HIPAA And EnableX 

Introduction
What is HIPAA

HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. More information on HIPAA can be found here

It provides standards to protect the confidentiality, integrity, and availability of protected health information (PHI), including electronic protected health information (ePHI).  

HIPAA is divided into two separate rules that work in conjunction with each other to ensure maximum protection: the Security Rule and the Privacy Rule.

 

  • The Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. It requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
  • The Privacy Rule revolves around the individual and their rights to have control over the way their sensitive data is used. Aside from this, the data must remain confidential. This Rule sets national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically.

To comply with HIPAA, both the healthcare provider and the covered entity must satisfy its guidelines.

Roles and responsibilities of various entities in HIPAA

The HIPAA Rules apply to covered entities and business associates.  

Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. EnableX can sign HIPAA-compliant Business Associate Agreements in scenarios where PHI content or data are available on the EnableX platform.

HIPAA and EnableX platform

EnableX has been designed such that healthcare providers and other Covered Entities may use our services for video communication in a manner that is consistent with their HIPAA obligations. 

  • The platform does not need or store users’ PHI.
  • The media communication in a session happens over an encrypted channel:
      1. Secured tokens are used for session establishment.
      2. Random AES keys are generated by clients at the beginning of the media connection.
      3. Data Transmission and Encryption: Transport Layer Security (TLS) is used to encrypt both voice and video data. The core protocols used are SRTP for media traffic encryption and DTLS-SRTP for key negotiation, both of which are defined by the IETF. The endpoints use the AES cipher with 128-bit keys to encrypt audio and video, and HMAC-SHA1 to verify data integrity.
  • The session related audio, video and text are not stored on the platform.  
  • Any personal information that the user enters in the application is not shared with the platform 
  • If the recording feature is used, the platform API and portal give the application developer the flexibility to manage or delete the recorded file, or to associate specific rules for managing it. Furthermore, the application developer can choose to move the recorded file immediately after its creation over an encrypted channel and force delete the file from the EnableX server.
  • EnableX does not auto-create or store any copy of the session recording. Recording can be initiated only by the application, and the rights and permissions to initiate or manage the recording feature are managed at the application layer.
  • EnableX is hosted behind a protected firewall, and all components communicate over a private VLAN that is not exposed to the outside, to help protect against intrusion.
  • Edge filtering and advanced routing techniques help protect against Distributed Denial of Service (DDoS) attacks. 

How to build your HIPAA-compliant application using the EnableX platform?

The platform is used across a large number of industry verticals, such as healthcare and banking, which have stringent security requirements. To ensure that the applications hosted on EnableX are compliant, it provides different deployment models (private/public/hybrid/on-premise), provides APIs to query/delete any customer-specific data stored on the platform (i.e. session recordings), does not store any end customer data on its platform, and provides full control (read/modify/delete) over the application and the associated data passed via the application to the platform.

While the EnableX platform provides you with all the tools to have control over your application data, the application developer is responsible for ensuring that the final application is developed in compliance with HIPAA.

Below are our recommendations, which you should consider to ensure that your applications are built according to HIPAA requirements:

  • Keep your API key secure and safe.
  • When possible, use ad hoc rooms and create one token per participant.
  • Use an anonymous identifier to mask customer data for token generation – do not share customer information in the encrypted token with EnableX.
  • Delete recorded content after transfer to your application storage area.
  • Limit the maximum number of users who can join the session.
  • Have users join the room with the participant role, and allow only the moderator role to assign selected users the privilege to record the session.
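
One way to apply the anonymous-identifier and one-token-per-participant recommendations above, shown as an added example that is not EnableX code: the backend derives a keyed, per-room alias and refuses to build a token request that still contains customer data. The body keys `name`, `user_ref` and `role`, the sample record and the in-process key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: this secret never leaves your application backend. Load it from
# your secret store in practice; it is generated here only so the example runs.
PSEUDONYM_KEY = secrets.token_bytes(32)

# Constructed sample record; the field names are hypothetical.
SAMPLE_USER = {"id": "patient-8841", "full_name": "Jane Roe",
               "email": "jane.roe@example.org"}

def pseudonym(internal_id: str, room_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed per-room alias: stable for one user in one room, different in
    every other room, and not reversible without the key."""
    msg = room_id.encode() + b"\x00" + internal_id.encode()
    return "u-" + hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]

def assert_no_customer_data(body: dict, user: dict) -> None:
    """Fail closed if any value from the customer record appears in the body."""
    sent = " ".join(str(v) for v in body.values()).lower()
    for field, value in user.items():
        if value and str(value).lower() in sent:
            raise ValueError(f"customer field {field!r} would leave the application")

def build_token_request(user: dict, room_id: str, role: str = "participant",
                        key: bytes = PSEUDONYM_KEY) -> dict:
    """Body the backend sends when requesting one token for one participant.
    The keys 'name', 'user_ref' and 'role' are placeholders for this example."""
    if role not in ("participant", "moderator"):
        raise ValueError(f"unexpected role: {role!r}")
    alias = pseudonym(user["id"], room_id, key)
    body = {"name": alias, "user_ref": alias, "role": role}
    assert_no_customer_data(body, user)
    return body

if __name__ == "__main__":
    print(build_token_request(SAMPLE_USER, "room-A"))
```

The mapping from alias back to the real user stays in your own database, so recordings and session logs can be correlated on your side without the platform ever receiving the identity.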

This should not be considered as legal advice. We recommend you seek out specialist legal counsel to discuss your company’s specific situation.