A decade ago, YouTube was by far the best-known video platform, and it was used mostly for entertainment. Sharing videos within organizations was not commonplace; internal recordings were usually stored on physical drives. Over time, various online video platforms have emerged that let business users upload videos easily; the videos are then stored somewhere in the cloud, ready to be shared.
With businesses and various organizations going virtual after the COVID-19 pandemic, there has been an explosion in the amount of video data online. Healthcare organizations are no exception and might be looking for ways to store and share their videos online.
However, uploading internal videos is not as easy for a US healthcare organization as it is for the rest of us. You can't just upload a video containing patient data to a public platform like YouTube: the Health Insurance Portability and Accountability Act (HIPAA) does not allow protected health information to be handed to a service that is not contractually bound as a business associate, and consumer video sites do not offer that. There are other important considerations to account for as well.
We read a lot about how technology can help improve healthcare. But when we talk about implementation, one of the biggest challenges is looking for an IT system that provides cutting-edge technology and helps you remain compliant with data governance laws at the same time.
Therefore, it’s important for IT teams in healthcare organizations to evaluate a video platform to know whether it can help safeguard sensitive patient data. But what does such a HIPAA-compliant video platform offer? What features should you look for? This article discusses all of this and provides a checklist of features to look for.
What is the Health Insurance Portability and Accountability Act (HIPAA)?
HIPAA was enacted by the US Congress in 1996. The US Department of Health and Human Services (HHS) writes the rules that implement it, and its Office for Civil Rights enforces them. Among other things, the law and its rules protect electronic protected health information (ePHI) so that it is not disclosed to parties who have no need for it without the patient's authorization.
HIPAA applies to covered entities, meaning health care providers, health plans and health care clearinghouses that handle protected health information electronically. Since the HITECH Act and the Omnibus Rule it also applies directly to their business associates: vendors, including a video platform provider, that create, receive, maintain or transmit ePHI on a covered entity's behalf. Any video platform that will hold your ePHI must therefore sign a business associate agreement (BAA) with you before it receives a single file.
To reflect developments in technology, HIPAA has been amended several times. The most significant change was the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, whose provisions were written into the HIPAA rules by the 2013 Omnibus Rule.
The HIPAA regulations comprise five major rules:
- HIPAA Security Rule: This rule sets standards under three sets of safeguards: administrative, physical and technical. The administrative safeguards cover having the right policies, risk analysis and workforce training, and ensuring they are enforced. The physical safeguards cover physical access controls at the facilities and devices where ePHI is stored. The technical safeguards cover the IT systems themselves, and it is this part that a video platform checklist maps onto.
- HIPAA Privacy Rule: This rule details when protected health information can be used or disclosed, by whom and how, including the "minimum necessary" standard. It also sets the standards for obtaining patient authorization.
- HIPAA Breach Notification Rule: This rule lays down what covered entities and business associates must do after a breach of unsecured PHI: the risk assessment they must carry out, and the notifications they must issue to affected individuals, to HHS and, for large breaches, to the media.
- HIPAA Omnibus Rule: This 2013 amendment implemented the HITECH Act, updated definitions, and made business associates directly liable for complying with the Security Rule and the applicable parts of the Privacy Rule.
- HIPAA Enforcement Rule: This rule sets out how violations are investigated, the civil money penalties that can be imposed, and the hearing procedures that apply.
HIPAA Compliant Video Platform Checklist
When evaluating a video platform to ensure HIPAA compliance, it’s important to have certain features within the platform. These will help safeguard videos containing ePHI and will ensure that these videos are accessed by authorized individuals only.
The list has been compiled by referring to the complete HIPAA Compliance Checklist by the HIPAA Journal, and mapping it onto video platforms.
1. Implement a Means of Access Control
- This requires your organization to centrally manage user identities and access settings through a central Identity and Access Management (IAM) system such as Okta, OneLogin or Azure AD (now Microsoft Entra ID). Your video platform should integrate with such a system for Single Sign-On over SAML or OpenID Connect, so that users authenticate once, with the multi-factor authentication your IdP enforces, and the platform never stores its own passwords for them.
- The video platform should offer capabilities (SCIM) to keep users and groups automatically synced with your directory. This way if you remove a user or revoke access from your IAM system, the changes should automatically reflect in your video platform.
- The video platform should allow you to restrict access in terms of the actions that users can perform within the system. For instance, not every user should have admin rights to add and delete users. Not every user should be able to edit or make copies of video data.
- The video platform should allow you to define who can access a video and who can't. For instance, a doctor should be able to view videos only of patients they attended or have consent to view, and nothing else. The Security Rule's access control standard, 45 CFR 164.312(a)(1), requires technical policies and procedures that allow access to ePHI only to persons or software programs that have been granted access rights, and the Privacy Rule's minimum necessary standard (164.502(b)) requires that uses of PHI be limited to what the task needs. A role check alone ("is a clinician") does not satisfy this; access has to be scoped per patient or per video, and the platform should deny by default.
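To make the four access-control requirements above concrete, here is an added example (not code from the original article or from any vendor) of a deny-by-default authorization check in Go. It assumes a hypothetical, constructed data model: roles grant actions, each video is tagged with the patient it concerns, and a user may act on a patient's videos only if they are on that patient's care team or the patient has granted them consent. `Deprovision` is what the platform's SCIM endpoint should do when the IAM system marks a user inactive. All user, patient and video identifiers are made up.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model: a role grants actions; a video is tagged with the
// patient it concerns; a user may touch a patient's videos only if they are
// on that patient's care team or the patient has granted them consent.
type Action string

const (
	ActView       Action = "view"
	ActEdit       Action = "edit"
	ActManageUser Action = "manage_users"
)

// Admins manage accounts but get no ePHI access from the role alone.
var rolePermissions = map[string]map[Action]bool{
	"admin":  {ActManageUser: true},
	"editor": {ActView: true, ActEdit: true},
	"viewer": {ActView: true},
}

type User struct {
	Role   string
	Active bool // mirrors the SCIM "active" attribute
}

type Directory struct {
	users    map[string]*User
	videos   map[string]string          // videoID -> patientID
	careTeam map[string]map[string]bool // patientID -> users treating that patient
	consent  map[string]map[string]bool // patientID -> users the patient consented to
}

var ErrDenied = errors.New("access denied")

// Authorize is deny-by-default: the user must be active, the role must permit
// the action, and for video actions the user must also have a relationship to
// the patient (the minimum necessary principle, not just a role check).
func (d *Directory) Authorize(userID string, act Action, videoID string) error {
	u, ok := d.users[userID]
	if !ok || !u.Active {
		return fmt.Errorf("%w: unknown or deprovisioned user %q", ErrDenied, userID)
	}
	if !rolePermissions[u.Role][act] {
		return fmt.Errorf("%w: role %q may not %q", ErrDenied, u.Role, act)
	}
	if act == ActManageUser {
		return nil // not tied to a video
	}
	patient, ok := d.videos[videoID]
	if !ok {
		return fmt.Errorf("%w: no such video %q", ErrDenied, videoID)
	}
	if d.careTeam[patient][userID] || d.consent[patient][userID] {
		return nil
	}
	return fmt.Errorf("%w: %q has no treatment relationship or consent for patient %q", ErrDenied, userID, patient)
}

// Deprovision is what a SCIM update setting active=false (or a DELETE) should
// trigger inside the platform: the account and every grant go at once.
func (d *Directory) Deprovision(userID string) {
	if u, ok := d.users[userID]; ok {
		u.Active = false
	}
	for _, team := range d.careTeam {
		delete(team, userID)
	}
	for _, c := range d.consent {
		delete(c, userID)
	}
}

// SampleDirectory returns constructed sample data (made-up users and IDs).
func SampleDirectory() *Directory {
	return &Directory{
		users: map[string]*User{
			"dr-lee":   {Role: "editor", Active: true},
			"dr-ahmed": {Role: "viewer", Active: true},
			"it-admin": {Role: "admin", Active: true},
		},
		videos:   map[string]string{"vid-100": "pt-7", "vid-200": "pt-9"},
		careTeam: map[string]map[string]bool{"pt-7": {"dr-lee": true}},
		consent:  map[string]map[string]bool{"pt-9": {"dr-ahmed": true}},
	}
}

func main() {
	d := SampleDirectory()
	fmt.Println(d.Authorize("dr-lee", ActView, "vid-200")) // access denied: no relationship to pt-9
	d.Deprovision("dr-lee")
	fmt.Println(d.Authorize("dr-lee", ActView, "vid-100")) // access denied: deprovisioned
}
```

Two design points worth carrying into a real evaluation: the admin role deliberately has no `view` permission, so account administrators cannot browse patient video as a side effect of their job, and `Deprovision` removes the per-patient grants as well as flipping the flag, so a re-enabled account does not silently regain old access.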
2. Introduce a Mechanism to Authenticate ePHI
- The video platform should offer functionality to verify at any point that ePHI hasn't been altered and is the same as it was when uploaded. Clause 164.312(c)(2) reads "Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner." In practice this means a cryptographic digest or keyed checksum recorded at upload and rechecked before playback or export; the digest itself must be protected, since a plain hash stored next to the file can be rewritten by anyone who can rewrite the file.
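An added example (not the article's or any vendor's code) of the integrity mechanism described above, in Go: the video is streamed through SHA-256 at upload, the digest is bound to the object name with an HMAC under a platform-held key, and playback recomputes and compares. The key and the sample "video" bytes are constructed for the demonstration; in production the key would come from a KMS or HSM.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// Fingerprint streams the video through SHA-256 so a multi-gigabyte file is
// never held in memory; the same function runs at upload and at playback.
func Fingerprint(r io.Reader) ([]byte, error) {
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return nil, err
	}
	return h.Sum(nil), nil
}

// Seal binds the digest to the object name under a platform-held key. A bare
// digest stored beside the file is not enough: whoever can rewrite the video
// can usually rewrite the digest too, but not without this key. A zero byte
// separates the object name from the digest in the MAC input.
func Seal(key []byte, objectID string, digest []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(objectID))
	m.Write([]byte{0})
	m.Write(digest)
	return hex.EncodeToString(m.Sum(nil))
}

// Verify recomputes the digest from the stored bytes and compares the seal in
// constant time. It fails for a modified video, a modified seal, a seal moved
// to a different object, or a different key.
func Verify(key []byte, objectID string, r io.Reader, seal string) (bool, error) {
	d, err := Fingerprint(r)
	if err != nil {
		return false, err
	}
	return hmac.Equal([]byte(Seal(key, objectID, d)), []byte(seal)), nil
}

func main() {
	key := []byte("constructed-test-key-do-not-use") // demo only; production: KMS/HSM
	video := bytes.Repeat([]byte("constructed sample frame "), 4096)

	// At upload: record the seal with the object's metadata.
	d, _ := Fingerprint(bytes.NewReader(video))
	seal := Seal(key, "vid-100", d)

	// At playback: the intact file verifies, a one-bit change does not.
	ok, _ := Verify(key, "vid-100", bytes.NewReader(video), seal)
	fmt.Println("intact:", ok) // true
	video[1000] ^= 0x01
	ok, _ = Verify(key, "vid-100", bytes.NewReader(video), seal)
	fmt.Println("modified:", ok) // false
}
```

When evaluating a platform, ask where the equivalent of `Seal` runs and who holds its key: if the checksum is computed and stored by the same storage tier an attacker would compromise, it corroborates nothing.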
3. Implement Tools for Encryption and Decryption
- Clause 164.312(a)(2)(iv) requires "a mechanism to encrypt and decrypt electronic protected health information", and 164.312(e)(2)(ii) covers encryption of ePHI in transit. Both are "addressable" specifications, but there is no sound reason to skip them. Look for a platform that encrypts in transit with TLS and at rest with AES-256, preferably in an authenticated mode such as AES-GCM, implemented in a FIPS 140-2 or 140-3 validated module, with keys held in a KMS or HSM separate from the storage tier, rotated, and with every key use logged. Treat claims of "end-to-end encryption from upload to playback" with some skepticism: a platform that transcodes, generates thumbnails or transcribes video has to decrypt it server-side, so ask exactly where decryption happens and which staff or services can obtain the keys.
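The at-rest pattern a practitioner would expect behind that checklist item is envelope encryption. The following is an added example in Go (not the article's or any vendor's code) using the standard library's AES-256-GCM: each video gets its own random data key, the data key is wrapped under a key-encryption key (KEK), and the object ID is bound as associated data so a ciphertext cannot be moved to another object. The KEK bytes here are a constructed stand-in for a key that would live in a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedObject is what the platform stores for one video: the ciphertext
// with its nonce, plus the per-object data key wrapped under the KEK. The KEK
// itself would live in a KMS/HSM (a FIPS 140 validated module), not on disk.
type EncryptedObject struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
	DEKNonce   []byte
	WrappedDEK []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, []byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

// Encrypt generates a 256-bit data key for this object, encrypts the video with
// it, then wraps the data key under the KEK. Because each object has its own
// data key, rotating the KEK only means re-wrapping small keys, not
// re-encrypting terabytes of video.
func Encrypt(kek []byte, id string, video []byte) (*EncryptedObject, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dek, video, []byte(id))
	if err != nil {
		return nil, err
	}
	dn, wrapped, err := seal(kek, dek, []byte(id))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{ID: id, Nonce: nonce, Ciphertext: ct, DEKNonce: dn, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the data key and opens the video. Any change to ciphertext,
// nonce, wrapped key or object ID makes the GCM tag check fail.
func Decrypt(kek []byte, obj *EncryptedObject) ([]byte, error) {
	dek, err := open(kek, obj.DEKNonce, obj.WrappedDEK, []byte(obj.ID))
	if err != nil {
		return nil, errors.New("cannot unwrap data key")
	}
	pt, err := open(dek, obj.Nonce, obj.Ciphertext, []byte(obj.ID))
	if err != nil {
		return nil, errors.New("video failed authentication")
	}
	return pt, nil
}

func main() {
	kek := []byte("constructed-32-byte-kek-for-test") // demo only
	obj, _ := Encrypt(kek, "vid-100", []byte("constructed sample video bytes"))
	pt, err := Decrypt(kek, obj)
	fmt.Printf("%q %v\n", pt, err) // plaintext back, <nil>
	obj.Ciphertext[0] ^= 1
	_, err = Decrypt(kek, obj)
	fmt.Println(err) // video failed authentication
}
```

Note that GCM gives you integrity of the stored ciphertext for free, which is why the authenticated mode is worth insisting on; it does not replace the upload-time digest from the previous item, because that one has to survive a legitimate re-encryption under a rotated key.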
4. Introduce Activity Logs and Audit Controls
- Clause 164.312(b) requires mechanisms "that record and examine activity in information systems that contain or use electronic protected health information." The video platform should therefore generate a chronological record, per user and per video file, of who accessed a video, when, how (which client, from which address) and what they did (viewed, downloaded, edited, shared). The log should be tamper-evident so that a privileged user cannot quietly edit it, exportable to your SIEM, and retained for your documented retention period, since this is the record you will rely on during a breach investigation.
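An added example (not the article's or any vendor's code) of what "tamper-evident" means for such a log, in Go: each audit record carries the hash of the record before it, so editing or removing a record breaks every later link, and `Report` answers the "who accessed this video, when and how" question. The users, addresses and timestamps are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// AuditEvent is one record of who did what, to which video, when and how.
type AuditEvent struct {
	Seq      int
	At       time.Time
	Actor    string
	Action   string // login, view, download, edit, share ...
	VideoID  string // empty for events not tied to a video
	Via      string // how: client type and source address
	PrevHash string
	Hash     string
}

type AuditLog struct {
	events []AuditEvent
}

func hashEvent(e AuditEvent) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d|%s|%s|%s|%s|%s|%s", e.Seq, e.At.UTC().Format(time.RFC3339Nano),
		e.Actor, e.Action, e.VideoID, e.Via, e.PrevHash)
	return hex.EncodeToString(h.Sum(nil))
}

// Append links each record to the previous one. Editing or removing a record
// then breaks every later link, so the log is tamper-evident rather than a
// table that a privileged user can quietly UPDATE.
func (l *AuditLog) Append(at time.Time, actor, action, videoID, via string) {
	prev := ""
	if n := len(l.events); n > 0 {
		prev = l.events[n-1].Hash
	}
	e := AuditEvent{Seq: len(l.events), At: at, Actor: actor, Action: action,
		VideoID: videoID, Via: via, PrevHash: prev}
	e.Hash = hashEvent(e)
	l.events = append(l.events, e)
}

// Verify walks the chain and returns the index of the first bad record, or -1.
// Truncation at the tail is not detectable here; anchor the latest hash in a
// separate system (SIEM, WORM storage) on a schedule to catch that.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.events {
		if e.Seq != i || e.PrevHash != prev || hashEvent(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Report answers "who accessed this video, when and how", oldest first.
func (l *AuditLog) Report(videoID string) []AuditEvent {
	var out []AuditEvent
	for _, e := range l.events {
		if e.VideoID == videoID {
			out = append(out, e)
		}
	}
	return out
}

// SampleLog builds a constructed log (made-up users, addresses and times).
func SampleLog() *AuditLog {
	l := &AuditLog{}
	t0 := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC)
	l.Append(t0, "dr-lee", "login", "", "web 10.0.0.5")
	l.Append(t0.Add(1*time.Minute), "dr-lee", "view", "vid-100", "web 10.0.0.5")
	l.Append(t0.Add(2*time.Minute), "dr-ahmed", "view", "vid-200", "ios 10.0.0.9")
	l.Append(t0.Add(3*time.Minute), "dr-lee", "download", "vid-100", "web 10.0.0.5")
	return l
}

func main() {
	l := SampleLog()
	for _, e := range l.Report("vid-100") {
		fmt.Printf("%s %s %s via %s\n", e.At.Format(time.RFC3339), e.Actor, e.Action, e.Via)
	}
	fmt.Println("chain ok:", l.Verify() == -1) // true
	l.events[1].Actor = "someone-else"          // a "quiet" edit
	fmt.Println("first bad record:", l.Verify()) // 1
}
```

The chain only helps if the verification key material and the periodic anchor live somewhere the platform's own administrators cannot reach, which is a question to put to the vendor rather than something to assume.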
5. Facilitate Automatic Log-off
- Clause 164.312(a)(2)(iii) calls for "electronic procedures that terminate an electronic session after a predetermined time of inactivity." The video platform should allow you to set that period of inactivity, after which the user is logged out and the session is invalidated on the server, not merely hidden in the browser. This prevents unauthorized access to ePHI when a user leaves their workstation unattended. A sensible implementation also caps the absolute lifetime of a session, so one kept alive by a background poller still ends.
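An added example in Go (not the article's or any vendor's code) of the server-side half of automatic log-off: a session store that enforces both an idle timeout and an absolute lifetime, and forgets an expired session on the next request rather than waiting for a sweeper. The clock is injected so the policy can be exercised without sleeping; the session IDs and user names are constructed.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// SessionStore applies two limits: an idle timeout (the automatic logoff) and
// an absolute lifetime, so a session kept alive by a background poller still
// ends. The clock is injected so the policy can be tested without sleeping.
type SessionStore struct {
	mu       sync.Mutex
	idle     time.Duration
	absolute time.Duration
	now      func() time.Time
	sessions map[string]*session
}

type session struct {
	user       string
	createdAt  time.Time
	lastActive time.Time
}

func NewSessionStore(idle, absolute time.Duration, now func() time.Time) *SessionStore {
	return &SessionStore{idle: idle, absolute: absolute, now: now, sessions: map[string]*session{}}
}

func (s *SessionStore) Create(id, user string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	t := s.now()
	s.sessions[id] = &session{user: user, createdAt: t, lastActive: t}
}

// Touch runs on every authenticated request. A live session gets its idle
// window slid forward; an expired one is deleted on the spot, so the server
// forgets it even if the browser still holds the cookie.
func (s *SessionStore) Touch(id string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[id]
	if !ok {
		return "", false
	}
	t := s.now()
	if t.Sub(sess.lastActive) > s.idle || t.Sub(sess.createdAt) > s.absolute {
		delete(s.sessions, id)
		return "", false
	}
	sess.lastActive = t
	return sess.user, true
}

// Logout is the explicit counterpart; it also backs "sign out everywhere".
func (s *SessionStore) Logout(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, id)
}

func main() {
	now := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC) // fake clock
	st := NewSessionStore(15*time.Minute, 8*time.Hour, func() time.Time { return now })
	st.Create("s1", "dr-lee")
	now = now.Add(14 * time.Minute)
	_, ok := st.Touch("s1")
	fmt.Println("after 14 min idle:", ok) // true
	now = now.Add(16 * time.Minute)
	_, ok = st.Touch("s1")
	fmt.Println("after 16 min idle:", ok) // false, logged off
}
```

One decision to make explicitly: whether a player fetching media segments counts as activity. If it does, a video left playing on an unattended screen never idles out, so the stricter choice is to count only user interaction and have the client blank the player when the server reports the session gone.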
The above checklist is only for features within the video platform. You can check out VIDIZMO, which is one platform that offers all of these features.
It's equally important for your organization to have the physical and administrative safeguards in place as well. A HIPAA-compliant video platform is of little use if these aren't implemented and enforced.
For instance, if users can use each other's laptops or share accounts, a secure platform cannot tell who actually viewed a video, and the risk of a breach comes from the missing policy rather than the software. I recommend reading the HIPAA administrative and physical safeguards documentation.
Online video use is on the rise. Healthcare organizations too can benefit from emerging technologies in the field of online video as long as these platforms are HIPAA compliant. If you’re an IT buyer and are looking for a video platform for your organization, then do evaluate the platform on the 5 points mentioned above.