Are you a health care provider who is interested in offering telemedicine but not sure which apps are HIPAA compliant?
There is a great deal of confusing information out there about which videoconferencing apps are HIPAA compliant. I hope to shed some light on which apps to use, based on my extensive training in HIPAA Security & Privacy, Cybersecurity, and IT frameworks. The apps below are drawn from the list of apps suggested by OCR, the HHS Office for Civil Rights, which is the federal regulatory agency responsible for enforcing HIPAA privacy and security compliance.
Since the implementation of Stay at Home orders due to COVID-19, Zoom has risen in popularity. Zoom claims to be HIPAA compliant, but that claim only applies to the Zoom for Healthcare plan, which costs $200 per month. The free Zoom plan is NOT HIPAA compliant.
According to HIPAA Journal, you can still use Zoom provided that you get a Business Associate Agreement (BAA) signed with Zoom. You are, however, responsible for managing the security weaknesses Zoom is known for, and it is known for a lot of them. The most widely reported problem is Zoom-bombing, which Wikipedia defines as unfamiliar users showing up and hijacking a meeting by displaying obscene, lewd, racist, or antisemitic images. The New York Times reported a rise in Zoom-bombing, and The Washington Post reported recordings of private Zoom meetings turning up publicly on the open web.
Videos viewed by The Washington Post included one-on-one therapy sessions; a training orientation for workers doing telehealth calls that included people’s names and phone numbers; small-business meetings that included private company financial statements; and elementary school classes, in which children’s faces, voices and personal details were exposed.
Many of the videos include personally identifiable information and deeply intimate conversations, recorded in people’s homes. Other videos include nudity, such as one in which an aesthetician teaches students how to give a Brazilian wax.
There are articles that explain how to harden Zoom (for example, requiring a meeting passcode, enabling the waiting room, and locking the meeting once everyone has joined), but keep in mind that these settings reduce the risk of a meeting being hijacked; they do not eliminate it. Free Zoom also does not come with the security commitments you get when paying $200/month for the Healthcare plan.
In short, I would recommend that you do not use Zoom, and if you do use it, to make sure you have a signed BAA.
Webex offers free subscription plans. Webex is owned by Cisco Systems, a well-known network hardware and security vendor. HIPAA Journal states that Webex complies with the required HIPAA technical safeguards. Recently, Cisco increased the number of allowed participants from 50 to 100. Webex is HIPAA compliant.
Doxy.me claims to be HIPAA compliant. The free and paid Doxy.me plans are similar; the free plan offers standard video quality, while the paid plan adds high-definition video and the ability to dial in by phone without video. Because Doxy.me is so popular among healthcare providers, you risk poor video quality, especially during high-traffic times. To reduce that risk on your end, use a computer with a good video card, plenty of RAM (16 GB+), and a fast internet connection (100+ Mbps).
Apple FaceTime is only available to users of Apple devices. While Apple has done a great job of making FaceTime easy to use, FaceTime is not HIPAA compliant, and Apple states that it is not willing to sign a BAA. There is, however, an exception to the rule, the HIPAA conduit exception. HIPAA Journal states that Apple can be considered a HIPAA conduit, and that FaceTime can be used for telehealth without a BAA provided that no PHI is being transferred.
I have not found any official documentation of Apple FaceTime being classified as a HIPAA conduit. I recommend staying away from Apple FaceTime in general for telehealth purposes if you can.
OCR listed Facebook Messenger video chat among the non-public-facing apps it would allow under its COVID-19 enforcement discretion notice, but Facebook Messenger is not HIPAA compliant. According to HIPAA Journal, Facebook is willing to sign a BAA; however, Messenger does not meet the minimum audit controls required to protect ePHI. Both requirements, a signed BAA and the required technical safeguards, must be met before it could be considered HIPAA compliant.
Facebook Live should not be used under any circumstances: it is a public-facing app, and OCR does not allow public-facing apps to be used for telehealth.
According to HIPAA Journal, Skype may be compliant, but only under certain enterprise-type licenses: Skype is owned by Microsoft, and Microsoft states that its enterprise products can be used in a HIPAA-compliant manner. If you have the free edition of Skype, as many of us do, the answer is no: Skype Free is not HIPAA compliant.
Google Hangouts can meet the minimum technical requirements for HIPAA compliance, and Google is willing to sign a BAA if you have a G Suite edition. HIPAA Journal notes, however, that not all Hangouts features are covered: video chat, Voice over IP, and SMS are not HIPAA compliant and should not be used for PHI. Whether to use Google Hangouts is at your discretion, but keep in mind that the free consumer version comes with no BAA, so none of its features, chat included, should carry PHI.
As an alternative to the apps listed above, it is generally more secure to use a paid, purpose-built practice platform such as SimplePractice or Practice Fusion; many of them offer free trials to start.
To providers, which one do you think you will use? Post your questions and comment below.
Are you ready to set up your telemedicine private practice?
CryptaWeb can help!
We provide Web Development, Cybersecurity services, and IT Support.
Contact us for a free, no-obligation consultation.
*I am writing this blog independently, based solely on my own opinion and expertise. I did not receive any compensation from any company, nor do I have any association with the products suggested above.