5 things to look for in HIPAA-compliant video conferencing software

Ensuring HIPAA-compliant video conferencing is a growing concern for organizations that handle protected health information (PHI). Healthcare providers have some flexibility during the pandemic. Still, HHS will fully enforce HIPAA provisions in the future, so now is the time to update your technology and processes to be compliant.

While this guide is not a substitute for consulting with a legal professional, we’ll give you a starting point so you can begin taking the steps necessary to use HIPAA-compliant video chat when needed.

How to provide “compliant” telehealth services during the pandemic

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains many requirements for anyone handling protected health information. These rules are enforced by the Department of Health and Human Services (HHS). 

HIPAA includes provisions governing the use of video conferencing software, but HHS and its Office for Civil Rights (OCR) have determined not to penalize those providing telehealth services during the pandemic.

That means that healthcare providers using non-compliant video conferencing solutions can take the steps necessary to provide remote care while limiting potential exposure to the virus.

HHS notified healthcare providers that, while the pandemic is classified as a nationwide public health emergency, providers can use “any non-public facing remote communication product that is available to communicate with patients.”

It also suggests that “[c]overed health care providers that seek additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products.”

These protections will be necessary to continue offering telehealth services when the pandemic is no longer a national emergency and are also needed to ensure compliance when discussing PHI over a video conference with other healthcare professionals.


What are the consequences of violating HIPAA?

When the Secretary of HHS declares that a public health emergency no longer exists, HIPAA violations for non-compliant video conferencing will be penalized. HHS reports that, in cases where it imposed a monetary penalty, the average amount was over $1.3 million.

In 2017, a survey of health organizations found that the average cost of a data breach was $6.2 billion. This amount includes revenue lost, breach notification costs, lost brand value, HIPAA settlement fines, and other costs.

The rise of telehealth

When the coronavirus is under control, some healthcare providers will reduce or eliminate telehealth options and go back to business as usual. But, based on the trends seen during the pandemic, telehealth is here to stay for most patients and providers.

The Centers for Disease Control and Prevention (CDC) highlight many benefits of telehealth during the pandemic. These benefits include expanded access to care and reduced demand on facilities, which will continue to be of concern after reducing exposure to the virus is no longer a driving force.

And receiving telehealth during the pandemic has shown many patients the value they receive from remote consultations.

Policies designed to limit the spread of coronavirus have forced people who may otherwise have preferred an in-person consultation to receive remote healthcare services. That has exposed a large segment of the population to the benefits of telehealth. 

Research cited by the CDC shows that delivering online treatment is “effective” and “well-accepted by patients.”

And, in a 2021 survey, over 70 percent of respondents viewed telehealth services as “the way of the future.” Twenty-three percent of patients who received these services found that remote consultations exceeded their expectations, and 21 percent prefer telehealth services to in-person visits.

This trend is likely to continue, as the coronavirus is still influencing day-to-day life around the world. Providers who make HIPAA-compliant video conferencing a priority now will be able to make a smooth transition into post-pandemic telehealth.

Why your practice needs a HIPAA-compliant video conferencing solution

During the pandemic, HHS is recommending telehealth services in many situations, like:

  • routine health care
  • medication consultation
  • nutrition counseling
  • mental health counseling

Synchronous telehealth, where the patient engages in real-time communication with a healthcare provider, can be offered over the phone. But including HIPAA-compliant video in these communications makes it more likely that insurers will cover the services.

For example, in every state, Medicaid will reimburse providers for real-time video communications with patients. As of this writing, only ten states will reimburse providers for services that don’t include live video.

How to choose a HIPAA-compliant video conferencing solution

The American Medical Association’s Telehealth Implementation Playbook offers guidance on what to look for when selecting HIPAA-compliant video conferencing software. 

Some of the critical factors they suggest providers consider include:

  • Business stability
  • Customizability
  • Integrations
  • HIPAA compliance
  • Usability
  • Customer service

Below, we’ll cover some questions you should answer as you consider HIPAA-compliant video conferencing solutions.


