HIPAA Compliant Video Streaming / Conferencing on WordPress

HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.

When Is A Software Vendor Considered a Business Associate Under HIPAA?

If a vendor or subcontractor transmits, maintains, or has routine access to protected health information (PHI) when providing its services to a covered entity then it is considered a business associate. For example, a vendor that hosts the software containing patient information on its own server or accesses patient information when troubleshooting the software, then it is considered a business associate and must have a business associate agreement with the covered entity as specified under the HIPAA Privacy Rule 45 C.F.R. § 164.504(e).

The only exception under HITECH section 13408 is in the case of a data transmission organization that acts as a conduit, in that it only transports information but does not access it, such as the US Postal Service or its electronic equivalent — Internet Service Providers (ISPs), a telecommunication company, etc. While these may have access to PHI, they only access PHI on a random or infrequent basis as necessary for the performance of the transportation service or as required by law: “[D]ata transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates” (p. 22)

For VideoWhisper software, data sent by clients is communicated with hosting server, not software provider. Security compliance requirements refer to site and hosting setup.
Here are some considerations/ideas for building a HIPAA compliant video streaming / conferencing service:

Secure Streaming Data for Videoconferencing Applications

  • Video streaming occurs between client applications and streaming server (host) and access to applications can be restricted based on authentication.
  • Additionally, transfers can be protected  and data encrypted using  RTMPE/RTMPS on a dedicated Wowza server  .
  • User streaming to server can be archived as video files on RTMP server. Access to video archives and text chat logs needs to be restricted. If folders containing these are publicly accessible, restriction can be applied with a .htaccess file (that can be generated with CPanel folder protect feature).

These mentions also apply to VideoWhisper video streaming and conferencing applications.

HIPAA Hosting

  • You need to host your WordPress site with a hosting provider that provides HIPAA compliance and who will sign your HIPAA Business Associate Agreement.  This means that HIPAA WordPress hosting with regular providers like GoDaddy is not possible right away.
  • Using a dedicated server managed by your own administrators or a HIPPA provider is best.
  • If server or site software is setup by a 3rd party provider, passwords need to be changed and your own staff needs to review changes before using site for sensitive data.

Secure HTTP (HTTPS)

  • Get a SSL certificate and dedicated IP address for your web site so that traffic to/from it can be encrypted in transit.
  • Ensure that your WordPress site cannot be accessed without SSL (.htaccess redirect)

Restrict Access to Electronic Protected Health Information (ePHI)

Electronic protected health information (ePHI) refers to any protected health information (PHI) that is covered under Health Insurance Portability and Accountability Act of 1996 (HIPAA) security regulations and is produced, saved, transferred or received in an electronic form.

Protection depends on site setup, staff and operation procedures.

  • Ensure that ePHI is never publicly available –users must login to access that content.
  • Ensure that users with access to ePHI are properly granted / revoked access by your HIPAA administrators.
    Ex: It should not be possible for someone to sign-up and get access without explicit review / approval.
  • Ensure that users have access to only the ePHI they need and should have access.
  • Ensure that all WordPress logins are monitored and are logged. (ex. User Login Log plugin)

Secure WordPress

  • Ensure that all WordPress logins are monitored and are logged.
  • Keeping your WordPress and all plugins up-to-date.
  • Use plugins like “Duo Security” to add 2-factor authentication to your site.
  • Ensure that user logins to WordPress will automatically log users off due to inactivity.
  • Log access to ePHI, if possible. An easy way is to make sure web and rtmp access logs are enabled.
  • Review your procedures and users periodically.
  • Ensuring that WordPress does not cache copies of ePHI-pages insecurely on disk, especially if you are in a shared environment.  Wordpress content is normally stored in a database, but if it is cached insecurely on disk that will weaken security and in a shared environment could provide access to unauthorised persons. That’s an extra reason why you should have your own dedicated server.
  • Ensure that there are good backups of your site and its content. Most hosting providers offer automated site backups. These should also be downloaded periodically and stored on a different secure machine.

Extra Security

If you are restricting access to a specific set of users, consider locking down access to the site by IP address .