Disclaimer: This post is for informational purposes only and does not constitute legal advice. We advise readers to consult a qualified legal professional for guidance on HIPAA compliance and BAAs.
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for how covered entities and their business associates must manage protected health information (PHI). HIPAA codifies policies and procedures that require certain entities to have safeguards in place to protect patient data.
Covered entities can include health plan providers, direct healthcare providers like hospitals, and anyone who handles PHI on their behalf. Anyone signing a business associate agreement (BAA) with a healthcare organization may need to also comply with HIPAA regulations. It’s imperative that they gain a full grasp of what they’re agreeing to because violations of HIPAA can carry significant penalties.
- What are some HIPAA requirements?
- Who should be aware of HIPAA requirements?
- Guidelines for HIPAA: The 4 HIPAA rules and regulations
- A checklist for creating secure video content
- Physical and technical safeguards for HIPAA compliance
- What’s a HIPAA violation: Types and examples
- How Vimeo supports healthcare customers
- Frequently asked questions
- Power secure healthcare messaging with Vimeo video
What are some HIPAA requirements?
HIPAA requires the implementation of secure policies and procedures that help maximize the privacy and security of patients’ health information. There are several specific rules, but a primary goal is to ensure that PHI is only disclosed to those authorized to view it.
PHI includes personally identifiable information about a patient, such as their full name, birthday, or recognizable features. It may also include any information they’ve shared with their doctors, any diagnoses those doctors make, and their prescribed treatment plans. That’s why HIPAA is such an important protection: It helps guarantee the confidentiality of medical records.
Adherence to HIPAA regulations can lead to patients feeling more comfortable sharing sensitive details with healthcare providers. This can contribute to better healthcare decision-making and potentially improved patient outcomes and care.
Who should be aware of HIPAA requirements?
Covered entities and their business associates who handle PHI on their behalf may need to meet HIPAA requirements. A covered entity could include any healthcare organization that handles patients’ medical records or other personally identifiable information. It’s crucial that these entities and their business partners handle PHI carefully to secure the privacy of patient data.
Those subject to HIPAA may need to ensure their video content is secure. Vimeo offers a video hosting solution with features designed to help entities handling PHI meet their HIPAA compliance obligations, provided they configure their account appropriately and enter into a BAA with Vimeo.
Read more about HIPAA compliance on Vimeo →
Guidelines for HIPAA: The 4 HIPAA rules and regulations
There are several interconnected HIPAA requirements that describe how information can pass from patients to doctors and health plan providers. This is especially true of electronic PHI (ePHI), and there are additional rules dedicated to proper disclosure online and the necessary security of digital databases. Complying with these regulations helps support the protection of data, though it does not guarantee it.
1. HIPAA Privacy Rule
The HIPAA Privacy Rule obligates covered entities to prevent unauthorized access to patients’ medical records and other PHI. It also outlines patients’ rights with respect to their PHI, including the right to obtain copies of any data healthcare providers have about them and to request corrections to that data.
2. HIPAA Security Rule
The HIPAA Security Rule requires that covered entities implement administrative, physical, and technical safeguards to protect the integrity and security of PHI. They must also be ready for audits by the Department of Health and Human Services (HHS) or its Office for Civil Rights (OCR) at any time.
Vimeo follows industry-wide best practices for security and compliance, and it has the SOC 2 report and ISO 27001 certification to prove it. Some existing controls include authenticated logins, user management and privacy settings, and secure data processing.
3. HIPAA Breach Notification Rule
HIPAA’s Breach Notification Rule requires covered entities and their business associates to notify people if someone accesses their data improperly. The rule describes what constitutes a data breach and whether they must also notify local media if a breach occurred. It also stipulates how soon they must contact the HHS.
4. HIPAA Omnibus Rule
The HIPAA Omnibus Rule contains several additional regulations that aim to strengthen HIPAA overall. It describes how business associates must also be HIPAA compliant and expands patients’ rights to access their information. It’s a catch-all rule where the HHS has added regulations that didn’t fit into the other categories.
A checklist for creating secure video content
Creating, publishing, and sharing medical video content introduces certain risks, such as improperly disclosing PHI. However, implementing the following policies and procedures can help mitigate those risks and assist you in using a platform like Vimeo to host videos securely:
- Implement written policies, procedures, and standards of conduct. Your standard operating procedures (SOPs) should clearly describe how, when, and why workers can disclose patient information.
- Designate a compliance officer and a compliance committee. Identify a group of people responsible for maintaining the integrity of your SOPs and ensuring workers follow them carefully.
