The Health Insurance Portability and Accountability Act, more commonly known by its abbreviation HIPAA, is a crucial piece of legislation that provides a federal floor and sets a high standard for patient data confidentiality.
HIPAA’s role is especially relevant with the increasing intertwinement of digital platforms and healthcare practices. While modern digital tools certainly bring increased convenience and efficiency in this field, they also pose numerous questions concerning the protection of private and sensitive patient data.
With that in mind, it’s essential to pose the question, are Google Meet, Microsoft Teams, and Skype HIPAA compliant? In this article, we will dig deeper and examine HIPAA compliance in the context of video conferencing platforms to provide you with definitive answers on this topic.
Contents
Is Google Meet HIPAA Compliant?
Is Microsoft Teams HIPAA Compliant?
Is Skype for Business HIPAA Compliant?
What Is the Best Free HIPAA Compliant Video Conferencing Platform?
HIPAA Compliant Authentication and MFA
A Quick Overview
Before we dissect different platforms through the lens of HIPAA, let’s quickly go over the key requirements of this federal law. HIPAA is centered around four equally essential core elements. These are:
- Privacy Rule — This aspect of HIPAA regulation establishes uniform standards for protecting patient health data. It precisely sets the rules on who can access individually identifiable information and under which conditions they can do so.
- Security Rule — This HIPAA stipulation requires organizations to execute technical, physical, and administrative safeguards that would guarantee the security of the protected information.
- Breach Notification Rule — If a breach of protected/personal health information occurs, entities are obliged to notify the Department of Health and Human Services, as well as the individuals affected by this breach.
- Enforcement Rule — This section of HIPAA regulation sets procedures for investigating and assessing non-compliance, as well as the penalties this non-compliance might incur.
Is Google Meet HIPAA Compliant?
The short answer is yes, Google Meet is HIPAA-compliant and is a popular choice among healthcare providers for communicating protected health information. However, before Google Meet can be used as a HIPAA-compliant platform, the healthcare entity should subscribe to a Google Workspace Business Plan or a Cloud Identity account.
Healthcare providers must also sign the Business Associate Addendum. Even then, Google Meet is not automatically HIPAA compliant: the organization’s admins still have to configure several settings to ensure compliance.
One of the key additional aspects that shouldn’t be overlooked is masking any personal health information by making all Google Meet invites private. It is also imperative to control access to the recordings of Google Meet videos and train healthcare workers to use Google Meet in compliance with HIPAA.
Google Meet HIPAA Compliant Cost:
This HIPAA-compliant video conferencing platform offers a four-tier subscription plan that can meet different users’ business needs. Additionally, every plan comes with a monthly and annual subscription option, with the latter offering more affordable rates. Here’s a breakdown of the Google Workspace pricing plans:
- Business Starter — $7.20 per user/month or $6 per user/month for an annual plan.
- Business Standard — $14.40 per user/month or $12 per user/month for an annual plan.
- Business Premium — $21.60 per user/month or $18 per user/month for an annual plan.
- Enterprise — Variable options depending on business needs and other factors.
Is Microsoft Teams HIPAA Compliant?
Yes, Microsoft Teams can be a HIPAA-compliant video platform, provided that the organization using it has an appropriate Microsoft Teams Business plan and that the platform is configured to meet all of the requirements that ensure HIPAA compliance.
First of all, one of the most important considerations to keep in mind is that you automatically accept Microsoft’s Business Associate Agreement when you subscribe to one of its business plans. This is why it’s essential to thoroughly go through the BAA terms before accepting in order to understand all of the stipulations.
It’s worth noting that Microsoft Teams might be unsuitable for some healthcare entities based on their size and the way they operate. This is because its business plan must include a license for every user.
Just like Google, Skype, or any other software, Microsoft Teams is not inherently compliant and needs to be configured properly. This includes checking the following configuration aspects:
- Access Control — One of the main issues to address when making Microsoft Teams HIPAA compliant is access control management. Out of the box, the platform does not enforce robust access management controls. Fortunately, Microsoft Teams does support granular permissions, which admins can use to determine the extent of every user’s access. With precise and careful configuration, it is possible to set proper access control in Microsoft Teams and make it HIPAA compliant.
- Data Encryption — Microsoft Teams uses TLS 1.2 encryption for data in transit. Moreover, it uses standard 256-bit AES encryption for data at rest. This means there’s not much to change on this front, as the platform is HIPAA-compliant in terms of encryption.
- Audit Logs — HIPAA requires regular periodic audits affirming that the entity employs the appropriate measures to maintain compliance with the HIPAA rules. So, when using Microsoft Teams, it’s essential to maintain audit logs. They offer a transparent overview that serves as useful evidence in case of any suspicious activity or data breach.
