Privacy is the foundation of trust in healthcare, forming the bedrock of the patient-provider relationship. In the context of telehealth, where sensitive health information is exchanged digitally, maintaining privacy takes on an even greater significance.
The Health Insurance Portability and Accountability Act (HIPAA) was established to safeguard this trust by setting strict standards for the protection of Protected Health Information (PHI).
When healthcare providers use video calling platforms for virtual consultations, prioritizing the privacy of Protected Health Information (PHI) is essential. With the rapid rise of telehealth, video-calling platforms have gained significant traction, but an important question remains: are these platforms HIPAA compliant? This is a crucial consideration that healthcare providers must address before integrating them into their practices.
Examining HIPAA Compliance in Commonly Used Video Calling Platforms
Not every video calling platform is 100% secure—security breaches can and do happen. For healthcare providers, where the stakes are higher due to the sensitive nature of Protected Health Information (PHI), using platforms that meet HIPAA compliance standards is not just important; it’s a legal and ethical necessity.
HIPAA mandates rigorous safeguards to ensure the confidentiality, integrity, and security of PHI, but not all platforms are built to meet these stringent requirements. Let’s take a closer look at how popular platforms stack up when it comes to compliance.
1- FaceTime
Healthcare providers often consider using FaceTime for virtual consultations due to its widespread availability and user-friendly interface. However, it's crucial to assess whether FaceTime aligns with HIPAA requirements to ensure the protection of Protected Health Information (PHI).
Security Measures:
FaceTime employs end-to-end encryption, ensuring that only the communicating parties can access the content of the calls. Apple states that it does not store the content of FaceTime calls, enhancing privacy.
Business Associate Agreement (BAA):
A critical aspect of HIPAA compliance is the establishment of a Business Associate Agreement (BAA) between healthcare providers and service vendors that handle PHI. Apple does not offer BAAs for FaceTime, which poses a compliance challenge.
Considerations for Healthcare Providers:
Given that Apple does not sign BAAs for FaceTime, its use for transmitting PHI may not fully comply with HIPAA standards. Healthcare providers should carefully evaluate this risk and consider alternative platforms that are willing to enter into BAAs and offer comprehensive compliance features.
If a patient specifically requests communication via FaceTime, providers should obtain written consent acknowledging the associated risks and ensure that all available security measures are utilized.
2- Google Meet
Google Meet has become a popular choice among healthcare providers for virtual consultations, owing to its integration within the Google Workspace suite and user-friendly interface. However, ensuring that its use aligns with the Health Insurance Portability and Accountability Act (HIPAA) is essential to protect patient privacy and maintain compliance.
Security Measures:
Google Meet offers robust security features, including end-to-end encryption for data in transit and at rest, ensuring that communications remain confidential and protected from unauthorized access. Additionally, administrators can implement access controls to restrict meeting participation to authorized individuals only.
Business Associate Agreement (BAA):
For healthcare providers to use Google Meet in a HIPAA-compliant manner, it is imperative to sign a Business Associate Agreement (BAA) with Google. This agreement outlines the responsibilities of both parties in safeguarding Protected Health Information (PHI). Google offers BAAs to customers subscribed to specific Google Workspace plans, such as the Business and Enterprise editions.
Configuration and Administrative Controls:
Merely signing a BAA does not automatically render Google Meet HIPAA-compliant. Administrators must configure the platform appropriately to ensure compliance. This includes setting Google Meet as the default video conferencing tool to prevent the use of non-compliant services like Hangouts, managing meeting recordings securely by storing them in Google Drive with restricted access, and ensuring that meeting invitations do not contain PHI. Developing comprehensive policies and training staff on the proper use of Google Meet are also crucial steps.
Considerations for Healthcare Providers:
To effectively use Google Meet in compliance with HIPAA, healthcare providers should:
- Subscribe to an Appropriate Google Workspace Plan: Ensure enrollment in a plan that supports HIPAA compliance and offers the necessary administrative controls.
- Execute a BAA with Google: Formalize the agreement to delineate the responsibilities of both parties concerning PHI.
- Configure Security Settings: Implement administrative controls to restrict access, manage meeting recordings securely, and prevent unauthorized disclosures of PHI.
- Train Staff: Educate all users on the proper use of Google Meet in a manner that complies with HIPAA regulations.
3- WhatsApp
WhatsApp, owned by Meta (formerly Facebook), is a globally popular messaging platform known for its end-to-end encryption, facilitating secure text, voice, and video communications. However, when it comes to handling Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA), WhatsApp presents significant limitations.
According to its terms of service, WhatsApp itself says:
“Don’t use WhatsApp for telemedicine or to send or request any health related information, if applicable regulations prohibit distribution of such information to systems that do not meet heightened requirements to handle health related information.”
Official Stance on HIPAA Compliance:
As of now, WhatsApp has not released an official statement asserting that its platform is HIPAA-compliant. The company does not offer a Business Associate Agreement (BAA), a critical requirement for HIPAA compliance when handling PHI. Without a BAA, healthcare providers cannot consider WhatsApp a compliant platform for transmitting PHI.
Considerations for Healthcare Providers:
Given the absence of a BAA and the lack of official support for HIPAA compliance, healthcare providers should exercise caution when considering WhatsApp for professional use. While the platform's end-to-end encryption provides a level of security, it does not fulfill all the necessary requirements outlined by HIPAA. Providers are advised to seek alternative communication tools that are specifically designed to comply with HIPAA standards and are willing to enter into a BAA.
4- Zoom
Zoom has become a widely utilized platform in healthcare for virtual consultations, team meetings, and telehealth services. Ensuring that its use aligns with the Health Insurance Portability and Accountability Act (HIPAA) is essential for protecting patient privacy and maintaining compliance.
Security Measures:
Zoom offers robust security features to safeguard Protected Health Information (PHI). The platform employs end-to-end Advanced Encryption Standard (AES) 256-bit encryption for all communications, ensuring that data transmitted during meetings remains confidential and secure. Additionally, Zoom provides access and authentication controls, allowing administrators to manage user permissions effectively. Features such as waiting rooms, meeting passcodes, and the ability to lock meetings further enhance security by preventing unauthorized access.
Business Associate Agreement (BAA):
A critical component of HIPAA compliance is the establishment of a Business Associate Agreement (BAA) between healthcare providers and service vendors that handle PHI. Zoom is prepared to sign a BAA with healthcare organizations. To facilitate this, healthcare providers must subscribe to a paid Zoom plan, such as Pro, Business, or Enterprise, and request to execute a BAA through their Zoom account settings. The BAA outlines Zoom's commitment to safeguarding PHI and delineates the responsibilities of both parties in maintaining compliance.
Configuration and Administrative Controls:
Signing a BAA is a foundational step, but healthcare providers must also configure Zoom appropriately to ensure HIPAA compliance. This includes enabling security features such as waiting rooms to control participant access, requiring meeting passcodes, and managing screen sharing permissions to prevent unauthorized information sharing. It's also advisable to disable cloud recording unless absolutely necessary, and if used, ensure that recordings are stored securely with restricted access. Regular audits of meeting settings and user access can help maintain compliance and identify potential vulnerabilities.
Considerations for Healthcare Providers:
To effectively use Zoom in a HIPAA-compliant manner, healthcare providers should:
- Subscribe to an Appropriate Zoom Plan: Ensure enrollment in a paid plan that supports HIPAA compliance and offers the necessary administrative controls.
- Execute a BAA with Zoom: Formalize the agreement to delineate the responsibilities of both parties concerning PHI.
- Configure Security Settings: Implement administrative controls to restrict access, manage meeting settings securely, and prevent unauthorized disclosures of PHI.
- Train Staff: Educate all users on the proper use of Zoom in a manner that complies with HIPAA regulations.
By taking these steps, healthcare providers can leverage Zoom for telehealth services while maintaining compliance with HIPAA and safeguarding patient information.
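The configuration controls and "regular audits of meeting settings" described for Zoom above can be written down as a baseline and checked automatically, so that drift from the hardened state is caught rather than noticed by accident. The following is an added example, not Zoom's code or settings API: the setting names (`waiting_room`, `require_passcode`, `join_before_host`, `screen_share`, `cloud_recording`, `recording_requires_authentication`, `recording_auto_delete_days`) are hypothetical stand-ins for whatever an admin export or settings API actually returns, and the sample settings are constructed. It audits a settings dictionary against the baseline, treats cloud recording as the conditional case the text describes (off unless needed; if on, storage must be access-restricted), and returns a hardened copy.

```python
"""Policy-as-code audit of telehealth meeting settings against a HIPAA-oriented
baseline. Added example: setting names are hypothetical, not a vendor's real API."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: Any
    actual: Any
    severity: str
    fix: str


# Baseline drawn from the controls listed in the section above.
# Keys are constructed names, not Zoom's; map them to your platform's export.
BASELINE: dict[str, tuple[Any, str, str]] = {
    "waiting_room": (True, "high", "Enable the waiting room so the host admits each participant."),
    "require_passcode": (True, "high", "Require a passcode on every meeting."),
    "join_before_host": (False, "medium", "Disable join-before-host so no one enters an unattended room."),
    "screen_share": ("host_only", "medium", "Restrict screen sharing to the host."),
    "allow_lock_meeting": (True, "low", "Keep the lock-meeting control available to hosts."),
}


def audit_meeting_settings(settings: dict[str, Any]) -> list[Finding]:
    """Return one Finding per setting that deviates from the baseline.

    A key missing from the export is treated as unset, i.e. non-compliant,
    so an incomplete export never passes silently.
    """
    findings: list[Finding] = []
    for key, (expected, severity, fix) in BASELINE.items():
        actual = settings.get(key)
        if actual != expected:
            findings.append(Finding(key, expected, actual, severity, fix))

    # Cloud recording is conditional: acceptable only when access to the stored
    # recording is restricted and the recording does not live forever.
    if settings.get("cloud_recording", False):
        if not settings.get("recording_requires_authentication", False):
            findings.append(Finding(
                "recording_requires_authentication", True,
                settings.get("recording_requires_authentication"), "high",
                "Require authentication to view cloud recordings, or disable cloud recording."))
        if settings.get("recording_auto_delete_days") is None:
            findings.append(Finding(
                "recording_auto_delete_days", "<retention period in days>",
                None, "medium",
                "Set a retention period so recordings containing PHI are not kept indefinitely."))
    return findings


def is_compliant(settings: dict[str, Any]) -> bool:
    return not audit_meeting_settings(settings)


def harden(settings: dict[str, Any]) -> dict[str, Any]:
    """Return a copy with every baseline value enforced and cloud recording off.

    The original dict is left untouched so the audit trail can show before/after.
    """
    fixed = dict(settings)
    for key, (expected, _, _) in BASELINE.items():
        fixed[key] = expected
    fixed["cloud_recording"] = False
    return fixed


# Constructed sample: an account that still has permissive defaults.
WEAK_SETTINGS: dict[str, Any] = {
    "waiting_room": False,
    "require_passcode": False,
    "join_before_host": True,
    "screen_share": "all_participants",
    "allow_lock_meeting": True,
    "cloud_recording": True,
    "recording_requires_authentication": False,
}

if __name__ == "__main__":
    for f in audit_meeting_settings(WEAK_SETTINGS):
        print(f"[{f.severity}] {f.setting}: expected {f.expected!r}, found {f.actual!r}. {f.fix}")
    print("hardened copy compliant:", is_compliant(harden(WEAK_SETTINGS)))
```

Running the audit on a schedule (for example against a nightly export of account settings) turns the "regular audits" recommendation into a repeatable check whose output can be filed as compliance evidence; the severity field lets a small team fix high findings first.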
5- Microsoft Teams
Microsoft Teams has become an integral tool for healthcare providers, offering capabilities such as secure chat, video conferencing, and file sharing. Ensuring that its use aligns with the Health Insurance Portability and Accountability Act (HIPAA) is essential for protecting patient information and maintaining compliance.
Security Measures:
Microsoft Teams is built on the Microsoft 365 enterprise-grade cloud, delivering advanced security and compliance capabilities. The platform is Tier D-compliant, adhering to standards including HIPAA, ISO 27001, ISO 27018, SSAE16 SOC 1 and SOC 2, and EU Model Clauses.
Business Associate Agreement (BAA):
To support compliance with HIPAA, Microsoft enters into Business Associate Agreements with its covered entity and business associate customers. This agreement establishes the permitted and required uses and disclosures of Protected Health Information (PHI) by Microsoft as a business associate.
Configuration and Administrative Controls:
While Microsoft Teams offers robust security features, healthcare organizations must configure the platform appropriately to ensure HIPAA compliance. This includes implementing access controls, setting up data loss prevention policies, and ensuring that all communications involving PHI are conducted within the secure environment provided by Teams. Additionally, organizations should provide training to staff on the proper use of Teams in a manner that complies with HIPAA regulations.
Summary
ABOUT AUTHOR
Pedro Collins
As a blog writer with years of experience in the healthcare industry, I have got what it takes to write well-researched content that adds value for the audience. I am a curious individual by nature, driven by passion, and I translate that into my writings. I aspire to be among the leading content writers in the world.