- Conduct effective training and education. Your compliance committee should craft detailed training plans that make HIPAA obligations clear.
- Develop effective lines of communication. Everyone should know the escalation path for unauthorized disclosure incidents and understand who is accountable for such violations.
- Conduct internal monitoring and auditing. Regularly check to help verify that workers maintain HIPAA compliance and that they properly gather, store, and dispose of PHI.
- Enforce standards through well-publicized disciplinary guidelines. Ensure everyone in the organization knows the repercussions of a HIPAA violation, both for the individual and the business.
- Respond promptly to detected violations and undertake corrective action. Your SOPs must outline a rapid response to any HIPAA violations and an immediate risk assessment to safeguard against further breaches.
Physical and technical safeguards for HIPAA compliance
The HIPAA Security Rule outlines certain administrative, physical, and technical safeguards that all organizations subject to HIPAA must use to protect health information. These measures may include:
- Properly secured workstations and devices when not in use
- Contingency plans for data breaches and accidental disclosure
- Security awareness training for anyone who handles PHI
- Proper encryption of files that contain PHI
- Unique user identification methods for every worker
You can learn more about physical and technical safeguards by reading the papers published about the Security Rule on the HHS website. They even offer a video course to educate newly covered entities and business associates about HIPAA regulations.
What’s a HIPAA violation: Types and examples
When a HIPAA violation occurs, the HHS and the OCR investigate to determine precisely how it happened. They categorize the breach and then determine if neglect or malicious intent was a factor.
HIPAA violation categories
Failing to meet any of the HIPAA regulations constitutes a violation, but here are the main violations that most commonly trigger an investigation:
- Data breaches: A HIPAA Security Rule violation involving bad actors who hack into a covered entity’s database to expose PHI for personal gain.
- Example: When Anthem, Inc. experienced the largest health information breach in history, it had to pay the HHS $16 million in fines.
- Improper disclosure: A Privacy Rule violation that occurs whenever there is an unauthorized disclosure of PHI. Keep in mind that Privacy Rule violations are not limited to "person to person" scenarios.
- Example: The Inmediata Health Group had to pay $250,000 when it was found that many of their patients’ medical records were discoverable on search engines.
- Failure to notify: Failing to notify affected patients promptly constitutes a HIPAA Breach Notification rule violation.
- Example: When Sentara Hospitals failed to notify the HHS that a data breach occurred, the HHS fined them $2.175 million.
- Refusing to furnish records: Covered entities violate the HIPAA Omnibus Rule if a patient can’t conveniently and promptly request a copy of their medical records.
- Example: When the Oregon Health & Science University failed to provide timely access to patients’ records, the HHS fined them $200,000.
Tiers of HIPAA violations
If the OCR determines that a HIPAA violation occurred, it categorizes the violation and assesses whether neglect or malicious intent was involved. Penalties are determined per violation, per calendar year, and can vary based on numerous factors. For example, a $100 fine becomes $500 if five patients’ PHI were exposed. The tiers of severity are as follows, each with its own minimum and maximum penalty cap:
- No Knowledge: The entity was unaware and the violation was an accident or caused by an unforeseen malfunction.
- Reasonable Cause: The entity knew or should have known that a violation could occur, either because its security or administrative practices were lacking or because training was subpar.
- Willful Neglect, Corrected within 30 days: The entity violated HIPAA due to willful neglect but corrected the violation within 30 days of discovery.
- Willful Neglect, Not Corrected within 30 days: The entity violated HIPAA regulations due to willful neglect and did not correct the violation within 30 days of discovery.
How Vimeo supports healthcare customers
At Vimeo, keeping your data safe and secure has always been a top priority. We follow industry-wide best practices for security and compliance, and we have the SOC 2 report and ISO 27001 certification to prove it. Some of our existing controls include:
- Authenticated login: Vimeo uses robust security measures like single-sign on (SSO) and two-factor authentication (2FA) to help make sure your videos can only be viewed by your intended audience — and no one else.
- User management and privacy settings: Granular role-based access controls, folder management, and video privacy settings allow you to control not only who can publish your videos, but also how and where.
- Data processing: Both video content and user data are encrypted using industry best practice such as AES 256 and TLS 1.2. Custom data retention settings allow you to automate deletion of video content on Vimeo according to your unique compliance needs, making it easier to adhere to your organization’s data retention policy.
