Is GoToMeeting HIPAA compliant? Can GoToMeeting be used by HIPAA-covered entities and their business associates for communicating protected health information without violating HIPAA Rules?
GoToMeeting is an online meeting and video conferencing solution offered by LogMeIn. The service is one of many conferencing and desktop sharing solutions that can improve communication and collaboration, with many benefits for healthcare organizations.
In order for collaboration tools to be used by healthcare organizations that are required to comply with Health Insurance Portability and Accountability Act Rules, the tools must be subjected to a risk analysis and determined to meet the security standards demanded by HIPAA.
Fail to ensure that a particular service is HIPAA compliant and you could violate the privacy of patients, breach HIPAA Rules, and potentially have to cover a sizable financial penalty for non-compliance.
It should be pointed out that no software or communications platform can be truly HIPAA-compliant. Even if appropriate safeguards are incorporated to ensure the confidentiality, integrity, and availability of ePHI, it is still possible to use a ‘HIPAA-compliant’ service in a non-compliant manner. It is up to a HIPAA-covered entity or business associate to ensure that any software or communication platform is configured correctly, is used appropriately, that PHI is only shared or communicated to people authorized to receive the information, and that when information is disclosed, the minimum necessary standard applies.
How secure is GoToMeeting? Is GoToMeeting HIPAA compliant?
Is GoToMeeting HIPAA Compliant?
In order to consider GoToMeeting HIPAA compliant, technical safeguards would need to be incorporated to meet the requirements of the HIPAA Security Rule.
To protect data in transit, GoToMeeting is described by LogMeIn as using end-to-end encryption. Transmitted data is authenticated using HMAC-SHA-1 message authentication codes, while chat, video, audio, and control data are encrypted in transit with 128-bit AES. AES-128 is a NIST-approved encryption algorithm (FIPS 197), and HMAC-SHA-1 remains an approved message authentication code under NIST guidance even though SHA-1 itself is no longer acceptable for digital signatures, because HMAC's security does not rest on the hash function's collision resistance. A covered entity should still confirm in the vendor's current security documentation which data flows the "end-to-end" description actually covers.
Protecting data in transit is only one element of HIPAA compliance. If PHI is to be transmitted – via email, secure text messages, or conferencing solutions – there must be audit controls. An audit trail must be maintained allowing activity relating to PHI to be examined. GoToMeeting creates logs of connection and session activity, and access to reporting and management tools is available to account managers.
Controls must also be present that ensure only authorized individuals are able to gain access to the system. GoToMeeting is protected by unique meeting codes and includes the option of setting strong passwords. When meetings are set up they are not publicly listed, and meeting organizers have full control over who can join the meetings.
Each user who wishes to join a meeting must identify themselves using a unique email address and/or number along with a unique password, and users are automatically logged off after a period of inactivity, the length of which can be set by the meeting organizer.
GoToMeeting also confirms on its website, “the technical security controls employed in the GoToMeeting service and associated host and client software meet or exceed HIPAA technical standards.”
While the technical safeguards meet HIPAA requirements, HIPAA-covered entities must also enter into a HIPAA-compliant business associate agreement with service providers prior to using a service for communicating PHI. GoToMeeting offers a business associate agreement which covers use of the service, meeting this regulatory requirement.
So, is GoToMeeting HIPAA-compliant? Provided HIPAA-covered entities and business associates enter into a BAA with GoToMeeting prior to using the service for communicating PHI, GoToMeeting can be used in a HIPAA-compliant manner.
However, as GoToMeeting explains, “Organizations should carefully review all configurable security features of GoToMeeting in the context of their specific environments, user population and policy requirements to determine which features should be enabled and how best to configure.”