COVID-19 really hit the healthcare system under the belt. Did you find yourself scrambling for a HIPAA compliant solution when that happened, too, trying to quickly onboard your patients and continue helping them?
Then you know that having your own HIPAA compliant video conferencing and messaging solution sets your business up for success in the long run.
Table of Contents:
- HIPAA and Co
- White-Label vs. Custom
- Features to Look Out for in HIPAA Compliant Messaging
- Features to Look Out for in HIPAA Compliant Audio and Video Calling
- HIPAA Compliance in Messaging & Calling SDKs
- Nuances of Choosing a HIPAA compliant Conferencing SDK
- Top 3 HIPAA Secure Video Conferencing and Messaging APIs
- Our Experience with HIPAA compliant development
HIPAA and Co
I’m pretty sure you’re familiar with the terms, but let’s get them out of the way asap.
HIPAA is a public law that enforces a set of rules on healthcare providers. These rules set the security and privacy guidelines for handling PHI.
PHI is protected health information — virtually any patient information, such as demographics, medical history, lab results, insurance, etc.
BA is a business associate, a technology partner helping you set up a HIPAA compliant video calling and messaging SDK. And BAA is a business associate agreement that you and your partner need to sign before developing or integrating a telemedicine service.
Now, when creating HIPAA compliant platforms, you’d often look to quickly integrate with external software that enables functionality like video calling, instant messaging, and more. This is where SDKs and APIs come in.
You might want to know the difference between SDK and API. Well, the former is like a code plugin that developers download and merge with custom code to produce your app.
And an API is a set of commands that developers need to know to make your app work with different standalone services. An example of such a command could be, “Sync this message across all the devices with this account.”
The bottom line is SDKs and APIs are tools that help developers build your app faster.
White-Label vs. Custom Secure HIPAA Compliant Video Conferencing and Messaging
Today, when it comes to HIPAA compliant platforms, you can go two ways. One is developing your own custom solution, and the other is white-labeling a telemedicine product. With white-label teleconferencing, you are likely to face:
- Higher licensing costs in the long run
- Standard telemedicine features
- Lack of flexibility to adapt to your processes
In other words, it will be you who will be adapting, not the solution. Consequently, many healthcare companies decide to go the custom route. Having a custom telehealth platform gives them all the freedom over features, branding, and full compatibility with internal workflows.
However, as it turns out, app development costs for custom-developed telemedicine platforms are higher than for a white-label solution. So what’s the way out?
Well, you can choose a video conferencing SDK that complies with the HIPAA rules and plugs into your existing healthcare system. This helps you reach the market faster on a reasonable budget, without having to adapt your processes to a white-label solution.
But how do you decide on what call/messaging SDK to choose with so many variants available? We suggest you do so by reviewing their available feature sets, pricing, support, and integration simplicity. Let’s skim through features first.
Features to Look Out for in HIPAA Compliant Messaging
Whether you’re a patient, doctor, or quite honestly just someone that has a smartphone, it’s unlikely that you go about your day without iMessage, WhatsApp, Hangouts, and other messengers. So, it’s no surprise that as a doctor or medical practitioner you’re looking for more or less the same functionality in a medical chat. Plus, the enhanced security measures that the HIPAA guidelines command.
Still, you should double-check if all advertised functionality of a given SDK actually meets the HIPAA requirements. For instance, Twilio lists chatbot integrations as not yet HIPAA compliant. With that in mind, let’s review some of the features a decent HIPAA compliant messaging API should include.
Push and in-app notifications
Of course, push and in-app notifications are a critical feature for any messaging app. It’s important to note, though, that for healthcare chats, we can’t send any PHI in notifications. So, a pop-up banner can say things like “You’ve got a new message from Dr. M.,” but it must not include any details.
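As an added illustration of the rule above (not code from any SDK mentioned on this page), here is one way a server can shape a push payload so that only a sender alias and an opaque message id leave the backend; the Message class, the alias rule, and the sample values are assumptions made for this example.

```python
"""Added example: keep PHI out of push notifications.

The Message class, sender_alias() rule and sample values are assumptions
for this illustration, not part of any vendor SDK discussed on the page.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Message:
    message_id: str          # opaque server-side id
    sender_display: str      # e.g. "Dr. Martinez"
    body: str                # may contain PHI (diagnoses, lab values, ...)
    attachments: List[str] = field(default_factory=list)  # file names, may reveal PHI


def sender_alias(display_name: str) -> str:
    """'Dr. Martinez' -> 'Dr. M.': keep a clinical title, shorten the surname."""
    parts = display_name.split()
    if len(parts) >= 2 and parts[0].rstrip(".").lower() in {"dr", "nurse"}:
        return f"{parts[0]} {parts[-1][0]}."
    return f"{parts[-1][0]}."


def build_push_payload(msg: Message) -> dict:
    """Only the alias and the message id go to the push provider.

    The device fetches the actual body over an authenticated API call
    after the user unlocks the app, so the notification itself holds no PHI.
    """
    return {
        "title": "New message",
        "body": f"You've got a new message from {sender_alias(msg.sender_display)}",
        "data": {"message_id": msg.message_id},
    }


def payload_leaks_phi(payload: dict, msg: Message) -> bool:
    """Defensive check run before handing the payload to the push provider:
    True if the message body or any attachment name appears anywhere in it."""
    flat = repr(payload)
    sensitive = [msg.body] + list(msg.attachments)
    return any(s and s in flat for s in sensitive)
```

The check in payload_leaks_phi is a last line of defence; the real control is that build_push_payload never reads the body at all.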
One-on-one and group chats
Doctors and patients should be able to chat one-on-one, but then for doctor-doctor communication, inviting a colleague on a call may turn out quite useful. I know Dr. House would love the feature.
Editing and deleting messages
This option is another self-evident part of our messengers today, but it can get complicated if you think of it. Do you let a doctor and patient delete any message at all or just the most recent one? Do you reflect that in the chat history (more on this below)? Do you notify the user if the message has been updated? You’ll run into many nuances like these.
Fortunately, if you decide to go with some HIPAA compliant chat SDK — the answer will be, “Whatever the SDK/API provides.” Because if you add too much custom code around the tool, you’ll have a hard time supporting the app going forward.
User online status
The green and grey dots indicating whether users are online or not. By the way, would you allow an invisible status for doctors who are online but want the privilege of showing as offline to patients?
Delivery/read receipts and typing indication
Pretty self-explanatory and mostly nice-to-have features.
Sending images and videos
Being able to share CT scans and MRIs, physiotherapy videos, and other imagery/videos with peers and patients can go a long way.
Multi-device sync and offline messaging
Since patients likely rotate between several devices throughout the day, it’s a good practice to let them continue the conversation from where they left off on any device. In addition, messages should be queued when there’s no connection and sent automatically from the local cache once the phone reconnects.
User roles and permissions
This option probably makes sense for group chats in a clinical environment, so that, let’s say, medical assistants couldn’t accidentally delete discussions where they participate.
Message history
Messages should be stored safely on a server so that authorized users can easily access them from any device.
Some progressive messaging SDKs offer add-on options like showing how many users have read your message in a group chat, integrations with external chatbots and messengers, keyword filtering, etc.
Features to Look Out for in HIPAA Compliant Audio and Video Calling
Now let’s see what you can get in terms of video calls with a HIPAA compliant SDK for your mobile or web healthcare application development. You may think that video calls are pretty straightforward, and they really are, but there are always nuances.
One-on-one and group video calls
It’s safe to say that after years of calling on FaceTime, Skype, and other apps, we all know what a video call should look like:
- Picture-in-picture video feed
- Camera rotation
- Stickers and reactions
Integration with chat
You’d think that HIPAA compliant teleconferencing SDKs would come bundled with the chat out-of-the-box, but that’s not always the case. Some companies focus exclusively on HIPAA compliant chats, and others — on video or audio calls.
Screen sharing and recording
Screen recording can be used by patients as a fallback option they can refer to, but ideally, doctors keep control over this feature, providing patients with a clip, e.g., demonstrating an exercise when needed.
Customization and integration
As extra functionality, your solution may need to integrate with other APIs, such as enabling a relaxing music background while on the call. And customization may come in handy when you operate out of a home office and need to set a proper background.
Call dashboard for admins
Accessing calls and gathering respective analytics in an admin interface is essential to improving internal clinical workflows.
HIPAA Compliance in Messaging & Calling SDKs
You must be thinking, “Ok, you threw at me a bunch of features. But what about HIPAA? Tell me more about HIPAA in terms of how it applies to damn SDKs, APIs, or what have you.”
Well, when vendors say they are HIPAA compliant, it means they are doing everything possible to protect your and your patients’ data. These include:
- Data encryption
- Multi-factor authentication
- Expiration of idle sessions
- Secure TLS/SSL protocols for data in transit
- User access rights management
- Removing PHI from all publicly accessible interfaces
That’s sort of a bare minimum. There are more technical things app developers need to consider on the server-side as well. Get in touch if you’d like to learn more.
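To make the idle-session, MFA, and access-rights items above (and the roles-and-permissions point from the messaging section) concrete, here is an added example of a minimal session store; it is not taken from any SDK on this page, and the 15-minute timeout, the role names and the permission table are assumptions chosen for illustration.

```python
"""Added example: idle-session expiration plus role-based permission checks
for a clinical group chat. Not vendor code; timeout, roles and PERMISSIONS
are assumptions for this illustration."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumption: 15 minutes of inactivity ends the session

# Assumed permission table: medical assistants may take part but never delete a discussion.
PERMISSIONS = {
    "physician":         {"read", "post", "delete_own", "delete_discussion", "invite"},
    "nurse":             {"read", "post", "delete_own", "invite"},
    "medical_assistant": {"read", "post", "delete_own"},
    "patient":           {"read", "post", "delete_own"},
}


@dataclass
class Session:
    user_id: str
    role: str
    last_activity: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                       # injectable for deterministic tests
        self._sessions: Dict[str, Session] = {}

    def login(self, token: str, user_id: str, role: str, mfa_verified: bool) -> None:
        """No session is issued until the second factor has been verified."""
        if not mfa_verified:
            raise PermissionError("MFA required before a session is issued")
        self._sessions[token] = Session(user_id, role, self._clock())

    def touch(self, token: str) -> Optional[Session]:
        """Return the live session, or drop it and return None if idle too long."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._clock() - s.last_activity > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return None
        s.last_activity = self._clock()
        return s

    def authorize(self, token: str, action: str) -> bool:
        """Every request re-validates the session, then checks the role's rights."""
        s = self.touch(token)
        return s is not None and action in PERMISSIONS.get(s.role, set())
```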
Nuances of Choosing a HIPAA Compliant Conferencing SDK
After shortlisting a couple of variants that have desired HIPAA-eligible features, you need to start looking deeper. You’d have to assess these audio and video calling / messaging APIs from these perspectives:
- Do they offer an API alongside their SDK for messaging, audio calls, and video calls? Do they support all three?
- Do they have a plug-and-play UI kit if you don’t want to spend time designing a custom UI/UX?
- Do they provide licensing or self-hosting options?
Beyond that, you should be looking at things like:
Call quality
Is call quality good enough? How many people can join a call before its quality starts to degrade? How does the SDK handle switching between different types of internet connection?
Scalability
How quickly can you scale this solution?
Multi-device and platform support
Does the SDK you consider work on web browsers and mobile phones/tablets? Does it also support Linux?
Programming language support
Best HIPAA compliant Video Conferencing and Messaging APIs
There are quite a few video and audio conferencing and messaging APIs available when custom-developing your mobile app, but the top three that immediately come to mind are Twilio, Sendbird, and Agora. Worth a look, what do you think?
Twilio
Headquarters: San Francisco, California.
Notable features: “Message consumption horizon” visualizes how many participants have read your message. User roles and permissions for group chats. HIPAA compliant SMS messaging.
NB: the in-app messaging component is not HIPAA-eligible yet, out-of-the-box.
Advantages: Robust platform covering all major communication channels, including SIP.
Sendbird
Headquarters: San Mateo, California.
Notable features: Automatically translates messages into 50+ languages.
NB: Compliance with HIPAA, HITECH, BAA, ISO 27001, EU-US Privacy Shield, GDPR.
Advantages: Offers a UI kit. Signs BAA for chat and video. Probably the best HIPAA compliant text messaging.
Agora
Headquarters: Santa Clara, California.
Notable features: ultra-low latency (~400ms) and resilience to packet loss (up to 70%), which translates to super smooth, stutter-free video calling.
NB: Real-time messaging is in beta.
Advantages: super smooth audio and video conferencing.
Our Experience with HIPAA compliant development
We’ve built custom HIPAA compliant chats and integrated off-the-shelf HIPAA compliant video chats and HIPAA compliant instant messaging at Topflight.
As a matter of fact, we’ve been recently investigating different options for our telemedicine product and have stumbled upon attractive alternatives. Besides decent competitors (such as QuickBlox) who outrun the well-established trio with aggressive pricing, there are also promising variants that focus solely on chat or video calling APIs.
For instance, you could go with PubNub for HIPAA compliant secure messaging and Vonage’s HIPAA compliant video chat API, or find other options based on your telemedicine solution’s requirements.
Take marketing copy on these SDK sites with a grain of salt. Even though it looks as easy as updating your phone’s OS, implementing a HIPAA compliant messaging system or a video calling SDK can be challenging. Often, even a senior developer may stumble once or twice when starting to implement a new SDK. If you’ve been in a similar situation, or have questions around cost or how long it will take to develop your app, or need help with choosing a HIPAA compliant conferencing API for your app, get in touch. Also, check out our article on how to develop a HIPAA compliant app.
How do I know if a chat or calling SDK agrees with the HIPAA rules?
See if the company that offers it is willing to sign a BAA with you.
How much am I saving by going with an off-the-shelf variant?
At least $100,000 in pure development costs.
Since many of these SDKs come for iOS and Android, does it mean developers can copy-paste code into my app and be done?
Someday, coding will be precisely that, but for now, developers working on integrations still need to tweak quite a few things around to make an SDK work with your telemedicine app.
I’ve chosen a HIPAA approved video conferencing SDK and the company that offers it provides both SDK and API. Which one do I need again?
Both. SDK – to plug into your app – and API to teach your app how to “speak” with the cloud. Remember, everything digital lives on servers these days.