Telehealth – BellMedEx (https://bellmedex.com)

Are Zoom, Skype, Facetime and others alike – HIPAA Compliant?
https://bellmedex.com/are-video-calling-platforms-hipaa-compliant/
Fri, 30 Aug 2024 19:58:24 +0000

Privacy matters to everyone, but for patients, it becomes their shield when they don’t wish to disclose the intimate details of their health conditions. Understandably, patients prefer and expect their healthcare providers to contact them, or only those individuals the patients themselves have authorized, through secure and regulated video conferencing platforms.

The truth is, no platform connected to the internet is 100% secure. There may be vulnerabilities that provide openings for hackers to sneak into your data.

However, the privacy standards of different video communication platforms like FaceTime, WhatsApp, and Zoom can be determined by the levels and layers of security they employ.

Some platforms are highly secured and safeguarded with multi-layered protection, while others may lack robust security.

Patients have a right to keep their health information private. As their physicians and healthcare providers, it is our duty to do everything in our power to protect that right. We must take all precautions to ensure we are contacting patients through platforms with the highest security standards and compliance with privacy laws like HIPAA. If we fail in this responsibility, we fail our patients and violate their trust at the most fundamental level.

Are popular video chatting apps safe for doctor-patient chats?

That’s the question on many medical professionals’ minds these days.

With telemedicine and social distancing measures in full effect, more physicians are turning to tech like FaceTime, Zoom and Skype to connect with their patients remotely.

But before firing up one of these apps for your next virtual visit, it’s important to consider whether they comply with privacy laws like HIPAA.

In this article, we’ll have an honest discussion on how certain well-known video calling platforms—FaceTime, Google Meet, WhatsApp, Zoom, Skype and Microsoft Teams—stack up under the scrutiny of health care regulations.

The fact is, some are better suited for sensitive doctor-patient communications than others. Does this mean that the technology is there, and we just have to use it responsibly? Let’s read!


FaceTime is not inherently HIPAA compliant due to Apple’s lack of a Business Associate Agreement with healthcare providers. However, with written patient consent, FaceTime can be used in a HIPAA-friendly manner to transmit protected health information, ensuring patient privacy.


Google Meet follows HIPAA guidelines and offers a Business Associate Agreement for healthcare providers, making it a secure platform for sharing protected health information. By signing the agreement and configuring privacy settings, doctors can confidently use Google Meet for telehealth services while safeguarding patient data.


WhatsApp is not HIPAA compliant and should not be used to share private health information without risking patient privacy. While doctors can obtain patient consent, WhatsApp remains unreliable for HIPAA-compliant data transmission, urging caution in its use for healthcare purposes.


Zoom is HIPAA compliant with necessary security measures in place, ensuring protected health information is transmitted securely. Healthcare providers can safely conduct remote appointments on Zoom by following proper configuration and sharing PHI only with authorized individuals, maintaining patient confidentiality.


Skype for Business offers HIPAA-compliant packages like E3 and E5, enabling secure transmission of protected health information. By activating access controls, securely saving messages, and implementing encryption, providers can use Skype as a convenient and safe communication platform for healthcare purposes.


Microsoft Teams, while not inherently HIPAA compliant, can be configured for HIPAA compliance with a Business Associate Agreement in place. By setting user permissions, enabling encryption, and providing staff training, healthcare organizations can use Teams effectively for secure communication and collaboration while protecting patient data as required by HIPAA regulations.

Using FaceTime for HIPAA Compliant Telehealth

At first glance, FaceTime may seem like a convenient way to visually consult with patients. However, without proper precautions, using FaceTime could potentially lead to violations of patients’ privacy rights.

The core issue is that Apple and FaceTime are not covered entities under HIPAA rules. Apple has not entered into a Business Associate Agreement (BAA) with healthcare providers, meaning they have no obligation to safeguard protected health information transmitted via FaceTime. This leaves patient privacy vulnerable.

While the encryption used by FaceTime offers some level of security, Apple still potentially collects information related to users’ health.

Details like weight, prior medical diagnosis and testing (e.g., diagnosis of an irregular heart rhythm), current and previous use of certain medications (e.g., blood thinning medications), certain family history (e.g., history of atrial fibrillation) and health habits (e.g., smoking) — the kind of personal data covered by HIPAA — could be gathered by Apple through in-app surveys and other means.