- Secure Authentication Methods — Lastly, the configuration process should pair up modern authentication methods like multi-factor authentication and single sign-on with Microsoft Teams. These security mechanisms provide an added layer of protection that ensures only those who should access the data can do so. Conveniently, Microsoft Teams supports both of these features, helping entities inch another step closer to HIPAA compliance.
Microsoft Teams HIPAA Compliant Cost:
Several Microsoft Teams plans can be configured to support HIPAA compliance. In this sense, Microsoft offers the most flexibility out of the platforms we analyzed.
Looking at the numbers, the Microsoft Business Basic plan is the most affordable one, priced at just $6 per user/month. The Business Standard plan includes more features at a higher price of $12.50 per user/month. Lastly, the Business Premium plan offers the most comprehensive solution with the most advanced options, with a price tag of $22 per user/month.
Is Skype for Business HIPAA Compliant?
With approximately 300 million users worldwide, Skype is one of the most popular communication apps for businesses and individuals in the world. So, is Skype HIPAA compliant? In a nutshell, yes, Skype is HIPAA-compliant, but only the business version.
Namely, you can make Skype for Business HIPAA compliant if you purchase the Enterprise E3 or E5 package and complete the necessary setup steps. These enterprise packages come with all of the needed solutions to ensure proper risk management, data protection, and compliance with regulatory requirements. Organizations are required to enter into a Business Associate Agreement with Microsoft before they can disclose personal health information via Skype.
To make Skype for Business HIPAA compliant, you would also have to enable the automatic log-off feature. On top of this, it’s crucial to ensure that Skype is carefully configured to meet all of the other HIPAA requirements.
This also includes an audit trail and adequate backup for all communications. In line with that, access controls must be precisely set in order to prevent any unauthorized disclosure of personal health information, including ensuring that no data leaves the organization without prior patient permission.
On another note, one aspect of Skype for Business is HIPAA compliant from the get-go. Because messages sent through Skype are already encrypted using AES 256-bit encryption with 2,048-bit keys, this criterion of HIPAA compliance is already met and doesn’t have to be adjusted or improved.
Skype for Business HIPAA Compliant Cost:
The E5 compliance package will cost you $12 per user/month. Considering this, HIPAA-compliant Skype for Business falls somewhere in the middle in terms of the video conferencing HIPAA-compliant apps we’ve outlined in this article.
What is the Best Free HIPAA Compliant Video Conferencing Platform?
For those on a budget looking to ensure HIPAA compliance, big platforms like Google Workspace, Microsoft Teams, and others are an excellent pick. These trusted options offer limited free services and free trials, so you can test them out and decide which platform best suits your requirements and budget.
Of course, it’s important to note that ensuring HIPAA compliance doesn’t stop with this, as there are other requirements that can bring forth additional costs and efforts. This includes employee training as well as performing periodic ongoing audits and monitoring to ensure all of the requirements are met.
HIPAA Compliant Authentication & MFA
If you want to protect your organization against security threats that may lead to data breaches, consider the Hideez Authentication Service. It's a flexible identity access management system that offers secure HIPAA-compliant logins for employees across all web services and workstations.
With the Hideez Service, employees can choose between several authentication methods and tailor them for their daily authentication scenarios. This includes setting up passkeys, physical security keys, or even a mobile app. This system enables convenient and secure log-on and log-offs for healthcare workers who need to constantly access and leave their workstations during their shifts.
Plus, with passwordless access to systems that store personal health information and the ability to generate OTPs as a second factor, Hideez makes daily authentication quick and convenient. More importantly, this form of authentication is secure and HIPAA compliant.
HIPAA’s Security Rule underlines the importance of strong authentication. And, while a HIPAA compliant video platform isn't required to have multi-factor authentication, it is something every entity should set up to ensure maximum data security. The Hideez Authentication Service can help healthcare entities achieve HIPAA compliance and add a robust security layer with seamless MFA.
If you want to ensure HIPAA compliance and set up passwordless authentication for your organization, try our 30-day trial today.
FAQ
What Does It Mean To Be HIPAA-Compliant?
Compliance with HIPAA requires entities that handle protected health information to implement and follow certain security and privacy procedures and practices. Note that HIPAA rules evolve and update with time, so healthcare entities should always keep track of the latest information.
What Video Platforms Are HIPAA-Compliant?
Google Meet, Microsoft Teams, and Skype for Business are some of the most reputable HIPAA-compliant video platforms. Naturally, all of these HIPAA-compliant virtual meeting platforms need to be configured to a certain extent in order to ensure HIPAA compliance, as they do not meet all of the required criteria out of the box.
Is There Any Free HIPAA-Compliant Scheduling Software Available?
While there are a few free HIPAA-compliant scheduling software options available, it’s better to stick with tried and tested premium options. Most HIPAA-compliant video call and scheduling platforms offer free trials and demo versions, enabling organizations to test out the software before committing to a subscription plan.