Is WebEx HIPAA compliant?

WebEx is a popular online meeting and web conferencing platform that allows companies and individuals to connect and discuss topics virtually, saving transport and possibly venue hire costs. But is it compliant with the Health Insurance Portability and Accountability Act, more often known as HIPAA?

How does WebEx work?

WebEx allows people to connect and collaborate virtually in a way that minimizes the inconveniences created by distance. WebEx and similar web-based tools help organizations to be truly global and help remote employees to contribute and assemble into cohesive teams.

Speed and convenience are two of the key strengths of WebEx, and these are certainly assets to organizations working in the health care industry. Through more fluid communications, regional operations can be more effectively planned and managed, education and training sessions can be held remotely, and a wider variety of experts can be brought in to transfer knowledge, as the hurdle normally caused by distance can be largely done away with. There is also the possibility that patients themselves could communicate with their health care providers through WebEx facilities.

Despite the enormous potential benefits of using WebEx, HIPAA-covered entities must exercise caution before adopting the platform into their regular procedures. As with any tool that can be used to transfer or store protected health information (PHI), WebEx must be vetted to ensure that it can meet strict HIPAA criteria and certain other elements must also be in place. Does WebEx include the necessary features and can it be used by HIPAA-covered entities to transfer PHI in accordance with HIPAA rules?

Security features

Cisco, the developer managing WebEx, included a raft of security measures in the system. These help to protect communications and information from being intercepted by unintended recipients. The connection between the WebEx application and the WebEx cloud server is compatible with different security protocols and uses high-grade protections. Media packets are also protected in transfer by strong security measures. Users may opt for end-to-end encryption to be used, meaning Cisco would not decrypt any of the media content.

HIPAA rules require that different aspects be recorded so that audits can be carried out. WebEx records media streams so that they can be referred to at a later date, either for a refresher of the content for the organization’s own normal purposes or for HIPAA audits. WebEx also stores this recorded data securely, with the further safeguard of saving audio, video and data streams in separate locations.

There are numerous options that platform administrators can choose to configure in order to ensure that their instance of WebEx conforms to different aspects of HIPAA. These include the potential for rate limiting on login attempts, the automatic deactivation of accounts after a defined period of inactivity, password policies, 2-factor authentication, and strict access controls.

Business Associate Agreement

As with other tools, even with the necessary technical aspects, a Business Associate Agreement (BAA) must be put in place between the HIPAA-covered entity and the service provider in order for the use of the tool or service with PHI to be compliant with HIPAA. Cisco will sign such an agreement.

WebEx can be used in compliance with HIPAA, but organizations must ensure that their settings are correctly configured and that a suitable BAA is in place.