However, following HIPAA depends more on how people use technology, not how advanced the tech is. Apple says FaceTime calls are encrypted end-to-end so only the people talking can access them. Even so, you can only use FaceTime in a HIPAA-compliant way if you get written permission from patients before sharing their PHI.

Using Google Meet for HIPAA Compliant Telehealth

Google Meet is one of the best ways for doctors to talk to patients while following the rules of the Health and Human Services Department (HHS). Doctors can create, receive, and send protected health information (PHI) because Google Meet follows HIPAA.

To follow HIPAA, businesses that work with health groups need a business associate agreement. 

“Customers that are subject to HIPAA and want to utilize any Google Cloud products in connection with PHI must review and accept Google’s Business Associate Agreement (BAA)”, says Google.

They have further stated:

“Google ensures that the Google products covered under the BAA meet the requirements under HIPAA and align with our ISO/IEC 27001, 27017, and 27018 certifications and SOC 2 report.”

Because it’s easy to use and keeps health data private, Google Meet is great for doctors and patients to connect. People can use Meet on their phones or computers. Doctors can give HIPAA compliant telehealth services to patients.

Still, before talking, doctors need to sign a business associate agreement with Google Meet to ensure HIPAA compliance. The agreement outlines the responsibilities of health groups and businesses to protect patient data. So, doctors should read the whole agreement carefully before having a virtual treatment session with the patient.

Doctors should also turn ON features to keep communications private. Signing an agreement alone may not be enough for HIPAA compliance. For this, doctors should make Google Meet invites “private” to hide any protected health information, like a patient’s name.

The most important thing is training staff to use Google Meet according to HHS rules. For instance, staff should control video recording, which Google Meet saves to Google Drive by default. This can prevent accidental sharing of electronic protected health information.

Using WhatsApp for HIPAA Compliant Telehealth

WhatsApp, the popular messaging app used by nearly three billion people across the globe, isn’t compliant with the Health Insurance Portability and Accountability Act or HIPAA. For doctors and healthcare organizations, this means WhatsApp can’t be used to share patients’ private health information.

According to its terms of service, WhatsApp itself says:

“Don’t use WhatsApp for telemedicine or to send or request any health related information, if applicable regulations prohibit distribution of such information to systems that do not meet heightened requirements to handle health related information.”

WhatsApp also states:

“We make no representations or warranties that our Business Services meet the needs of entities regulated by laws and regulations with heightened confidentiality requirements for personal data, such as healthcare, financial, or legal services entities.”

While there are no ways for healthcare groups to make WhatsApp HIPAA compliant, there are exceptions. Doctors can get patient consent to share health information over WhatsApp. But even with consent, WhatsApp should not be relied upon as a HIPAA-compliant way to share private health details.

Doctors should warn patients that using WhatsApp to share health info could put their privacy at risk. If patients still want to use WhatsApp after being warned, doctors should document the request to protect themselves.

WhatsApp can be useful in healthcare to speed up work and improve patient satisfaction. But private health info should not be shared on WhatsApp. WhatsApp is owned by Meta, Facebook’s parent company, and health details on WhatsApp could also be accessed by Facebook for its own purposes, putting patients’ privacy in danger.

Using Zoom for HIPAA Compliant Telehealth

Zoom, a popular video conferencing service, announced in 2017 that they had created the first large-scale cloud-based telehealth service for healthcare providers. For doctors and nurses, Zoom has proven useful for speaking with patients since Zoom follows the rules of HIPAA.

As you may know, any service that shares private health information must follow the guidelines of the Department of Health and Human Services. This means Zoom has to sign a business associate agreement with healthcare groups before sharing patients’ private details. Thankfully, Zoom is always ready and willing to sign these agreements with healthcare providers and ensures they have all the necessary security controls to meet HIPAA’s requirements.

After signing with healthcare groups, Zoom enables the following security measures for accounts:

  • Cloud recording is turned off. 
  • Chat encryption is turned on.
  • Offline messages are only available after all parties start a coded key exchange.
  • The setting “Require Encryption for 3rd Party Endpoints (H323/SIP)” is turned on for all account members.
  • Text messages are encrypted.

Zoom has published a detailed PDF regarding its HIPAA compliance policies.

