West Virginia University Computer Security and Privacy Incident Reporting System
File An Incident Report Learn more about defending your data.Content on this website will be moved to the IT Help Center at it.wvu.edu/help on Sunday, May 19. If you cannot find an article you need, please call the ITS Service Desk at 304-293-4444.
Mountaineer Doctor Television
HSC-ITS Zoom Recording Policy for Clinical Supervision
HSC-ITS Zoom Recording Policy for Clinical Supervision
Student or Resident Patient Encounter Recordings with Faculty Oversight & Assessment
Zoom Account Configuration:
- Each student/resident will be issued their own individual HSC Zoom acct managed under HSC’s Business Associate Agreement with ID solution/Zoom for Telehealth
- Zoom Account will be set and locked to record to the cloud only with auto-delete of cloud recordings set at 10 days
- Zoom Account will be set to require a randomly generated Meeting ID for each patient consultation. Password and Waiting Room will also be enabled and required for each patient consultation.
- Cloud recording download ability will be disabled and locked
- This will prevent the student/resident/faculty from downloading the cloud recordings
- Zoom Account will be set that Only Authenticated Users can view cloud recordings and require a password to view the cloud recordings will be enabled and locked.
- Faculty members will need to have a licensed Zoom account under HSC portal in order to be considered an Authenticated User.
- Recording will be setup to auto-delete from the cloud at 10 days.
Student/Resident Responsibility:
- Students/Residents will use their assigned or personally owned device to host Zoom session and record the session locked to record to cloud only.
- Student/Resident will provide url and auto-generated random password to supervisor to view recording stored in the cloud.
Department Responsibility:
- Department will create a workflow and process to send Patient Consent and Video/Audio recording Consent forms to patients electronically – workflow and process must be approved by Privacy officer.
- Example: The Quin Curtis Center will use HSC Qualtric to manage tele-consent forms and will create process for download/import into Titantium.
- Department will establish policy to ensure the HIPAA technical, physical and administrative safeguards are being met at all times. See below for safeguards at home that should also be followed.
- Users are required to continue to follow all HSC HIPAA policies, procedures, and standards and ensure to operate in a secure environment at home and locking their PC when walking away, as well as reporting incidents to the HSC Privacy and Security Team. https://intranet.hsc.wvu.edu/hsc-standards-policies-procedures-and-interim-hipaa-privacy-and-security-policies/home/
- Make sure you are in a private well lit room with little backlighting so the patient is able to see you well; have the camera at eye level and your computer’s microphone on.
- Use of headsets should be required for privacy purposes
- Employees should not allow any friends, family, etc. to use devices that access PHI.
- If not completed, have each employee/student sign a Confidentiality Agreement to assure the utmost privacy when handling PHI.
- Employees who store hard copy (paper) PHI in their home office need a lockable file cabinet or safe to store the information.
Employees are required to have a cross-cut shredder at their location for the destruction of paper PHI once it is no longer needed. The department dean or designated representative must specify and approve when it is ok to dispose of any paper records and who specifically is allowed to retain and print at home. https://intranet.hsc.wvu.edu/hsc-standards-policies-procedures-and-interim-hipaa-privacy-and-security-policies/phi-reviewed-4-22-2019/proper-removal-disposal-of-phi/
- Employees must follow HSC’s Proper Removal and Disposal of PHI Policy for disposal of all PHI or devices storing PHI. https://intranet.hsc.wvu.edu/hsc-standards-policies-procedures-and-interim-hipaa-privacy-and-security-policies/equipment-disposal-policy-reviewed-4232019/proper-removal-and-disposal-of-phi/
- Employees should never copy PHI to external media or locations that are not prior approved by the HSC ITS. This includes flash drives, external hard drives, OneDrive, Google Drive, Dropbox, unapproved cloud locations, personal devices etc.
- HSC ITS audits account access and remote activity, and reviews this periodically. HSC ITS must be notified immediately of any user voluntary or involuntary account terminations in order to ensure access is removed
- Employees must be reminded that violation of these procedures will be subject to the HSC Sanction Policy and/or civil and criminal penalties. (https://intranet.hsc.wvu.edu/hsc-standards-policies-procedures-and-interim-hipaa-privacy-and-security-policies/sanction-policy-and-procedures-reviewed-4-22-2019/sanction-policy/ )
Reference:
https://www.totalhipaa.com/hipaa-compliance-working-remotely/
https://it.wustl.edu/telecommuting/wusm-telecommuting/
https://its.yale.edu/remote-work-clinical-faculty-and-staff-working-covered-entity
Interested in Learning More? Contact Us Today: 304-293-6926 or mdtv@hsc.wvu.edu