VidHealth and HIPAA Compliance

Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: Yes.

Recommend for your HIPAA risk management needs?: Yes. See Notes below for security concerns.

# of Caveats: 0 view caveats→

# of Usage Notes: 3 view notes→

Relevant Product Characteristics

This product is designed specifically with mental/behavioral health professionals in mind.
At least one technical leader or manager behind this product has an extensive background serving the health care industry.

What Is This Product?

VidHealth is a videoconference platform that allows for waiting rooms, one-on-one sessions, and optionally group meetings (though this feature needs to be requested before you can use it). At the time of this writing it is free to use after creating an account with them. The software is browser based, and doesn’t require any plug-ins or downloaded apps. It works best on Chrome, but has been tested on Firefox and Safari and seemed to work fine. It isn’t recommended for use on mobile devices.

VidHealth uses an encrypted form of video conferencing, and no data of yours is kept on their servers. The way it works is that you create a single-use link to send to a client (more on that below in the notes) and by following that link you join your client for a session. You can also create a dedicated waiting room link, that will allow anyone with access to the link to join a virtual waiting room (don’t worry, they can’t see each other). When you the clinician log in to VidHealth, you will see if anyone is waiting in your waiting room, and you can join them in session with a simple click of the button.

Because VidHealth uses session and waiting room links you will need to do a collaborative risk analysis with your client about how to get them those links. Sending them over conventional email or SMS poses a security risk.

Additionally, the waiting room system has an option to send you SMS (text) notifications if a client enters the room. This option is turned on by default, and will need to be turned off when you set up your waiting room. It sends whatever name your client enters when they’re asked to join, and so exposes PHI via unsecured SMS messaging.

Caveats

Caveats are criticsms of the company or product that we feel are relevant to your risk management or other important considerations.

None

Notes

Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.

1) Be sure to request, sign, and submit your BAA

VidHealth does not automatically execute a Business Associate Agreement with you. In order to agree to the BAA, you must request one using the email address listed in their FAQ. You will need to sign it and submit it.

2) Turn off SMS notifications

If you have a waiting room set up the option to be notified via SMS will be turned on by default. You will need to turn this feature off, as it will send the client’s name to your phone over unsecured SMS.

3) Send your room links securely

VidHealth uses a system of single use room links, or their waiting room. Either way, if you send the link via unsecured means such as SMS or conventional email you’re putting PHI at risk. You’ll need to work with your client to do a risk analysis on how to get the links to them, ideally before you have a VidHealth session with them.