Is GoToMeeting HIPAA compliant? Could HIPAA covered entities or their business associates use GoToMeeting to share protected health information (PHI) and stay compliant with HIPAA?
GoToMeeting is an online conferencing tool developed by LogMeIn. Many solutions of this type exist to let people share desktops and hold meetings remotely, and they offer a number of advantages to organizations.
Any system used by entities covered by the Health Insurance Portability and Accountability Act, more commonly known as HIPAA, must adhere to certain privacy and security rules defined in the Act.
If a tool does not conform to these rules, patient privacy may be compromised and the user may be liable for a HIPAA breach, potentially opening themselves up to large monetary sanctions.
It must be stated that no program or tool can be said to be 100% HIPAA compliant. Even if all the necessary options and settings are in place to protect electronic PHI (ePHI), the tool can still be misused. Compliance depends on users. The covered entity must check that staff are trained and that features are correctly implemented before any PHI is used with the system. Any information transmitted is also subject to the Minimum Necessary Standard.
Is GoToMeeting HIPAA Compliant?
For GoToMeeting to be compliant, it would need to be in line with all aspects of the HIPAA Security Rule.
In terms of end-to-end encryption requirements, GoToMeeting is up to standard: the integrity of transmitted data is protected with HMAC-SHA-1 message authentication codes, while chat, video, audio, and control data are encrypted in transit with AES 128-bit encryption. AES 128-bit encryption meets the current encryption standards recommended by NIST.
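The paragraph above names the two primitives (AES-128 for confidentiality, HMAC-SHA-1 for integrity) but not how a receiver should combine them. The Go program below is an added example written for this page, not GoToMeeting's or LogMeIn's own code, and it shows the standard encrypt-then-MAC composition: encrypt with AES-128, compute the HMAC-SHA-1 tag over the IV and ciphertext, and on receipt verify the tag in constant time before decrypting anything. The CBC mode, the `iv || ciphertext || tag` layout, and the sample keys and message are assumptions made for the illustration; the function names `Seal`, `Open` and `TamperDetected` are mine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
	"io"
)

// ErrAuth is returned whenever the HMAC-SHA-1 tag does not verify; the
// receiver never decrypts unauthenticated data.
var ErrAuth = errors.New("message authentication failed")

// pkcs7Pad brings the plaintext up to a whole number of AES blocks.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad removes the padding; it is only ever called on authenticated data.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty padded block")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Seal encrypts plaintext with AES-128-CBC under a fresh random IV, then appends
// an HMAC-SHA-1 tag computed over iv||ciphertext (encrypt-then-MAC).
// Output layout (assumed for this example): iv (16) || ciphertext || tag (20).
func Seal(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, out); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(ct, padded)
	out = append(out, ct...)
	mac := hmac.New(sha1.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil
}

// Open verifies the tag in constant time first and only then decrypts.
func Open(encKey, macKey, sealed []byte) ([]byte, error) {
	if len(sealed) < aes.BlockSize+sha1.Size {
		return nil, ErrAuth
	}
	msg, tag := sealed[:len(sealed)-sha1.Size], sealed[len(sealed)-sha1.Size:]
	mac := hmac.New(sha1.New, macKey)
	mac.Write(msg)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrAuth
	}
	iv, ct := msg[:aes.BlockSize], msg[aes.BlockSize:]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, ErrAuth
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// TamperDetected seals a message, flips one ciphertext bit "in transit", and
// reports whether Open rejected the modified message with ErrAuth.
func TamperDetected(encKey, macKey, plaintext []byte) (bool, error) {
	sealed, err := Seal(encKey, macKey, plaintext)
	if err != nil {
		return false, err
	}
	sealed[aes.BlockSize] ^= 0x01 // first byte of the ciphertext
	_, err = Open(encKey, macKey, sealed)
	return errors.Is(err, ErrAuth), nil
}

func main() {
	// Constructed keys for demonstration only; real keys come from a key exchange.
	encKey := []byte("0123456789abcdef")     // 16 bytes -> AES-128
	macKey := []byte("hmac-key-for-demo-20") // 20 bytes
	msg := []byte("constructed sample: appointment moved to 3pm")
	sealed, _ := Seal(encKey, macKey, msg)
	pt, err := Open(encKey, macKey, sealed)
	fmt.Printf("roundtrip: %q err=%v\n", pt, err)
	ok, _ := TamperDetected(encKey, macKey, msg)
	fmt.Println("tamper detected:", ok)
}
```

The order of operations is the point: `Open` compares the tag with `hmac.Equal` before any decryption, so a packet altered in transit, a truncated packet, or one authenticated under the wrong key is dropped with the same error and never reaches the padding check. That is the behaviour an integrity control has to show, regardless of which product implements it.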
Audit controls are needed to track which PHI was sent where, by whom, and when. GoToMeeting is also compliant in this respect, as it logs connections and sessions, and account administrators have access to reporting tools.
Another requirement is the ability to authenticate users, which GoToMeeting does by issuing unique meeting codes that can be supplemented with password protection. Meeting organizers can restrict attendance to certain people, who must identify themselves with an email address (or a phone number) and a password. Users can be automatically disconnected after a period of idleness set by the organizer.
Perhaps the strongest point is that GoToMeeting stands behind its tool being HIPAA compliant, stating on its website that “the technical security controls employed in the GoToMeeting service and associated host and client software meet or exceed HIPAA technical standards.” GoToMeeting is also willing to sign a Business Associate Agreement (BAA) with covered entities. This must be signed before the service is used with PHI.
Knowing this, can we say that GoToMeeting is HIPAA compliant? If the BAA is signed prior to use with PHI, then GoToMeeting meets all requirements for HIPAA compliant use.
Covered entities should take into account that GoToMeeting itself advises caution, stating: “Organizations should carefully review all configurable security features of GoToMeeting in the context of their specific environments, user population and policy requirements to determine which features should be enabled and how best to configure.”