Now, even with Zoom’s HIPAA compliance, the onus is still on healthcare providers to use the platform properly. They need to be mindful of only sharing PHI with authorized individuals like patients. And they must configure Zoom’s settings correctly for each telehealth session. But overall, Zoom has taken the necessary steps to make their video platform HIPAA compliant. So doctors can safely conduct remote appointments without compromising their patients’ protected health information.

Using Skype for HIPAA Compliant Telehealth

When it comes to secure communication between healthcare providers and patients, Skype can be a good option for sharing protected health information (PHI) – but only if used properly.

The free version of Skype is not HIPAA compliant and cannot be used to transmit sensitive patient data.

However, Skype for Business offers packages that allow providers to utilize the platform in a HIPAA-compliant manner.  

Specifically, the E3 and E5 versions of Skype for Business enable features necessary for protecting PHI according to HHS guidelines.

➜ Providers must activate access controls on all devices, restricting Skype usage to only necessary members of the practice. This prevents unauthorized access to patient information.

➜ Messages within Skype must also be securely saved so that PHI access logs comply with HIPAA’s minimum necessary standard.

➜ Automatic log-off features should be turned on as well, to prevent someone from accessing Skype on an unattended device.

On a technical level, Skype uses 256-bit AES encryption to scramble communication data. This masks PHI, making it unreadable to anyone without the proper decryption key.

As a Microsoft product, Skype can enter into Business Associate Agreements with covered healthcare entities. But the onus is still on providers to properly configure Skype’s settings for HIPAA-compliant PHI transmission.

As long as the proper packages and protections are implemented, Skype provides a convenient and secure communication platform for providers and patients.

Using Microsoft Teams for HIPAA Compliant Telehealth

Microsoft Teams has become the go-to platform for communication and collaboration in many organizations, including healthcare. With its robust features for messaging, video meetings, and file sharing, it’s easy to see why. But for healthcare providers, there’s an important question that must be asked: Is Microsoft Teams HIPAA compliant?

The short answer is – it depends. Microsoft Teams itself is not inherently HIPAA compliant. However, it can be configured and used in a HIPAA compliant manner.

The key factors are:

  1. Having a Business Associate Agreement (BAA) in place with Microsoft, and
  2. How the platform is actually used by the organization.

Let’s break it down.

Microsoft offers a BAA for Teams as part of qualifying Office 365 plans. This essentially designates Microsoft as a HIPAA business associate, legally bound to protect any protected health information (PHI) stored or shared on Teams. But the healthcare organization itself must also implement proper safeguards in how they use Teams day-to-day.

Proper use cases are things like scheduling, general communication with staff, and non-PHI collaboration. Once you start transmitting actual patient data, then HIPAA compliance becomes mandatory. This means setting user permissions, enabling encryption, multi-factor authentication, automatic sign-out, and proper backup of any PHI stored on Teams. Proper training of staff on HIPAA-compliant use is also essential.

In summary, Microsoft Teams itself is HIPAA compliant only if the required BAA is in place and the platform is used appropriately for PHI data. By default it is not compliant. But with the right setup and training, Teams can certainly be an invaluable, secure communication tool for the modern healthcare workplace. The key is understanding how to configure and use it in a way that keeps sensitive data protected, as required by HIPAA.

What is the difference between a BAA and a Privacy Policy for Telehealth?

The difference between a BAA and a privacy policy for video calls is an important one for any healthcare organization to understand.

At its core, a BAA (business associate agreement) is a contract between a HIPAA covered entity like a hospital or doctor’s office and a business associate like a video conferencing provider. The BAA establishes what the business associate is allowed to do with any protected health information (PHI) they may come into contact with. It lays out their specific responsibilities around securing and safeguarding that data.

A privacy policy, on the other hand, is a public-facing document that informs users of the video conferencing platform about how their personal data will be collected, used, and protected. It speaks in broader strokes about the types of information gathered and the measures taken to keep it private.

While a BAA and a privacy policy have some overlap in setting expectations around data practices, the BAA is a legally binding agreement while the privacy policy is more of an informational notice.

The BAA provides recourse if the business associate mismanages PHI, with fines and potential termination of the contract on the table. The privacy policy does not carry that same weight – it is a policy, not a contract. Healthcare organizations should absolutely review a video conferencing provider’s privacy policy to understand their data handling at a high level. But that policy does not take the place of a detailed BAA that holds the vendor accountable as a true business associate under HIPAA.

