As more and more startups, such as Square and Uber, break into regulated industries, developers fearlessly take chances in the healthcare market. If this is you, you had better take some time to read the rules before coding. For healthcare, the rules are defined by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA regulates how patients’ information must be handled by healthcare professionals (covered entities) and their partners (business associates). As an example, the covered entity could be a health insurance company while the business associate could be a startup that uses Protected Health Information (PHI) in its mHealth app.

Developers Hate HIPAA

The rules defined in HIPAA may be subject to many interpretations, making them challenging to translate into technical specifications. Although the U.S. Department of Health & Human Services clarified HIPAA with the publication of the Omnibus Rule last year, developers are still left with unanswered questions. Last September, ACT | The App Association called on Congress to adopt a more sensible implementation of HIPAA:

[…] the Office of Civil Rights (OCR) should provide implementation standards […] For example, cloud storage is essential for success in the new mobile, always-on world. However, we lack clarity when it comes to data in the cloud […] lack of clarity prevents new, and beneficial technologies from helping patients.

HIPAA compliant data storage is a hot topic for every mHealth startup handling PHI. Companies like TrueVault or Catalyze have already published good resources on the subject, so I won’t expand on this point. In this article, I’ll answer the main question asked by developers building video-powered healthcare apps for telepsychiatry, teledermatology, online doctor consultation or other teleconsultation services. At SightCall, we talk with many developers who ask for advice regarding the use of video calling in their medical app. The most frequently asked question is: “How can I add HIPAA compliant video conferencing to my app?” If this is a question you have, read on to reach the light at the end of the tunnel.

Understanding HIPAA Compliance for Video Consultations

HIPAA is broken into several sections, the two main ones being the Privacy Rule and the Security Rule. While the former applies to PHI in all forms (paper, oral, electronic, etc.), the latter applies only to PHI in electronic form (E-PHI).

The Security Rule is the section that is most closely scrutinized by developers, as it sets security standards to protect any E-PHI created, received, maintained or transmitted by covered entities and business associates. Technical specifications such as authentication, unique user identification or encryption are discussed in the Security Rule. When it comes to video conferencing, the Security Rule has a straightforward answer:

“E-PHI does not include paper-to-paper faxes or video teleconferencing or messages left on voice mail, because the information being exchanged did not exist in electronic form before the transmission.”

Indeed, the Security Rule applies to electronic media, which as defined in HIPAA means (1) electronic storage media; or (2) transmission media used to exchange information already in electronic storage media. In other words, as long as your app does not record the consultation between the doctor and their patients, the video chat capability does not add requirements under the Security Rule.

Concerning the Privacy Rule, which controls when and how PHI can be disclosed, it really boils down to one question: “who is dealing with PHI?” If your app does not create, receive, maintain or transmit PHI, there is no need to worry about HIPAA in the first place. In the opposite scenario, PHI may be shared with a third party, as telehealth apps often rely on a partner to power the video calling feature. If this happens, the third party (“subcontractor” in HIPAA terminology) becomes a business associate as well. As a consequence, you must obtain satisfactory assurances that your video calling API provider meets the requirements of the Privacy Rule. These assurances cover a wide range of measures such as privacy policies, workforce training programs and data safeguards. Clearly, assessing these measures isn’t something startups want to spend their time on when choosing a provider.

The best way to reduce the burden of complying with the Privacy Rule is to choose a video conferencing service that does not require access to PHI. You may be wondering which patient health information is PHI and which information is not. The answer is simple: patient health information is considered PHI only if it can be linked to an individual who can be identified.

Taking the example of an online doctor visit app, you’ll want to make sure that both the doctor and the patient participating in the call are authenticated based on their user ID. This means you’ll need to choose a video conferencing service whose authentication mechanism accepts user IDs supplied by your app. You may be tempted to use e-mail addresses as user IDs; however, this means you’ll be sharing PHI with a subcontractor, as an e-mail address can be traced back to an individual’s identity.

So, how can you anonymously authenticate users to the video call?

The answer is to use opaque user IDs. Opaque IDs can be strings of random characters that are generated in your app and tied to a unique user; the mapping between an opaque ID and the real user stays inside your app. Your video chat API provider will use them to anonymously authenticate your users to its video cloud service. Bottom line: because the IDs cannot be linked to an individual without that mapping, you don’t need to worry whether your subcontractor stores user IDs in a HIPAA compliant manner.
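The following is an added example (not code from the original article or from any video provider) of the pattern just described: the app mints a random opaque ID per user, keeps the ID-to-user mapping to itself, and issues a join token to the video service that carries only the opaque ID. The token format, the `api_secret` and the `room` claim are assumptions standing in for whatever a real provider's API expects.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class OpaqueIdRegistry:
    """App-side table linking a user record (which may hold PHI, such as an
    e-mail address) to a random opaque ID. Only the opaque ID leaves the app."""

    def __init__(self):
        self._by_user = {}
        self._by_opaque = {}

    def opaque_id_for(self, user_key):
        """Return the user's stable opaque ID, minting one on first use. It is
        random, not a hash of the e-mail: a hash of a guessable value can still
        be linked back to the person by hashing candidate addresses."""
        oid = self._by_user.get(user_key)
        if oid is None:
            oid = secrets.token_urlsafe(24)  # 192 random bits, URL-safe
            self._by_user[user_key] = oid
            self._by_opaque[oid] = user_key
        return oid

    def resolve(self, opaque_id):
        """Map an opaque ID back to the app's user record (app side only)."""
        return self._by_opaque.get(opaque_id)


def build_session_token(api_secret, opaque_id, room, ttl=300, now=None):
    """Hypothetical provider-style join token: claims carry only the opaque ID,
    room and validity window, signed with HMAC-SHA256 under the API secret."""
    issued = int(time.time() if now is None else now)
    claims = {"sub": opaque_id, "room": room, "iat": issued, "exp": issued + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(api_secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_session_token(api_secret, token, now=None):
    """Provider-side check: signature valid and token unexpired; else None."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(api_secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    if claims["exp"] <= int(time.time() if now is None else now):
        return None
    return claims
```

A quick way to audit this boundary is to check that nothing sent to the provider (the token, the room name, any metadata) contains an e-mail address, a name or a medical record number.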

Making sure you are not sharing PHI with your video provider is really the most important point to consider, as it avoids extending the applicability of HIPAA to another party. That said, remember that all of the above applies to a scenario where conversations are not stored. If you’re looking to add video recording, you’ll need to implement the additional safeguards defined in the Security Rule. The same is true if screen sharing and file transfer (often complementary to video conferencing) are used to share PHI.

Also, keep in mind that the security measures required to be HIPAA compliant may not be sufficient to reach the level of privacy you aim for in your app. For instance, I highly recommend considering end-to-end encryption of the media in transit, even though it goes beyond the requirements defined in the Privacy and Security Rules. This safeguard will prevent discussions between patients and doctors from being snooped on. Note that encryption between each client and the provider’s servers is not end-to-end: a relay that decrypts the media in order to forward it can still see it.

Hopefully this article has clarified your understanding of how HIPAA applies to video conferencing, so you don’t pass on the opportunity to build the next $1 billion app! Indeed, the global telehealth market is estimated to reach $4.5 billion in 2018, growing tenfold from 2013. At the same time, six in ten doctors and patients claim not to be hesitant about using digital health technology. These numbers outline a steady base of users willing to adopt telemedicine!

Do you have other HIPAA related questions? Feel free to post a comment.