HIPAA is the United States federal Health Insurance Portability and Accountability Act of 1996. The primary goals of the law are to make it easier for people to keep health insurance, to protect the confidentiality and security of healthcare information, and to help the healthcare industry control administrative costs in the United States.
The HIPAA Privacy Rule is composed of US national regulations for the use and disclosure of Protected Health Information (PHI) in healthcare treatment, payment and operations by covered entities.
When Is A Software Vendor Considered a Business Associate Under HIPAA?
If a vendor or subcontractor transmits, maintains, or has routine access to protected health information (PHI) when providing its services to a covered entity, it is considered a business associate. For example, a vendor that hosts the software containing patient information on its own server, or that accesses patient information when troubleshooting the software, is considered a business associate and must have a business associate agreement with the covered entity as specified under the HIPAA Privacy Rule, 45 C.F.R. § 164.504(e).
The only exception under HITECH section 13408 is the case of a data transmission organization that acts as a conduit, in that it only transports information but does not access it, such as the US Postal Service or its electronic equivalent — Internet Service Providers (ISPs), telecommunication companies, etc. While these may have access to PHI, they only access PHI on a random or infrequent basis as necessary for the performance of the transportation service or as required by law: “[D]ata transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates” (p. 22).
For VideoWhisper software, data sent by clients is communicated to the hosting server, not to the software provider. Security compliance requirements therefore refer to the site and hosting setup.
The exception under HITECH section 13408 may also apply to a remote streaming provider, as a telecommunication company that only transports the streaming data and does not access it.
Here are some considerations/ideas for building a HIPAA compliant video streaming / conferencing service:
Secure Streaming Data for Videoconferencing Applications
- Video streaming occurs between client applications and the streaming server (host), and access to the applications can be restricted based on authentication.
- Additionally, transfers can be protected and data encrypted in transit using RTMPE/RTMPS on a dedicated Wowza server.
- User streams to the server can be archived as video files on the RTMP server. Access to video archives and text chat logs needs to be restricted. If the folders containing these are publicly accessible, restriction can be applied with a .htaccess file (which can be generated with the cPanel folder protection feature).
These considerations also apply to VideoWhisper video streaming and conferencing applications.
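The folder protection mentioned above, written out as an added example (not VideoWhisper's or cPanel's own configuration): a .htaccess file placed in the directory that holds archived streams and text chat logs. It assumes Apache 2.4 syntax and a password file at the hypothetical path /home/example/.htpasswd, created beforehand with `htpasswd -c /home/example/.htpasswd reviewer`.

```apache
# Added example, not VideoWhisper's own configuration.
# Location: the folder containing archived recordings and chat logs.
# Assumes Apache 2.4 with mod_authn_file and mod_authz_core loaded,
# and a password file at the hypothetical path below.

# Never expose a directory listing of recordings, even to
# authenticated users: each file should be requested by name only.
Options -Indexes

# Every request into this folder must present a valid account from
# the password file (the same mechanism cPanel "folder protect" uses).
AuthType Basic
AuthName "Restricted recordings and chat logs"
AuthUserFile /home/example/.htpasswd
Require valid-user

# Defence in depth: make sure the password file and this .htaccess
# itself can never be downloaded through the web server.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

Because Basic authentication sends the credentials with every request, this only provides protection when the site is served over HTTPS, which the later section covers.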
- You need to host your WordPress site with a hosting provider that provides HIPAA compliance and will sign your HIPAA Business Associate Agreement. This means that HIPAA WordPress hosting with regular providers like GoDaddy is not possible right away.
- Using a dedicated server managed by your own administrators or a HIPAA hosting provider is best.
- If the server or site software is set up by a 3rd party provider, passwords need to be changed and your own staff needs to review the changes before using the site for sensitive data.
Setting Up VideoWhisper and 3rd Party HIPAA Hosting
- A regular VideoWhisper license removes all limitations and intrusive ads from the Flash application when it runs from the licensed domain. The license also includes one installation on compatible hosting (see requirements).
- VideoWhisper administrators can take care of server setup.
A complete service, with the full original setup and 6 months of administration/assistance, is available, as are installation services on their own.
After the original setup, the password can be changed or access can be restricted in other ways (by keys, IP) to protect the server during usage with real user data.
Server and Hosting Software Required
- A HIPAA dedicated server or VPS with CentOS 7 and root SSH access will be needed to configure the requirements.
HIPAA servers can be ordered from: AWS, RackSpace, LiquidWeb.
- As described in requirements, for HTML5/mobile support Wowza Streaming Engine is required.
Projects can start with a free Wowza SE trial license key during development.
- For the web hosting part, VideoWhisper recommends WHM/cPanel, usually available from the hosting provider (but it can also be ordered separately: https://cpanel.net/pricing/).
- Optional: WordPress can be easily set up and backed up automatically with Softaculous.
Secure HTTP (HTTPS)
- Get an SSL certificate and a dedicated IP address for your web site so that traffic to/from it is encrypted in transit.
- Ensure that your WordPress site cannot be accessed without SSL (.htaccess redirect).
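The .htaccess redirect referred to above, as an added example rather than configuration from VideoWhisper or WordPress. It goes at the top of the WordPress root .htaccess, before the block WordPress generates, and assumes mod_rewrite and mod_headers are enabled.

```apache
# Added example, not VideoWhisper's or WordPress's own configuration.
# Location: top of the WordPress root .htaccess, above the
# "# BEGIN WordPress" block. Assumes mod_rewrite and mod_headers.

RewriteEngine On

# Send every plain-HTTP request to the same URL over HTTPS.
# 301 makes browsers and search engines remember the redirect.
# The second condition is only needed when a proxy or load balancer
# terminates TLS in front of Apache; on a server that terminates TLS
# itself, remove it, because a client could send the header to skip
# the redirect.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# HSTS: once a browser has loaded the site over HTTPS it refuses plain
# HTTP for the next year, so a user cannot be downgraded even if they
# type http://. Sent only on HTTPS responses (env=HTTPS is set by
# mod_ssl). Add "; includeSubDomains" only if every subdomain is
# also served over HTTPS.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>
```

After applying it, confirm that both `http://` and a mixed-case path variant redirect, and that WordPress's Site Address setting also uses `https://`, otherwise WordPress itself will generate plain-HTTP links.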
Restrict Access to Electronic Protected Health Information (ePHI)
Electronic protected health information (ePHI) refers to any protected health information (PHI) that is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security regulations and is produced, saved, transferred or received in electronic form.
Protection depends on site setup, staff and operation procedures.
- Ensure that ePHI is never publicly available: users must log in to access that content.
- Ensure that users with access to ePHI are properly granted / revoked access by your HIPAA administrators.
Ex: It should not be possible for someone to sign up and get access without explicit review / approval.
- Ensure that users have access only to the ePHI they need and should have access to.
- Ensure that all WordPress logins are monitored and logged (e.g. with the User Login Log plugin).
- Keep your WordPress installation and all plugins up to date.
- Use plugins like “Duo Security” to add 2-factor authentication to your site.
- Ensure that WordPress automatically logs users off after a period of inactivity.
- Log access to ePHI, if possible. An easy way is to make sure web and RTMP access logs are enabled.
- Review your procedures and users periodically.
- Ensure that WordPress does not cache copies of ePHI pages insecurely on disk, especially if you are in a shared environment. WordPress content is normally stored in a database, but if it is cached insecurely on disk that weakens security and, in a shared environment, could give access to unauthorised persons. That is an extra reason to have your own dedicated server.
- Ensure that there are good backups of your site and its content. Most hosting providers offer automated site backups. These should also be downloaded periodically and stored on a different secure machine.
If you are restricting access to a specific set of users, consider locking down access to the site by IP address.
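One way to apply the IP lockdown above to the parts of WordPress that handle logins and administration, as an added example (not VideoWhisper's or WordPress's own configuration). It assumes Apache 2.4 and two constructed allowlist entries: an office range 203.0.113.0/24 and a single VPN exit address 198.51.100.7.

```apache
# Added example, not VideoWhisper's own configuration. Assumes Apache
# 2.4 (mod_authz_host) and the constructed addresses below; replace
# them with your own staff network and VPN addresses.

# --- site root .htaccess: lock the login page to the allowlist ---
<Files "wp-login.php">
    <RequireAny>
        Require ip 203.0.113.0/24
        Require ip 198.51.100.7
    </RequireAny>
</Files>

# --- wp-admin/.htaccess: same allowlist for the dashboard ---
<RequireAny>
    Require ip 203.0.113.0/24
    Require ip 198.51.100.7
</RequireAny>

# admin-ajax.php must stay reachable: WordPress itself and many
# plugins call it from the front end for every visitor, so blocking
# it would break features for the users who are allowed on the site.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Requests from outside the allowlist receive a 403 from Apache and never reach WordPress, so they also show up in the web access log described above as a simple signal of login attempts from unexpected networks.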