HIPAA

zoom

  • 1.  zoom

    Posted 09-21-2020 10:56 AM

    Anyone using Zoom for telehealth? Do you have a BAA? In their literature they claim it's not needed under the conduit exception and explain all the security measures in place. However, if you want a BAA they will gladly charge you lots of money for their Zoom for Healthcare version but it looks to me like the only security changes are on the user end, which you can do with the regular subscription plan and price.

    Thoughts?

     


    Michael Scudillo, OTR, CHC 
    Chief Compliance Officer/Privacy Officer


    15 Microlab Road
    Suite 101 • Livingston, New Jersey 07039

    P: 1-973-992-8181 X7108 • F: 1-973-992-9797 • C: 1-973-699-4964
    www.uirehab.com

    This email and any attachments may contain information that is confidential, proprietary and/or privileged. It is intended only for the use of the person(s) and entity(ies) to whom it is addressed. If you are the intended recipient, further disclosures are prohibited without proper authorization. If you are not the intended recipient, any disclosure, copying, printing or use of this information is strictly prohibited and possibly a violation of the health insurance portability and accountability act (HIPAA) and other federal and state laws and regulations. If you have received this information in error please contact Universal Institute at 973-992-8181 ext. 7018 or via email at michael.scudillo@uirehab.commichael.scudillo@uirehab.com> and delete the material from all computers. michael.scudillo@uirehab.com>
    19th Annual CEI Virtual Conference


  • 2.  RE: zoom

    Posted 09-21-2020 11:47 AM
    We do and we have a BAA we negotiated pre-Covid.

    ------------------------------
    Scott Intner
    Chief Compliance Officer
    GW Medical Faculty Associates
    Washington,DC
    ------------------------------

    19th Annual CEI Virtual Conference


  • 3.  RE: zoom

    Posted 09-21-2020 12:55 PM

    Same with us we have a BAA negotiated pre-COVID

     

    Thank you,

    Sharon Taylor, RN, MS, CIC, CPHRM, CHC, CHPC        

    Director Risk Management/ Accreditation Services

    Burgess Health Center

    1600 Diamond Street

    Onawa, IA 51040

    Tel: 712-423-9248

    Fax: 712-423-9322

    E-mail: staylor@burgesshc.org

    Website: www.burgesshc.org

     

     

    image017.jpg@01CD7F97.28704CD0

     

    Quality Care You Can Believe In

    Electronic Mail Confidentiality Notice:

    This electronic mail message and all attachments may contain confidential information belonging to the sender or the intended recipient. This information is intended ONLY for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution (electronic or otherwise), forwarding or taking any action in reliance on the contents of this information is strictly prohibited. If you have received this electronic transmission in error, please immediately notify the sender by telephone, facsimile, or email to arrange for the return of the electronic mail, attachments, or documents.

     

     




    19th Annual CEI Virtual Conference


  • 4.  RE: zoom

    Posted 09-21-2020 02:08 PM
    We also use Zoom, we have a contract with them and we have a BAA in place for them.

    ------------------------------
    Ann Dunham
    MBA, SPHR, CHC, CHRC
    Compliance Officer
    Hannibal Regional Healthcare System
    Hannibal, MO
    ------------------------------

    19th Annual CEI Virtual Conference


  • 5.  RE: zoom

    Posted 09-21-2020 02:22 PM

    Thanks for the replies....curious...if they claim HIPAA under the conduit exception, why the BAA?  Did you have to subscribe to the Zoom for Healthcare version to get a BAA?