Business stability

Most healthcare providers have a rigorous review process in place that makes choosing new software a time-consuming process. After that, it takes time to implement the solution.

Assessing the business stability of each vendor you consider reduces the likelihood of having to start the process over because the company shuts down.

Key questions to ask include:

  • How long has the company been in business?
  • Is it well-funded?
  • Does it work with other healthcare organizations?

There are no guarantees, but a well-funded company that has been in business for a few years and has gone through the review process with other healthcare organizations is a safe bet.



You probably work with many technology providers already. Before implementing new technology, you should assess how easily it will fit into your current IT landscape.

Key questions to ask include:

  • Does the company’s video conferencing solution work with your existing technology where necessary?
  • Is it customizable?
  • What will the impact be on your network usage?
  • What technology will the patient need?

The video conferencing software you choose doesn’t need to integrate with every tool you currently use. But if it needs to communicate with certain tools, it’s important to evaluate how difficult it will be to do that.

You’ll also need to assess the load it will place on your network and the burden it will place on patients. Some video conferencing software is resource-intensive. Many options will require your patients to download software to receive telehealth services.

You’ll want to find a solution that won’t put an unnecessary load on your system. And, if possible, it’s better to choose a video conferencing tool that doesn’t require your patients to download software or extensions.


HIPAA compliance

You wouldn’t be reading this article if you didn’t understand the importance of finding a HIPAA-compliant video conferencing solution. 

Here are a few questions you can ask to determine whether each option is compliant:

  • Is the company willing to sign a Business Associate Agreement (BAA)?
  • What protections does the software have in place to protect PHI?
  • What other features does it have in place to comply with HIPAA?

You should pose these questions to each vendor directly to see what measures they take to ensure compliance.



Usability

Your care team is busy enough as it is. That’s why finding a simple solution that your team can quickly implement is essential.

Here are some questions to ask:

  • Is it easy to use?
  • How long does it take to implement?
  • What’s the user experience like?

The best way to discover the answers to these questions is by having multiple members of your team demo the software and report on the user experience.


Customer service

Even the best software will run into hiccups. The way each vendor handles those inevitable hiccups will vary.

Here are two questions to ask before you make a decision:

  • What support does the company offer for care team members?
  • What support does the company offer for patients?

You want to find a vendor who will be there not only when you need them but also when your patients need them.


Other features to consider

In addition to HIPAA-compliant video conferencing, other features may allow you to provide better care. Here are a few to consider as you research your options.



Co-browsing

With co-browsing software, you can review documents with patients, cover treatment options, and give your patient control when necessary. Co-browsing is similar to screen sharing, but instead of sharing your screen, you share a browser. Depending on how your co-browsing platform implements this feature, it can be more secure than screen sharing.

For example, a Surfly session only shares the browser tab in which the session started. And it doesn’t store any personal information or session data on disk, so your data is never at risk. 

Surfly has several other security measures in place as well. These include masking confidential information and grantlisting and blocklisting websites.


Website annotation

Website annotation allows you to annotate existing pages on your own website or on third-party websites so that you can share additional information with your patients. For example, say you have a standard online document you give to all patients but want to provide further information that varies by patient. You can annotate that document to include patient-specific details.

Surfly offers website annotation, so you can get the benefit of HIPAA-compliant video conferencing and secure co-browsing with one tool.



E-signing

You can also improve privacy and security with e-signing. With Surfly, you can provide your privacy policies in a co-browsing session as part of a HIPAA-compliant video conference so that patients can sign off on these policies online.

You can also use e-signing to receive patient consent and confirm patient identities. 

Improve your telehealth services with HIPAA-compliant video conferencing and more

As we move past the pandemic, HIPAA-compliant video conferencing technology is essential for telehealth providers. This guide has covered the key factors to assess and additional features to ask about when you’re researching HIPAA-compliant video chat options for your organization. 

Don’t stop at video conferencing. Many tools are available, like co-browsing and e-signing, to make your telehealth services more secure and efficient. Now is the time to evaluate those options as part of your due diligence into video conferencing software.