For any healthcare organization selecting technology partners that may encounter PHI, having both a solid BAA and a transparent privacy policy in place provides overlapping levels of protection for patient health data.

Conclusion

| Platform | HIPAA Compliant? | Notes |
|---|---|---|
| FaceTime | No | Apple is not a covered entity; FaceTime can only be used if patients provide written consent before sharing PHI. |
| Google Meet | Yes, with a BAA | Easy to use and keeps health data private; doctors need to sign a BAA and configure privacy settings. |
| WhatsApp | No | Not designed for telemedicine; can only be used if patients provide explicit consent, but not recommended for sharing PHI. |
| Zoom | Yes, with a BAA | Offers a large-scale telehealth service for healthcare providers; doctors need to sign a BAA and configure settings correctly. |
| Skype | Yes, with E3 and E5 versions and a BAA | Free version is not HIPAA compliant; E3 and E5 versions offer HIPAA compliance with proper configuration and security measures. |
| Microsoft Teams | Yes, with a BAA and proper configuration | Not inherently HIPAA compliant; requires a BAA and proper setup for PHI data protection. |

Compliant Telehealth is easier than you think, but only with BellMedEx!

Telemedicine should be convenient for your practice, not a compliance headache. While most generic video chat tools leave your patients’ data at risk, BellMedEx’s HIPAA-ready EHR platform offers seamless telehealth integration that checks all the regulatory boxes. Experience straightforward virtual care capabilities that protect patient data end-to-end.

Telehealth POS 10 Code: Latest Update 2024
https://bellmedex.com/telehealth-pos-10-code-update/
Tue, 09 Jul 2024 19:28:56 +0000

When billing telehealth, understanding the POS code is essential to represent where the service was delivered. A POS code, in the context of telehealth, indicates the location where healthcare services are delivered using telecommunication technology.

Specifically, it applies to situations where the patient receives care at home (a private residence, not a hospital or facility) through a telehealth platform.

Important Tips for Telehealth Visits

➜ Real-Time with Audio & Visual: Telehealth visits must be conducted in real-time using both audio and visual communication channels.

➜ Proper Documentation: Thorough documentation is crucial for telehealth visits. Here’s a checklist:

  1. Mode: Indicate the mode used for the visit (e.g., video conferencing).
  2. Date & Duration: Document the date and duration of the telehealth visit.

➜ Complete Documentation: Maintain the same level of detailed notes as you would for an in-person visit.

Telehealth POS 10 Billing Code

What is the Telehealth POS 10 Billing Code

The POS 10 billing code is the place of service code used in billing and coding to indicate the location (home, a location other than a hospital or facility) where the healthcare service was delivered.

Let’s be more specific:

POS 10 represents telehealth, which indicates services delivered at home via telecommunication technology. It includes telemedicine visits, teletherapy sessions, remote patient monitoring, or any telehealth care provided at the patient’s home, where the patient and the provider are not physically present in the same location.

| Place of Service Code | Place of Service Name | Place of Service Description |
|---|---|---|
| 10 | Telehealth Provided in Patient’s Home | Telehealth provided in patient’s homes. Patient is located in their home (which is a location other than a hospital or other facility where the patient receives care in a private residence) when receiving health services or health related services through telecommunication technology. |

Place of Service (POS) 10 for Home Visits — Effective January 1, 2024

The place of service code represents the location where the telehealth services are performed, and each location is denoted by a specific code. POS 10 (service delivered at home) is one of the most commonly used codes on the CMS-1500 form.

Here’s what the new policy for Telehealth POS 10 code states:

🔷 INTRODUCTION

The Medicare administrators have decided that starting January 1, 2024, doctors will be permitted to bill for house calls over the telephone.

In the past, the rules for getting paid were different depending on where the doctor and patient were during a call. If the doctor was in his office and the patient was at home, the rates were lower.

Now the Medicare administrators have issued instruction number 12671 explaining that when a doctor calls a patient at home, it will be considered the same as an in-person house call for billing purposes.

🔷 NEW RULE

The old guidelines, outlined in the Medicare Internet Manual 100-04, had specified different payment levels based on where the doctor and patient were located during a call.

The new ruling clarifies that for calls where the patient is at home, doctors can bill at the full rate for an in-person house call visit. Many doctors had requested this change, saying it made no sense to pay less for a call just because the patient was at home.

