Summary Report: Nefsis Video Conferencing & HIPAA


Health care entities and providers use video conferencing to improve efficiency and reduce travel costs for both themselves and their patients. Consultations held as online meetings between providers, or between providers and patients, afford privacy, security and real-time interaction, without the inconvenience of traveling or waiting.

Wherever healthcare and technology overlap, questions about the Health Insurance Portability and Accountability Act (HIPAA) inevitably arise. Title II of HIPAA deals with the privacy and security of electronic healthcare transactions and sets out criteria for compliance.

In short, Nefsis is not a health-related business or a “covered entity” under HIPAA, nor is it a “business associate” of a covered entity under the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Covered entities and their business associates may securely and privately use Nefsis in healthcare-related video conferences. While control over the selection of content shared by users in an online meeting rests with those covered entities and business associates, Nefsis provides the capabilities to help them comply with HIPAA.

Overview of HIPAA

Title II of HIPAA includes five rules of “Administrative Simplification” for making healthcare more efficient and medical information more accessible, and two of them — the Privacy Rule and the Security Rule — relate to electronic data communication.

HIPAA and the Department of Health and Human Services (HHS) define the “covered entities” to which these rules apply: health plans; health care clearinghouses, such as billing services and community health information systems; and health care providers that transmit health care data in electronic form.

Since Nefsis does not fall into any of these categories, it is not a covered entity under HIPAA.

How HIPAA relates to video conferencing

The Privacy Rule governs the ways in which information about a patient’s health status, treatment and payment is used and disclosed. The rule applies to covered entities — not to providers of video conferencing services — and requires covered entities, among other things, to take reasonable steps to ensure confidentiality in communicating this information.

The Security Rule sets out standards for keeping Electronic Protected Health Information (EPHI) safe. Of note is its Technical Safeguards provision, setting rules for access to computers and the secure communication of EPHI over public networks to protect it from interception by anyone other than the intended recipient.

Again, compliance with these safeguards rests squarely with the covered entities, which, under 45 CFR 164.312, must “implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” As they relate to video conferencing, these measures include “a mechanism to authenticate EPHI,” “a mechanism to encrypt and decrypt EPHI,” and “policies and procedures to protect EPHI from improper alteration or destruction.”


Authentication is the process of verifying that an entity — user, administrator, conference participant, computer, conference server — is who or what it claims to be.

Nefsis lets conference hosts create secure conferences with conference room passwords. Nefsis also provides an authentication option to dial out to participants, instead of having them dial in for the audio portion of the conference. In addition, conference hosts can visually recognize and check every meeting participant, whether or not that participant has enabled a video feed, and can expel any participant at any point in the conference.


Encryption keeps the video conference private and prevents eavesdropping.

Nefsis' secure settings require an SSL3-/TLS-encrypted connection for all users prior to joining a conference. In addition, connections are encrypted from end to end, including all participants and the conferencing server. Nefsis also sends all conference content (live data sharing, presentations, Voice over Internet Protocol and video) over secured TCP/IP connections. Nefsis secures the video conference and helps covered entities comply with HIPAA, with no noticeable effect on video quality.


A third measure relates to securing access to and preserving the integrity of EPHI.

Nefsis gives users the option of storing conference content that could be regarded as EPHI. Covered entities choosing to save conferences for inclusion as EPHI may safely record Nefsis content to their own HIPAA-ready electronic health record (EHR) system. Nefsis also provides an option to save conference presentation material on Nefsis servers. However, when this feature is deselected, no conference data is saved. In this case, covered entities need not worry about compliance with guidelines relating to the storage and archival of medical information.


Since a company providing video conferencing services, like Nefsis, is not a covered entity or a business associate of a covered entity under HIPAA, there are no particular rules to observe. Nevertheless, Nefsis helps these entities maintain HIPAA compliance by providing a superior level of security for online meetings.

With its high standards of authentication and encryption, Nefsis exceeds the Technical Safeguards of HIPAA’s Security Rule. As for guidelines on the integrity of health information: covered entities may safely store Nefsis conference content in any HIPAA-ready EHR system.

Contact us

Schedule a live demo and see Nefsis over the web. You can also contact us with any questions you may have regarding HIPAA and secure video conferencing.