As part of our commitment to helping healthcare organizations use video, Vimeo completed the security risk analysis provided by the U.S. Department of Health and Human Services (HHS). The analysis helped us validate Vimeo’s alignment with the administrative, physical, and technical safeguards outlined in the HIPAA Security Rule. For more in-depth information on how to configure Vimeo for HIPAA-compliant use, please see our Help Center documentation.
To further strengthen our offering for healthcare companies, Vimeo took the following additional steps:
1. We signed BAAs with relevant third-party data processors.
Business associate agreements (BAAs) establish a legal framework that outlines the obligations and responsibilities regarding protected health information (PHI) for sub-processors who store or process customer data. This agreement signifies that both Vimeo and our sub-processors understand the importance of protecting PHI in alignment with HIPAA regulations by:
- Limiting sub-processors’ use of PHI to only what is necessary for the agreed-upon services
- Requiring sub-processors to implement appropriate security measures to safeguard PHI, including administrative, physical, and technical safeguards
- Ensuring appropriate actions are taken to mitigate risks in the event of a data breach or non-compliance
2. We established a HIPAA security policy and internal training.
Protecting PHI isn’t just our security team’s job — it’s everyone’s job. While we have long stressed the importance of data security internally at Vimeo, we also took the step of codifying all procedures, practices, and safeguards related to PHI in a formal HIPAA security policy. By requiring employees to sign and acknowledge this policy, we established a shared understanding of the responsibilities and obligations expected of everyone at Vimeo.
In addition, we rolled out an internal HIPAA training program designed to educate employees on the importance of maintaining confidentiality and integrity of PHI, safeguards and best practices for handling PHI, as well as the potential consequences of non-compliance.
3. We now offer a BAA to Vimeo customers.
Finally, Vimeo offers enterprise customers in HIPAA-regulated industries a HIPAA business associate agreement. HIPAA requires healthcare providers (or “covered entities,” in HIPAA talk) to enter into such agreements with any and all business associates (in this case, Vimeo) who will be processing protected health data. Vimeo’s BAA outlines the standards we employ to safeguard PHI and empowers our customers in the healthcare space to invest in video within a secure ecosystem that supports HIPAA compliance.
To learn more about entering into a BAA with Vimeo, please contact us to discuss your healthcare video needs with our team. For more details on how we secure our platform, check out our enterprise security offerings and certifications.
Frequently asked questions
What are the key features that make a video platform HIPAA-compliant?
A video platform designed to help with HIPAA compliance, like Vimeo, offers robust features to support the privacy and security of uploaded videos when used appropriately and with a signed BAA. This includes strong access controls, user authentication, and rigorous security practices for a secure database. Vimeo also encourages any covered entity using our platform to audit their videos carefully and to never include ePHI in content they upload.
Can healthcare providers use video content for marketing purposes?
Absolutely. Video advertising is a great way to showcase the human element in any healthcare organization. You should develop video marketing that highlights all the incredible people who make your organization run and the impressive facilities you use. Just make sure the videos contain no PHI or that proper patient consent is obtained if individuals are identifiable.
How can I ensure my video content is HIPAA compliant?
To ensure your video content is HIPAA compliant, you should implement written policies, procedures, and standards of conduct, designate a compliance officer and committee, conduct effective training, develop clear communication lines, perform internal monitoring and auditing, enforce disciplinary guidelines, and respond promptly to detected violations with corrective action. Additionally, utilize physical and technical safeguards like secured workstations, contingency plans, security awareness training, encryption, and unique user IDs.
Does Vimeo offer a BAA for healthcare customers?
Yes, Vimeo offers a Business Associate Agreement (BAA) to enterprise customers in HIPAA-regulated industries. This agreement outlines the standards Vimeo employs to safeguard PHI, empowering healthcare providers to use video within a secure ecosystem that supports HIPAA compliance. Vimeo has also signed BAAs with relevant third-party data processors and established an internal HIPAA security policy and training program to further strengthen its offering for healthcare companies.
Power secure healthcare messaging with Vimeo video
Complying with HIPAA might seem daunting initially, but Vimeo is here to help. If you’re a covered entity or business associate needing a secure video platform to manage your healthcare videos, signing a BAA with us is a great first step. Our HIPAA-focused video solution provides industry-leading privacy and security features, making it easy to securely share videos with patients and other healthcare providers when the account is configured and used as required.
Safeguarding PHI and adhering to HIPAA privacy rules isn’t just a legal necessity — it’s also a competitive advantage. With Vimeo, you can confidently market your services as a solution that prioritizes security for privacy-conscious consumers.