Providers are required to ensure the confidentiality, integrity, and availability of all e-PHI (protected health information in electronic form). PHI includes video, images, names, IP addresses, chat messages, and similar data.
There are several things to consider in order to ensure confidentiality when conducting video sessions.
Only those who have a need to know should have access to client data. There is normally no need for the conferencing vendor’s staff to have access to client data.
Video meetings should not allow unintended people to enter. A video meeting is simply a website address; if the meeting is not secured properly, anyone who goes to that URL will enter that client's meeting. Some clinicians use a "waiting room" for their video meetings, but waiting rooms often have vulnerabilities of their own. The way in which clients are given the meeting URL must also be considered, and the URL should only be provided through secure means.
The technology of both the client and the clinician can jeopardize confidentiality. Providers should ensure that clinicians' devices and networks are secure and that their clinicians are adequately trained. Clients should also be given information on how to securely attend a video session using the video technology selected by the provider.
The clinician's and client's physical environments can also jeopardize confidentiality. Providers ought to train their clinicians on how to create a private environment and should audit these sites. Clinicians should also assess the privacy of the client's location and assist clients in selecting and creating a private location for their sessions.
Behaviors such as falling for a phishing attempt, poor password management, or recording sessions can also create significant risks. Adequate training, policies, and monitoring help reduce these risks.
Availability of PHI comes into play when chat is used during a video session. If chat is used with a client, the chat transcript must be securely retained in the client's record. Video conferencing software often does not store this data for the provider, so the provider must configure the technology correctly and create procedures that reduce the risk of losing this data.
Providers are responsible for all PHI and for their clinicians' accounts. Therefore, providers should not allow their clinicians (workforce) to use their own personal video services. HIPAA also requires that providers obtain a HIPAA business associate agreement (BAA) from the video conferencing provider, and that they obtain satisfactory assurances that the vendor will appropriately safeguard all PHI. This requires vetting the vendor. A vendor like Zoom can be a good fit for healthcare providers wanting to hold video meetings with clients; however, several configurations and procedures must be implemented. We at the Telehealth Certification Institute LLC can help you with this compliance process.