Q&A: Complying with HIPAA regulations for video conferencing

July 11, 2019
Medicare Web

Q: If I provide telehealth services to patients using video conferencing, how can I make sure these video sessions are compliant with HIPAA’s Security Rule?

A: When you are evaluating video conferencing vendors, which is the best place to start, it is a good idea to do your up-front due diligence by requiring the vendors to complete a security questionnaire, share their SOC 2 Type 2 report, or share their HITRUST certification report. That way you gain an understanding of the level of security offered by vendors. You can also start by checking out the vendors’ websites and seeing what they have posted about HIPAA. You may be surprised by what you find. Even if a vendor claims to be HIPAA-compliant, ask for proof.

The second step to take when you’re negotiating the contract with the selected vendor or are in the process of subscribing to a service is to execute a business associate agreement (BAA). CEs have been penalized by OCR for not executing a BAA. Also, having one provides you with legal and contractual protection.

Vetting vendors is not a one-time activity. It is a good idea to periodically evaluate the continued compliance and level of security, especially of your critical vendors or vendors who store large amounts of PHI on your behalf. This needs to be a part of a sound vendor management program, and it is advisable to conduct evaluations on an annual basis. This can be done by sending critical vendors another security questionnaire to complete and return. It demonstrates you are exercising due diligence, and it alerts you to potential new risks.

Editor’s note: This question was answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Need expert advice? Email your questions for consideration in the Revenue Cycle Daily Advisor. Note: We do not guarantee that all questions will be answered.
