Covered the HIPAA bases? Don't forget about streaming media

March 12, 2015

You’ve considered all the risks posed by the new HIPAA guidelines, but did you include streaming media?

You’ve considered all the nuances of the new HIPAA guidelines when it comes to securing the reams of patient data residing on your computer networks, including installing firewalls and changing passwords frequently. But did you think twice when the doctors in your hospital signed up for an interactive web conference series to stay current with their medical specialties?

Streaming media and web conferencing sites might seem harmless, but watching or listening to streaming media may require downloading a special media player that may contain malware, according to the “HIPAA, Privacy & Security Training Module,” put out by the University of North Carolina at Chapel Hill.

Regardless of whether a patient data breach happens or not, all web conferences, webinars and any other technology used for online collaboration or conferencing are subject to HIPAA guidelines, as outlined in the law’s Privacy Rule, the Security Rule and the HITECH Act, which clarified and strengthened the first two rules in 2009.

Penalties vary: from up to $50,000 per incident, up to $1.5 million per incident per calendar year for violations that are not corrected. And in some cases, penalties under state laws might be more severe.

The ruling applies to vendors who are legally classified as business associates. As the Privacy Rule, 45 C.F.R. § 164.504(e), states: “If a vendor or subcontractor transmits, maintains, or has routine access to protected health information (PHI) when providing its services to a covered entity then it is considered a business associate.” So that applies to software vendors transmitting patient information, which might be discussed in an online doctors’ forum, a webinar series, or another online conferencing application.

To avoid heavy fines, look for a streaming media and conferencing vendor that is HIPAA-compliant. That vendor will understand all the nuances of the law, and have the latest encryption technology to secure your data.

Here are a few things to keep in mind when shopping for a vendor who adheres to all the HIPAA guidelines.

  • Data encryption: Make sure data used in web meetings and transmitted in a web conference or webinar is securely encrypted using state-of-the-art encryption techniques. This includes audio communication, video clips, presentations, Q&A, chats and surveys.

  • Access Controls: Only authorized users are allowed access to electronic protected health data; this includes transferring, removing, disposing and re-using electronic media and data. Access controls should include unique user IDs, an emergency access procedure, automatic logoff and encryption and decryption.

  • Daily audit reports: Tracking logs should be maintained to keep a continuous audit of activity on hardware and software. These reports can pinpoint the source of any security violations.

  • Integrity Controls: These are measures put in place to ensure that electronic protected health information has not been altered or destroyed.

  • Disaster Recovery: Comprehensive offsite backup and disaster recovery systems need to be in place to ensure that any electronic media errors or failures can be quickly remedied and patient health information can be recovered accurately and intact.

  • Network Security: A highly secure network is critical to protect against unauthorized public access to electronic protected health information, regardless of how it is transmitted.

Sabrina George is vice president of marketing at Onstream Media & Infinite Conferencing, divisions of Onstream Media Corp.