Starting in 2024, a house call is a house call, whether done over the phone or in person.

🔷 POLICY OUTLINE

Effective Date: January 1, 2024

Implementation Date: July 8, 2024

Payment: Claims for these services using POS code 10, if payable by Medicare, will be reimbursed at the non-facility rate according to the Medicare Physician Fee Schedule.

Originating Site Facilities: POS code 10 does not apply to originating site facilities billing a facility fee.

🔊 Important Announcement: “CMS makes Telehealth POS 10 official”

CMS makes telehealth POS 10 official and lists it under covered telehealth services. After giving it much thought the authorities have finally decided to make a permanent policy change in the POS 10 status and have given instructions to pay the claims for covered POS 10 telehealth services.

Now, “covered” are the telehealth services that are on the CMS’ list of telehealth services. The effective date for making it official was 1st Jan, 2024.

The purpose of making it official is to notify Medicare Administrative Contractors (MACs) that covered telehealth services that use POS 10 and are payable by Medicare, must be paid at the Medicare Physician Fee Schedule non-facility rate.

Note: Non-facility rate is the reimbursement amount set by Medicare for services provided in non-facility settings. And the non-facility setting is a location that is not a part of the hospital such as provider offices, clinics, etc.

What are the different Telehealth Places of Service?

| Place of Service Code | Place of Service Name | Place of Service Description |
|---|---|---|
| 01 | Pharmacy | A facility or location where drugs and other medically related items and services are sold, dispensed, or otherwise provided directly to patients. (Effective October 1, 2003) (Revised, effective October 1, 2005) |
| 02 | Telehealth provided other than in patient’s home | The location where health services and health related services are provided or received, through telecommunication technology. Patients are not located in their home when receiving health services or health related services through telecommunication technology. (Effective January 1, 2017) (Description change effective January 1, 2022, and applicable for Medicare April 1, 2022.) |
| 03 | School | A facility whose primary purpose is education. (Effective January 1, 2003) |
| 04 | Homeless shelter | A facility or location whose primary purpose is to provide temporary housing to homeless individuals (e.g., emergency shelters, individual or family shelters). (Effective January 1, 2003) |
| 05 | Indian health service free-standing facility | A facility or location, owned and operated by the Indian Health Service, which provides diagnostic, therapeutic (surgical and non-surgical), and rehabilitation services to American Indians and Alaska Natives who do not require hospitalization. (Effective January 1, 2003) |
| 06 | Indian health service provider-based facility | A facility or location, owned and operated by the Indian Health Service, which provides diagnostic, therapeutic (surgical and non-surgical), and rehabilitation services rendered by, or under the supervision of, physicians to American Indians and Alaska Natives admitted as inpatients or outpatients. (Effective January 1, 2003) |
| 07 | Tribal 638 Free-standing Facility | A facility or location owned and operated by a federally recognized American Indian or Alaska Native tribe or tribal organization under a 638 agreement, which provides diagnostic, therapeutic (surgical and non-surgical), and rehabilitation services to tribal members who do not require hospitalization. (Effective January 1, 2003) |
| 08 | Tribal 638 Provider-based Facility | A facility or location owned and operated by a federally recognized American Indian or Alaska Native tribe or tribal organization under a 638 agreement, which provides diagnostic, therapeutic (surgical and non-surgical), and rehabilitation services to tribal members admitted as inpatients or outpatients. (Effective January 1, 2003) |
| 09 | Prison/ Correctional Facility | A prison, jail, reformatory, work farm, detention center, or any other similar facility maintained by either Federal, State or local authorities for the purpose of confinement or rehabilitation of adult or juvenile criminal offenders. (Effective July 1, 2006) |
| 10 | Telehealth Provided in Patient’s Home | The location where health services and health related services are provided or received, through telecommunication technology. Patient is located in their home (which is a location other than a hospital or other facility where the patient receives care in a private residence) when receiving health services or health related services through telecommunication technology. (This code is effective January 1, 2022, and available to Medicare April 1, 2022). |
| 11 | Office | Location, other than a hospital, skilled nursing facility (SNF), military treatment facility, community health center, State or local public health clinic, or intermediate care facility (ICF), where the health professional routinely provides health examinations, diagnosis, and treatment of illness or injury on an ambulatory basis. |