     

    Thanks

     


    Michael Scudillo, OTR, CHC 
    Chief Compliance Officer/Privacy Officer


    15 Microlab Road
    Suite 101 • Livingston, New Jersey 07039

    P: 1-973-992-8181 X7108 • F: 1-973-992-9797 • C: 1-973-699-4964
    www.uirehab.com

    This email and any attachments may contain information that is confidential, proprietary and/or privileged. It is intended only for the use of the person(s) and entity(ies) to whom it is addressed. If you are the intended recipient, further disclosures are prohibited without proper authorization. If you are not the intended recipient, any disclosure, copying, printing or use of this information is strictly prohibited and possibly a violation of the health insurance portability and accountability act (HIPAA) and other federal and state laws and regulations. If you have received this information in error please contact Universal Institute at 973-992-8181 ext. 7018 or via email at michael.scudillo@uirehab.commichael.scudillo@uirehab.com> and delete the material from all computers. michael.scudillo@uirehab.com>



    19th Annual CEI Virtual Conference


  • 6.  RE: zoom

    Posted 09-21-2020 02:28 PM
    I was not involved in the request for the BAA but we do subscribe/contract with the Zoom for Healthcare version.

    ------------------------------
    Ann Dunham
    MBA, SPHR, CHC, CHRC
    Compliance Officer
    Hannibal Regional Healthcare System
    Hannibal, MO
    ------------------------------

    19th Annual CEI Virtual Conference


  • 7.  RE: zoom

    Posted 09-21-2020 02:35 PM
    We use zoom and have a BAA. During the public health emergency you can use zoom to do telemedicine without the BAA in place similar to HHS allowing you to use facetime, skype, etc. right now, but outside of the public health emergency, you would have to have a BAA with any vendor that stores, maintains, or transmits PHI as assurance of thier compliance with the HIPAA privacy and security regulations.  See below directly from HHS, but if you can ensure HIPAA compliance, I think it is worth it to do so.

    "Under this Notice, however, OCR will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency. "

    ------------------------------
    Savannah Knuettel
    Compliance Officer
    Galen Medical Group
    Hixson,TN

    The views expressed herein are my own and do not represent those of my employer or clients. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------

    19th Annual CEI Virtual Conference


  • 8.  RE: zoom

    Posted 09-21-2020 04:53 PM

    I believe Zoom started signing BAA's in 2015 (under the healthcare platform) because the OCR stated an opinion that these type of audio-video platforms for telehealth were not just "conduits".  Zoom without the BAA would therefore not be HIPAA compliant.

     

     




    19th Annual CEI Virtual Conference


  • 9.  RE: zoom

    Posted 09-22-2020 04:39 PM
    We use Zoom through the healthcare platform and have a BAA.  Negotiated pre-COVID as well.  I think your individual use matters when determining if the service is just a "mere conduit."  For instance, if you use Zoom in a manner that allows recording, the recording is stored in a cloud service maintained by Zoom.  So you could at least make an argument your use was a conduit for the livestreamed portion, but I don't think you could make that same argument if you record.

    Maybe of interest, when I negotiated with Zoom I specifically asked about whether or not Zoom could see information of users on the transmission.  I was told on regular Zoom, Zoom is able to see the email address and potentially other information about each user.  That may also need to be part of your conduit analysis-- how that info is collected and used.

    ------------------------------
    Lindsay Daniel
    Associate Counsel and HIPAA Compliance Officer
    East Tennessee State University
    Johnson City,TN
    ------------------------------

    19th Annual CEI Virtual Conference


  • 10.  RE: zoom

    Posted 09-22-2020 06:05 AM
    We evaluated Zoom for healthcare at the onset of the pandemic and opted to not use them in part for that reason. We found their terms not favorable to our organization and patients. To be fair, we found that true of many other tools and opted to go with the solution that we already had a VRA in process for pre-COVID.

    ------------------------------
    Brenda Manning J.D., C.H.C., C.H.P.C.
    Privacy Director
    Interim Privacy Officer
    Carilion Clinic

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------

    19th Annual CEI Virtual Conference


  • 11.  RE: zoom

    Posted 09-22-2020 10:42 AM
    We have a contract and BAA with Zoom. We found it made working with other entities much easier and that the conduit exception did not meet our requirements/interpretation.

