2 Ways to Ensure HIPAA Compliance for Telemedicine Video Streaming


The pandemic has accelerated efforts that were already underway to expand telemedicine. To avoid the spread of the coronavirus through in-person visits, doctors and patients turned to virtual visits as a safe and convenient way to ensure doctors’ and patients’ health. Telehealth, however, will likely continue to be an important health care service in our… Continue reading 2 Ways to Ensure HIPAA Compliance for Telemedicine Video Streaming

The pandemic has accelerated efforts that were already underway to expand telemedicine. To avoid the spread of the coronavirus through in-person visits, doctors and patients turned to virtual visits as a safe and convenient way to ensure doctors’ and patients’ health.

Telehealth, however, will likely continue to be an important health care service in our post-pandemic lives. The forced adoption of virtual doctor visits has shown how useful e-visits can be for routine check-ups. In fact, a recent study conducted by the American Medical Association concluded that 24% of health care office visits and outpatient volume could be delivered virtually and an additional 9% delivered “near-virtually.”

Patients and overwhelmed parents alike have appreciated the convenience of not having to travel to a doctor’s office. Furthermore, telemedicine helps expand health care to rural areas far away from the nearest office, while providing better care for residents of long-term health facilities. These kinds of benefits serve to help doctors and patients as well as medical organizations in general.

There is a growing appetite for expanding telehealth services with 57% of providers viewing telehealth more favorably than before COVID-19. According to WebMD, the Wall Street Journal recently reported that the global market is projected to grow from $25.4 billion this year to $55.6 billion by 2025. That kind of growth is certainly a substantial market indicator.

A big part of telemedicine is ensuring that all sensitive medical information remains secure. These security and privacy concerns are why the HIPAA Privacy Rule was created. The Privacy Rule sets national standards for the protection of “individually identifiable health information” — which includes information about a patient’s mental or physical health, medical treatments or payment history.

As health providers continue to shift their record keeping and patient messaging to an online model, HIPAA compliance has expanded to the digital realm as well. Indeed, your telehealth application and network has to meet not only HIPAA requirements but also possibly even more stringent state privacy laws. Two key aspects that can help keep confidential data safe and secure pertain to where the data is hosted and how it is transported.

Note: The features highlighted below concern only technical safeguards that can be configured with Red5 Pro. They are not a substitute for due diligence when it comes to making sure that your telehealth application and network are HIPAA compliant.

Improve Data Security through Encryption

A key aspect to create a secure system is encryption. For browser-based applications, WebRTC is your best choice for a streaming protocol because it provides real-time latency of under 500 milliseconds which is good for facilitating smooth, back-and-forth conversations. Moreover, for security reasons, WebRTC streams are always encrypted.

Encryption is a way of scrambling data so that only authorized parties can understand the information. In technical terms, it is the process of converting plaintext to ciphertext. In simpler terms, encryption takes readable data and alters it so that it appears random. This requires the use of two encryption keys; one public and one private. Those keys are a set of mathematical values that both the sender and the recipient of an encrypted message can decipher. Encryption needs to be both random, to prevent unauthorized users from accessing the data, and predictable so that the information can be used correctly by authorized recipients.

In the case of WebRTC, the encryption process is performed in the browser with no additional configurations required. Furthermore, WebRTC does not require any plug-ins, which further enhances security because it eliminates the concern of third-party software and potential side effects such as data tracking or viruses. In general, plug-in connections pose a potential security risk as they could be exploited.

WebRTC security supports AES (Advanced Encryption Standard) protection, also known as bank-grade protection. As such, WebRTC eliminates the risk of using third parties or leveraging a DIY platform to manage all the functions related to authenticating devices and authorizing users. Instead, WebRTC uses the video transport protocol SRTP (Secure Real-Time Protocol) to send and receive encrypted content over the three channels WebRTC devotes to video, audio and data.

Exchanges of the keys used by SRTP to encrypt and decrypt content are managed through a version of the IETF’s TLS (Transport Layer Security) protocol known as DTLS (Datagram Transport Layer Security), which is used with UDP (User Datagram Protocol) connectivity, the ultra-low latency packet transmission protocol employed by WebRTC. Alternatively, you can also use TCP for this process. This key exchange happens automatically with instantiation of a WebRTC stream.

Furthermore, the same WebRTC security architecture will be replicated regardless of who your hosting provider is. The ability to support cross-cloud solutions increases flexibility. It also enables the establishment of the same security features in different regions since the WebRTC security implementation is standard. More details on the security features of WebRTC can be found on the Red5 blog.

Consider Self-Hosting Your Telehealth Application

The best way to ensure full data security is to host your telemedicine app on your own servers. Having full control over the back-end infrastructure also allows you to fully customize the security on your telemedicine application like custom authentication, AI processes, manipulation of the video images with watermarking.  Most importantly, it prevents other providers from accessing your streams; a top priority for security. Flexibility and extensibility are closely tied to security when it comes to writing back-end code for telemedicine apps.

Self-hosted streaming infrastructure prevents you from getting boxed-in by a platform-as-a-service (PaaS) hosting provider. A PaaS vendor may not support the full range of API packages—and the accompanying features—you are looking to integrate into your application. Furthermore, a scalable WebRTC-based application will run through a server, meaning that the stream is also decrypted server side. In that case, the PaaS provider you are relying on has access to all the videos you stream through it.

Another reason that you might want to manage the service yourself is that you might need recordings of the sessions for the patient to review later, or for the medical staff to review for compliance reasons. This recording is essentially a part of the medical record. You won’t want to trust third party vendors with access to this data.

While self-hosting is arguably the strongest choice for ensuring data security, it should be noted that cloud-based hosting providers such as Google Cloud, and AWS offer HIPAA compliant platforms as well. These would be a little more convenient to use, but would limit customization options to some degree. In that case, hosting agnostic solutions would provide the flexibility and basic feature set you need.

Whether self hosting or using a specific cloud platform, safe-guarding sensitive data is essential. Patients want to know that their personal information is secure, let alone the legal implications of not providing effective security.

The pandemic may have forced the widespread adoption of telemedicine in order to maintain a degree of basic care; evisits, however, are here to stay. The benefits to doctors, patients and medical organizations will still be valuable in a post-pandemic world. Thus it is important to continue to expand the availability of telemedicine. A big part of that is making sure that sensitive data remains safe which means setting up a secure infrastructure.

Interested in building your own telemedicine application? Reach out to us at info@red5.net or schedule a call. We’d love to show you what’s possible with Red5.