UIS.601.1 Using Zoom for Telehealth

In support of UIS 600 Regulated Data Security

In order to maintain compliance with the Department of Health and Human Services (HHS) regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Georgetown University protects the privacy and security of protected health information with a set of cyber security standards and practices for its information systems, data processors, suppliers, and user accounts.

Each health practitioner, researcher, and program manager who collects or processes protected health information (PHI) must adhere to these guidelines and their associated procedures in order to support and be compliant with the University General Counsel and Information Security framework.

Georgetown’s Zoom instance is designed and architected as a secure and scalable video/audio conferencing and collaboration tool. At the moment, it is not deployed for use with protected health content.

No Longer In Effect (2023) – HHS Telehealth Discretion During Coronavirus

March 2020

During the COVID-19 nationwide public health emergency, the Department of Health and Human Services (HHS) has mandated that covered health care providers subject to the HIPAA Rules may seek to communicate with patients, and provide telehealth services, through remote communications technologies.

Even though some of these technologies, and the manner in which they are used by HIPAA covered health care providers, may not fully comply with the requirements of the HIPAA Rules, the HHS Office of Civil Rights (OCR) will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately.

At Georgetown, the General Counsel’s Office and University Information Services have coordinated to make Zoom teleconferencing available to the University’s Counseling and Psychiatric Services (CAPS) and the Student Wellness and Counseling Center (SWCC) as an audio or video communication technology for providing telehealth to students or affiliated patients during the COVID-19 public health emergency.

It is important to note that Georgetown’s Zoom instance is not the same as Zoom for Healthcare and is therefore not HIPAA compliant. In the interest of patient privacy and security, every Georgetown counseling professional is required to comply with the following best practices and acceptable usage of Zoom during this period.

  • Only use Georgetown’s enterprise Zoom (not the consumer version).
  • Notify patients that the session does not guarantee the same privacy as an in-person visit does.
  • Do not use the same Zoom connection numbers/links repeatedly for multiple patients.
  • Do not record counseling sessions.
  • Monitor attendance to ensure that only invited participants are present throughout the session.
  • Validate attendee names and phone numbers that display in the participant window.
  • Check that wired or wireless networks are encrypted and secure for all participants.
  • Encourage participants not to be in public areas where sessions can be overheard or intruded upon.
  • At the conclusion of every session, be sure to “end the meeting” completely to ensure all participants are disconnected.

Georgetown is exploring how we can include secure and protected telehealth methods for the delivery of services to students and family members. Updates and additional information will be provided as it becomes available from the University or from the Department of Health and Human Services.

Reference: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html

Reviewed and Approved March 2020