The Health Insurance Portability and Accountability Act (HIPAA) sets privacy and security standards designed to protect the confidentiality, integrity and availability of patient health information. For video conferencing, this means the solution and its security architecture must encrypt meeting traffic (ideally end to end) and enforce meeting access controls, so that data in transit cannot be read or altered by anyone who intercepts it and only authorized participants can join.
In general, the HIPAA Security Rule (45 CFR § 164.306(a)) requires that a covered entity:
1. Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) it creates, receives, maintains, or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule.
4. Ensure compliance with the Security Rule by its workforce.
How does eZuce Vibe comply with HIPAA Standards?
We do not have access to identifiable health information, and we protect and encrypt all audio, video, and screen-sharing data when the encryption option described under Security and Encryption below is enabled.
The following demonstrates how eZuce supports HIPAA compliance based on the HIPAA Security Rule published in the Federal Register on February 20, 2003 (45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule).
Access Control
Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights.
- Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
- Emergency Access Procedure: Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
- Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
- Encryption and Decryption: Implement a mechanism to encrypt and decrypt ePHI.
eZuce Vibe's Support of the Standard
- Meeting data transmitted across the network is encrypted with AES under a key unique to each meeting, which is securely distributed to all participants.
- Multi-layered access control for community managers, provisioners, and members.
- Application access is protected by user ID and password.
- Meeting access is password protected.
- Public meetings are listed only to verified community members. Private meetings are not listed.
- eZuce Vibe runs on a redundant, geographically distributed architecture for high availability.
- eZuce Vibe stores no customer data other than user names, email addresses and encrypted passwords (and not even those if the customer uses its own third-party authentication).
- Meeting moderators can disconnect attendees or terminate sessions in progress.
- Meeting moderators can lock a meeting in progress while still allowing other community members to 'knock' to request entry.
- Meetings can be ended automatically by timeouts.
Audit Controls
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
- Meeting connections traverse eZuce Vibe's secure, distributed, software-defined real-time communications mesh.
- Meeting connections are logged continuously for audit and quality-of-service purposes.
- Account administrators have secured access to meeting management and statistics.
Integrity
Implement policies and procedures to protect ePHI from improper alteration or destruction.
- Patient-related information is not stored in eZuce's cloud.
- Integrity protection is applied at both the data layer and the service layer.
- Controls protect data in motion and the limited account data held at rest.
Mechanism to Authenticate ePHI: Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
- Application executables are digitally signed for all platforms, so a tampered binary can be detected before it is installed or run.
- Data transmission is protected with 256-bit AES encryption (and, as described under Information Transmission Security below, a message authentication code).
Person or Entity Authentication
Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
- Single sign-on against an organization's own authentication service is an option.
- Web and application access are protected by a verified email address and password.
- A meeting host must log in to eZuce Vibe with a unique email address and account password.
- Whether a desktop or an individual window may be shared is controlled by the Community Manager.
Information Transmission Security
Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.
Integrity Controls: Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection.
Encryption: Implement a mechanism to encrypt ePHI whenever deemed appropriate.
- End-to-end encryption combined with message authentication protects transmitted data against both passive attacks (eavesdropping) and active attacks (undetected modification or injection of traffic).
- Each transmitted message carries a 256-bit message authentication code, so any alteration in transit is detected and the data is rejected rather than decrypted.
- Meeting data transmitted across the network is encrypted with AES under a key unique to each meeting.
Security and Encryption
Only members invited by Community Managers and Provisioners can host eZuce Vibe meetings. Meeting moderators control attendance through meeting IDs and passwords. Each meeting has a single moderator unless the meeting owner deliberately adds another. The moderator can share their own screen or lock screen sharing for the meeting, and otherwise controls the meeting and its attendees: locking the meeting, removing attendees, muting and unmuting attendees, and so on.
eZuce Vibe offers an optional setting that enables industry-standard end-to-end Advanced Encryption Standard (AES) encryption with 256-bit keys for meetings. When enabled, this encryption meets the Security Rule's encryption specifications for protecting patient data in transit; because it is a setting, a covered entity must confirm it is turned on for its deployment. No meeting data is stored "at rest" in the infrastructure. By default, data "in motion" (voice, video and chat) is not sent as RTP but is encapsulated in a proprietary format to reduce overhead; note that a proprietary encapsulation is not encryption and should not be relied on for confidentiality. Where encryption is mandated by law, TLS and SRTP can be enabled to encrypt the transmitted data.
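As an added illustration of the transmission-security claims made on this page (AES-256 under a per-meeting key plus a 256-bit message authentication code, listed under Information Transmission Security and again in this section), the following Go program shows the encrypt-then-MAC construction those claims describe. It is example code written for this page, not eZuce Vibe's implementation or wire format: the key-derivation labels, the frame layout (IV, sequence number, ciphertext, tag), the meeting IDs and the sample frame are all assumptions chosen for the demonstration. It shows the two properties the page attributes to end-to-end protection, that a passive observer sees no plaintext and that an active attacker's modification is rejected before anything is decrypted, and additionally that a frame protected under one meeting's key cannot be opened with another meeting's key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// MeetingKeys holds the per-meeting secrets: a 256-bit AES key and a separate
// 256-bit MAC key. Both derive from one random meeting secret, so no two
// meetings ever share keys. (Hypothetical scheme for this example, not eZuce's.)
type MeetingKeys struct {
	EncKey []byte // 32 bytes: AES-256
	MacKey []byte // 32 bytes: HMAC-SHA-256, i.e. a 256-bit tag
}

// DeriveMeetingKeys derives independent encryption and MAC keys from a
// meeting secret of at least 256 bits, using HMAC-SHA-256 as a simple KDF
// with distinct labels and the meeting ID mixed in.
func DeriveMeetingKeys(meetingSecret []byte, meetingID string) (MeetingKeys, error) {
	if len(meetingSecret) < 32 {
		return MeetingKeys{}, errors.New("meeting secret must be at least 256 bits")
	}
	kdf := func(label string) []byte {
		m := hmac.New(sha256.New, meetingSecret)
		m.Write([]byte(label))
		m.Write([]byte(meetingID))
		return m.Sum(nil) // 32 bytes
	}
	return MeetingKeys{EncKey: kdf("vibe-example/enc"), MacKey: kdf("vibe-example/mac")}, nil
}

const hdrLen = aes.BlockSize + 4 // 16-byte IV + 4-byte sequence number
const tagLen = sha256.Size       // 32-byte (256-bit) MAC

// ProtectFrame encrypts one media frame with AES-256-CTR under a fresh random
// IV and appends a 256-bit HMAC-SHA-256 tag over IV || seq || ciphertext
// (encrypt-then-MAC). Wire layout: IV | seq | ciphertext | tag.
func ProtectFrame(k MeetingKeys, seq uint32, frame []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.EncKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, hdrLen, hdrLen+len(frame)+tagLen)
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	binary.BigEndian.PutUint32(out[aes.BlockSize:hdrLen], seq)
	ct := make([]byte, len(frame))
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(ct, frame)
	out = append(out, ct...)
	mac := hmac.New(sha256.New, k.MacKey)
	mac.Write(out)
	return mac.Sum(out), nil
}

// OpenFrame checks the tag in constant time and rejects any modified,
// truncated, or foreign-meeting frame before decrypting anything.
func OpenFrame(k MeetingKeys, msg []byte) (uint32, []byte, error) {
	if len(msg) < hdrLen+tagLen {
		return 0, nil, errors.New("frame too short")
	}
	body, tag := msg[:len(msg)-tagLen], msg[len(msg)-tagLen:]
	mac := hmac.New(sha256.New, k.MacKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return 0, nil, errors.New("authentication failed: frame modified or wrong meeting key")
	}
	block, err := aes.NewCipher(k.EncKey)
	if err != nil {
		return 0, nil, err
	}
	iv := body[:aes.BlockSize]
	seq := binary.BigEndian.Uint32(body[aes.BlockSize:hdrLen])
	pt := make([]byte, len(body)-hdrLen)
	cipher.NewCTR(block, iv).XORKeyStream(pt, body[hdrLen:])
	return seq, pt, nil
}

func main() {
	// Constructed sample input: a random meeting secret and a made-up audio frame.
	secret := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, secret); err != nil {
		panic(err)
	}
	keys, _ := DeriveMeetingKeys(secret, "meeting-1234")
	frame := []byte("audio frame: patient consult, not for eavesdroppers")
	msg, _ := ProtectFrame(keys, 7, frame)

	// Passive attacker: the wire bytes contain no plaintext.
	fmt.Println("plaintext visible on the wire:", bytes.Contains(msg, frame))

	// Active attacker: flipping one ciphertext bit is detected before decryption.
	tampered := append([]byte(nil), msg...)
	tampered[hdrLen+5] ^= 0x01
	_, _, err := OpenFrame(keys, tampered)
	fmt.Println("tampered frame accepted:", err == nil)

	// A different meeting's keys cannot open this frame.
	other, _ := DeriveMeetingKeys(secret, "meeting-5678")
	_, _, err = OpenFrame(other, msg)
	fmt.Println("other meeting can decrypt:", err == nil)

	// The legitimate receiver recovers the sequence number and the frame.
	seq, pt, err := OpenFrame(keys, msg)
	fmt.Println(seq, string(pt), err)
}
```

An AEAD mode such as AES-256-GCM gives the same confidentiality and integrity in one call and is the usual choice today; the separate HMAC here mirrors the page's own wording of AES encryption plus a 256-bit MAC. The sequence number is authenticated along with the ciphertext so a receiver can also reject replayed frames, which a MAC by itself does not prevent.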
Screen Sharing and Healthcare
Medical professionals and authorized healthcare partners can use eZuce Vibe to meet with patients and other healthcare professionals and to screen-share health records and other resources. eZuce Vibe does not distribute the underlying patient data: screen sharing transmits only an encrypted screen capture together with mouse and keyboard events, not the files or records themselves. The rendered image may still show PHI to everyone in the meeting, so the moderator controls described above (who may share, who may attend, and when sharing is locked) are what bound that disclosure.
eZuce Vibe further protects data confidentiality through a combination of encryption, strong access control, optional customer-supplied authentication, and other protection methods.