Educause Security Discussion mailing list archives

Re: HIPAA / HITECH Compliant Video Conferencing Solution


From: Anurag Shankar <ashankar () INDIANA EDU>
Date: Wed, 27 Apr 2016 15:56:30 -0600

Two comments on Carolann's post:

1.  A BA is someone who creates, receives, maintains, or TRANSMITS PHI for you.

2.  We take the conservative stand and believe that vendors are NOT exempt from being a BA even if data flows encrypted 
through their system and they do not see it.  This is because the guidance document from the OCR is fuzzy on this 
point.  In one place it says:

"The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, 
such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service 
providers (ISPs) providing mere data transmission services. ...."

This I think excludes video conferencing vendors.  Then in another place it says:

"... an entity that maintains [PHI] on behalf of a covered entity is a business associate and not a conduit, even if 
the entity does not actually view the [PHI]. We recognize that in both situations, the entity providing the service to 
the covered entity has the opportunity to access the [PHI]. However, the difference between the two situations is the 
transient versus persistent nature of that opportunity."

The first part appears to imply that you need a BAA even with a video conferencing vendor who does not view the PHI, 
but the second leaves a "transient nature" fuzziness which vendors who don't want to sign a BAA love.  I even asked a 
senior OCR person at a conference to clarify the video conferencing vendor issue specifically but, as you can imagine, 
she pointed me right back to the document.  That's government for you.

Some think that the safe thing is to assume that a video conferencing vendor MAY be able to get out of the BA clause 
but ONLY IF it absolutely cannot see the PHI. This is possible only if the vendor has no access to the decryption key.  
Merely having secure HTTP, which is what vendors usually mean when they say "encrypted in transit", is not enough 
because the data is decrypted on arrival on the server and totally visible to anyone who cares to look.

I know it's splitting hairs but we really can't take a chance.

Thoughts?

Anurag
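As an added illustration of the last paragraph's point, and not part of Anurag's post or any vendor's code: a constructed Python model in which the vendor's relay can read the PHI when it holds the transport key (the "secure HTTP" case) and sees only opaque bytes when the key lives solely at the two endpoints. The HMAC-based stream cipher is a stand-in for TLS/SRTP, not a production construction.

```python
"""Constructed model: transport-only vs end-to-end encryption through a vendor relay."""
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a toy stream cipher (illustration only).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # integrity tag
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class VendorRelay:
    """The conferencing vendor's server; `held_keys` are the keys the vendor possesses."""
    def __init__(self, held_keys):
        self.held_keys, self.observed = list(held_keys), []
    def forward(self, blob: bytes) -> bytes:
        # A curious vendor tries every key it holds; anything that decrypts is "visible".
        for k in self.held_keys:
            try:
                self.observed.append(decrypt(k, blob))
                break
            except ValueError:
                pass
        return blob

def transport_only(phi: bytes):
    """Client -TLS-> vendor -TLS-> clinician: the vendor terminates both legs."""
    k_in, k_out = os.urandom(32), os.urandom(32)       # vendor holds both TLS keys
    relay = VendorRelay([k_in])
    relay.forward(encrypt(k_in, phi))
    delivered = decrypt(k_out, encrypt(k_out, relay.observed[-1]))  # vendor re-encrypts
    return delivered, list(relay.observed)

def end_to_end(phi: bytes):
    """Session key exists only at the two endpoints; vendor holds just its transport key."""
    session, k_tls = os.urandom(32), os.urandom(32)
    relay = VendorRelay([k_tls])                         # no session key on the server
    blob = relay.forward(encrypt(session, phi))          # outer TLS layer omitted for brevity
    return decrypt(session, blob), list(relay.observed)
```

Run both functions on the same constructed record: the transport-only relay's `observed` list contains the plaintext PHI, while the end-to-end relay's list stays empty even though delivery still succeeds.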
