
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Is WebEx HIPAA Compliant?

Webex is HIPAA compliant and, provided policies relating to disclosures are complied with, can be used to disclose PHI during videoconference calls between healthcare providers or during telehealth calls between providers and patients. It is also important that the platform is configured to support HIPAA compliance and that a Business Associate Agreement is in place with Webex by Cisco.

What is Webex?

Webex by Cisco is a web and video conferencing and collaboration platform that helps businesses connect with remote workers and partners as if they are in the same room.

With tools such as Webex, healthcare organizations can communicate quickly and easily with the workforce, no matter where employees are located. Regional operational meetings can be conducted, medical education can take place online, and healthcare employees can be trained on new processes and procedures. These platforms can also potentially be used for communicating with patients.

However, before any collaboration tools can be used in connection with protected health information (PHI), healthcare organizations must be certain that the tools support HIPAA compliance. So how does Webex fare in this regard? Is Webex HIPAA compliant or should the platform be avoided by HIPAA-covered entities?

Webex Security

Cisco has implemented a host of security controls to ensure all communications take place securely and information cannot be intercepted. Any information sent from a Webex application to the Webex cloud travels over an encrypted channel that supports the TLS 1.0, 1.1 and 1.2 protocols and uses high-strength ciphers such as AES-256. Media packets are encrypted using AES-128. There is also the option of end-to-end encryption which, if applied, means Cisco will not decrypt any media streams.

All media streams can be recorded for future reference and meet HIPAA audit requirements. Data is also protected at rest with encryption, and audio, video, and data streams are stored separately.

Administrators can configure the platform to provide the desired level of security: login attempts can be rate limited, accounts can be automatically deactivated after a defined period of inactivity, password policies can be enforced, 2-factor authentication can be used, and strict access controls can be set to carefully control who has access to the platform.

Cisco also provides full documentation on functionality, technology, and security to help healthcare organizations with their risk assessments.

Cisco will also sign a business associate agreement with HIPAA-covered entities and their business associates.

Is Webex HIPAA Compliant?

Webex incorporates administrative and technical safeguards that meet HIPAA requirements; however, it is up to covered entities to ensure the platform is configured correctly and that it is used in a manner compliant with HIPAA Rules.

Provided that is the case, and a business associate agreement has been entered into with Cisco covering the use of Webex for Healthcare, Webex can be considered a HIPAA-compliant solution and can be used by healthcare organizations.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
