy. To outline the appropriate safeguards needed for the protection of ePHI and HIPAA compliance.
The written contract that must be obtained between a covered entity and a business associate for HIPAA compliance is called a business associate agreement BAA. The functionality of a BAA will encompass the specific expectations and security assurances required to protect sensitive patient data, specifically relating to the safeguards a business associate must set in place to prevent the use or disclosure of protected health information other than as provided for by the contract.
Does Zoom comply with these requirements?
Zoom has stated that they are willing to sign a BAA with any legitimate healthcare businesses that request it and has also taken specific measures to ensure its platform holds all of the required security requirements to comply with the HIPAA Security Rule.
Does Zoom meet all of the necessary measures set forth by the HIPAA Security and Privacy Rules?
In short, yes Zoom does meet all of the required measures regarding the HIPAA Security and Privacy Rules. These Rules require that any business associate who has access to ePHI must be able to provide three specific security measures to ensure compliance requirements.
1. End-to-end encryption.
- Data encryption is required so that any sensitive data is protected in both transit and in storage. Failing to comply with these security measures will result in a fine in the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
2. Appropriate Authentication Security Measures.
- Implementing the necessary steps to verify one’s identity when gaining access to ePHI is required to meet all requirements that fall under the HIPAA Security Rule. Zoom is well aware of this requirement and provides two types of authentication measures – OAuth 2.0, for verifying a user context: and JSON Web Tokens (JWT) for verifying server-to-server apps. JWT authentication is a common authentication method used for sending data to and from Zoom between the users and servers that are being used to transmit information.
- Security Controlled Access.
- Setting specific security controls that allow only required personnel to access sensitive information and records in an online environment falls under the HIPAA Security Rule. Access control measures are needed so that ePHI can remain safe from unwanted parties gaining unauthorized access.
Zoom takes online security seriously.
Security features Zoom has implemented into their video software program include deactivating Zoom Cloud Recording, enabling both encrypted messaging and chat, and using a cryptographic key exchange both parties must use to access patient information offline. Be aware that it is still possible for HIPAA Rules to be violated when using this platform, so individuals and business owners must be fully aware of the necessary steps needed to make Zoom HIPAA compliant. Always remember to never share ePHI with individuals who do not have access to the information, and as a covered entity, it is your responsibility to make sure Zoom is following HIPAA Rules on their end.
Understand HIPAA guidelines and avoid fines HHS.
While Zoom is a great platform to use for video web conferencing and ensures all the requirements for HIPAA, so long as you sign a BAA with them… be aware of the most up-to-date state and federal level laws surrounding HIPAA, before signing a BAA, do your research current compliance requirements to HIPAA/HITECH violation laws that may have recently been applied. If you do not have the staff to do your research, you can always hire a HIPAA/HITECH third-party consultant. Know that not one single policy, procedure, or product can ensure 100% compliance. So, make sure that everyone in your organization understands the laws and regulations surrounding HIPAA. To comply with HIPAA guidelines, you will need to read the full text of HIPAA (45 CFR Parts 160 and 164); the Department of Health and Human Services’ Office for Civil Rights has summarized this section into 50 pages.