GoToMeeting & HIPAA Compliance
GoToMeeting is an online meeting and video conferencing service offered by LogMeIn. The product is just one of many conferencing and desktop sharing solutions that can enhance communication and collaboration, with many advantages for healthcare groups.
In order for collaboration tools to be employed by healthcare groups that are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) Rules, the tools must undergo a risk analysis and be determined to meet the security standards demanded by HIPAA.
Fail to make sure that a particular service is HIPAA compliant and you could breach the privacy of patients, violate HIPAA Rules, and possibly face a sizable financial penalty for non-compliance.
It should be noted that no software or communications platform can be completely HIPAA-compliant. Even if proper safeguards are incorporated to guarantee the confidentiality, integrity, and availability of ePHI, it is still possible to use a ‘HIPAA-compliant’ service in a non-compliant fashion. It is up to a HIPAA-covered entity or business associate to ensure that any software or communication platform is set up properly, is used appropriately, that PHI is only shared or communicated to people authorized to receive the data, and that when information is disclosed, the minimum necessary standard applies.
For GoToMeeting to be considered HIPAA compliant, it must incorporate technical safeguards that meet the requirements of the HIPAA Security Rule.
To protect data on the move, GoToMeeting employs full end-to-end data encryption. All sent data is protected using HMAC-SHA-1 message authentication codes, while chat, video, audio, and control data are protected in transit using AES 128-bit encryption. AES 128-bit encryption meets the existing standards for encryption recommended by NIST.
Protecting data in transit is only one element of HIPAA compliance. If PHI is to be sent – via email, secure text messages, or conferencing solutions – there must be audit controls in place. An audit trail must be maintained that allows activity relating to PHI to be reviewed. GoToMeeting creates logs of connection and session activity, and access to reporting and management tools is available to account managers.
Controls must also be in place to ensure that only authorized individuals are able to gain access to the system. GoToMeeting is protected by unique meeting codes and includes the option of setting strong passwords. When meetings are set up they are not publicly listed, and meeting organizers have full control over who can join the meetings.
Each user that wishes to attend a meeting must identify themselves using a unique email address and/or number along with a unique password, and users are automatically signed off after a period of inactivity, which can be set by the meeting organizer.
GoToMeeting also states on its website, “the technical security controls employed in the GoToMeeting service and associated host and client software meet or exceed HIPAA technical standards.”
While the technical security measures meet HIPAA requirements, HIPAA-covered entities must also enter into a HIPAA-compliant business associate agreement (BAA) with service suppliers before using a service for communicating PHI. GoToMeeting offers a business associate agreement covering use of the service, meeting this regulatory requirement.
So, can GoToMeeting be deemed HIPAA-compliant? Provided HIPAA-covered entities and business associates complete a BAA with GoToMeeting prior to using the service for communicating PHI, GoToMeeting can be used in a HIPAA-compliant fashion.
However, as GoToMeeting outlines, “Organizations should carefully review all configurable security features of GoToMeeting in the context of their specific environments, user population and policy requirements to determine which features should be enabled and how best to configure.”