Regulations and compliance are one of the most important factors when it comes to creating and implementing solutions for specific industries. Any retailer or organization collecting credit card information needs to meet Payment Card Industry (PCI) compliance, and healthcare organizations require Health Insurance Portability and Accountability Act (HIPAA) compliance for patient privacy.
A case from Oklahoma about a doctor whose patient died has recently gained a lot of attention – the focus is on the fact that this doctor-patient interaction happened online, via Skype, without ever meeting face-to-face in person. The case highlights several key points:
- Some states require informed consent for working in telehealth.
- Some states require in-person assessments before opting for telehealth services – making telehealth an appropriate means for follow-up care
- Telehealth equipment needs to be HIPAA compliant
The Oklahoma medical board deemed Skype not HIPAA-complaint. While the Oklahoma situation does not bring up video quality, encryption or server or network information, it does beg the question of how HIPAA compliance applies to WebRTC. Many refer to WebRTC as “Skype in the browser,” although it is very different from that. Yes, WebRTC is putting two-way, peer-to-peer, video and audio communication in the browser, but WebRTC is a technology, and Skype is a client -- a product.
WebRTC has the potential to impact many different areas, but three stand out above others: Education, or distance learning, customer service and healthcare. The promise of remote patient monitoring and eliminating the hassle of meeting with a doctor in person is what’s drawing WebRTC toward healthcare, or vice versa, but there are a lot of different components to consider, like compliance.
So, what would it take for a WebRTC solution to be HIPAA compliant? Here are a few things that need to be considered for those looking to enter the healthcare market with WebRTC.
First and foremost, if a website is HIPAA compliant, the compliance of WebRTC would be easy to assure with proper integration. Since WebRTC is already built in to browsers, it can allow companies that provide secure and HIPAA-compliant unified communications services to do so at a relatively low cost to a variety of endpoints.
A HIPAA-compliant hosting provider must have certain administrative, physical and technical safeguards in place, according to the U.S. Department of Health and Human Services, including:
- A Business Associate Agreement (BAA) must exist between the healthcare provider and the company responsible for the telemedicine technology
- The BAA must guarantee the HIPAA compliance of all measures for security practices and data encryption
- Providers must obtain informed patient consent prior to conducting online video appointments
Another question to ask related to WebRTC and telehealth is if insurance companies are even ready to evaluate WebRTC for compliance. This is just one area to consider that will help determine WebRTC’s role in healthcare environments moving forward.
There are a few players working with HIPAA compliance and WebRTC.
Net Medical Xpress provides the RTC Conference Switch—the fourth WebRTC product released from the company—so organizations using the system can take a standard website and directly add a video conferencing system, which can then be accessed and used via a standard Web browser. It's specifically designed to be compliant with HIPAA, and therefore uses audit controls, a proprietary permission software, and both public and private key encryption methods to help keep the conversations, and the content represented therein, sufficiently quiet.
Coalfire, a provider of risk assessments, testing and implementation of a managed information security solution, offers HIPAAcentral, a compliance exchange that provides a comprehensive suite of services for covered entities and business associates and their subcontractors to manage, maintain and exchange healthcare regulatory compliance data. A WebRTC developer or company could use HIPAAcentral when looking to meet compliance.
When it comes to telehealth, Skype may not be the answer, but maybe WebRTC is.
Edited by
Cassandra Tucker
