The Health Insurance Portability and Accountability Act (HIPAA) lays out privacy and security standards that protect the confidentiality of patient health information. In terms of a learning management system, the solution and security architecture must provide end-to-end encryption and meeting access controls so data in transit cannot be intercepted. The general requirements of HIPAA Security Standards state that covered entities must:
We sign the HIPAA Business Associate Agreement (BAA) for our healthcare customers, meaning we are responsible for keeping your patient information secure and reporting security breaches involving personal healthcare information. We do not have access to identifiable health information and we protect and encrypt all learner, audio, video, and screen sharing data.
The following table demonstrates how Tovuti supports HIPAA compliance based on the HIPAA Security Rule published in the Federal Register on February 20, 2003 (45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule).
Person or Entity Authentication:
Security and Encryption
Only members invited by account administrators can host Tovuti meetings in accounts with multiple members. The host controls meeting attendance through the use of meeting IDs and passwords. Each meeting has only one host unless a co-host is purposefully added by the host. The host can screen share or lock screen sharing. The host has complete control of the meeting and meeting attendees, with features such as lock meeting, expel attendees, mute/unmute all, lock screen sharing, and end meeting.
Tovuti employs industry-standard end-to-end Advanced Encryption Standard (AES) encryption using 256-bit keys to protect meetings. Tovuti encryption fully complies with HIPAA Security Standards to ensure the security and privacy of patient data.
Screen Sharing in Healthcare
Medical professionals and authorized healthcare partners can use Tovuti to meet with patients and other healthcare professionals to screen-share health records and other resources. Tovuti does not distribute the actual patient data. Screen sharing transmits encrypted screen capture along with mouse and keyboard strokes only, not the actual data. Tovuti further protects data confidentiality through a combination of encryption, strong access control, and other protection methods.
Currently, the agencies that certify health technology – the Office of the National Cordinator for Health Information Technology and the National Institute of Standards and Technology – do “not
assume the task of certifying software and off-the-shelf products” ( p. 8 352 o f t he Security Rule), nor accredit independent agencies to do HIPAA certifications. Additionally, the HITECH Act only provides for testing and certification of Electronic Health Records (EHR) programs and modules. Thus, as Tovuti is not an EHR software or module, our type of technology is not certifiable by these unregulated agencies.