    ------------------------------
    Aurae Beidler
    Compliance/ Privacy Officer
    Linn County Health Services
    ------------------------------

    19th Annual CEI Virtual Conference


  • 12.  RE: zoom

    Posted 09-22-2020 08:14 AM
    We have 1 license with Zoom without a BAA, but it is not used for telehealth or any activity with PHI.  It is only used to provide one specific type of training for some of our credentialed employees.  It is controlled and managed by our Staff Development section.

    ------------------------------
    Lloyd Hemmert
    Compliance & Ethics Officer
    Hill Country MHDD Centers
    Kerrville,TX
    [lhemmert@hillcountry.org]
    ------------------------------

    19th Annual CEI Virtual Conference


  • 13.  RE: zoom

    Posted 09-22-2020 09:20 AM
    I think most people have noted it but to be sure...just because Zoom representatives claim that no BAA is needed because they consider Zoom a conduit...which is incorrect...a BAA is needed..BUT WAIT...

    Given the enforcement discretion by OCR...CEs can use vendors such as Zoom without having to put a BAA in place first during the Pandemic.  The important thing here is to not take this to mean that you won't need a BAA.  You will...but at least for now, not having a BAA will not result in an enforcement action as described by the OCR on the topic of using vendors such as Zoom.

    If nothing else, it gives CEs the flexibility to explore different vendors and buys them time to put BAAs into place.





    Posted: 6:19 AM AZ time

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄
    Next Up:
    C&C...CPG OIG and 8B2.1

    ░ Pass the Exam Group for 2020 ░
    Melissa Singleton - Jan - CHPC
    Julie Clutter - Jan - CHPC
    Tanisha Grant - Feb - CHC
    Lisa Bibby - Jan - CHPC
    Kelly Puida - Mar - CHPC
    Christina Serrano - Mar - CHC
    Rachel Anderson - May - CHC
    Melissa Alexander - June - CHC
    Theresa Veazey - June - CHC
    Barbara Zubeck - June - CHPC
    Patricia Radatz - June - CHC
    Anthony Fleming - July - CHC
    Laura Chaney - July - CHC
    James Maruyama - July - CHC
    Namrita Notani - July - CHC
    Lisa Campbell - August - CHC
    Susan Hammerschmidt - August - CHC
    Brandi Brooks - August - CHC
    Shari Singleton - August - CHC
    Rebecca Crane - August - CHC
    Meagan Bottrell - August - CHC
    Jill Lyons - August - CHC
    Camille Walton - September - CHC
    Danique Flax - September - CHC
    Melanie Schoonover - September - CHPC
    Meghan Smith - September - CHC
    Mandi Quigley - September - CHPC
    ------------------------------

    19th Annual CEI Virtual Conference


  • 14.  RE: zoom

    Posted 09-22-2020 09:41 AM

    Thanks to those who provided some input and answers to my Zoom question. Frank – thanks for summing that up. That's exactly the position I thought we were in...using Zoom under the current enforcement discretion and exploring options and a BAA.

     


    Michael Scudillo, OTR, CHC 
    Chief Compliance Officer/Privacy Officer


    15 Microlab Road
    Suite 101 • Livingston, New Jersey 07039

    P: 1-973-992-8181 X7108 • F: 1-973-992-9797 • C: 1-973-699-4964
    www.uirehab.com

    This email and any attachments may contain information that is confidential, proprietary and/or privileged. It is intended only for the use of the person(s) and entity(ies) to whom it is addressed. If you are the intended recipient, further disclosures are prohibited without proper authorization. If you are not the intended recipient, any disclosure, copying, printing or use of this information is strictly prohibited and possibly a violation of the health insurance portability and accountability act (HIPAA) and other federal and state laws and regulations. If you have received this information in error please contact Universal Institute at 973-992-8181 ext. 7018 or via email at michael.scudillo@uirehab.commichael.scudillo@uirehab.com> and delete the material from all computers. michael.scudillo@uirehab.com>



    19th Annual CEI Virtual Conference