Can HIPAA-Covered Entities Use GoToMeeting?

GoToMeeting is an online meeting and video conferencing tool offered by LogMeIn. It helps businesses improve communication and collaboration with their associates, customers and other entities. Healthcare organizations can also benefit from using GoToMeeting, provided it is HIPAA compliant. Using a service that is not HIPAA compliant will result in the violation of patients’ privacy, a breach of HIPAA rules and the potential payment of a sizable financial penalty.

Is GoToMeeting HIPAA compliant? Before looking at the technical safeguard features of GoToMeeting, it should be noted that it is possible to use HIPAA compliant software and tools in a non-compliant way. The HIPAA-covered entity or business associate is responsible for making sure that any software or program it uses is configured properly and used appropriately. It is their job to make sure that PHI is only shared with authorized people and that the minimum required standard is in place.

GoToMeeting states on its website that “the technical security controls employed in the GoToMeeting service and associated host and client software meet or exceed HIPAA technical standards.” Here are the reasons why GoToMeeting is considered HIPAA compliant:

  • GoToMeeting uses full end-to-end data encryption. All data in transit are protected using HMAC-SHA-1 message authentication codes. Chat, audio, video and control data in transit are protected using AES 128-bit encryption.
  • GoToMeeting has audit controls. It creates logs of connection and session activity with access to reporting and management tools for account managers.
  • GoToMeeting uses unique meeting codes and offers the option to set strong passwords to ensure that only authorized persons can gain access to the system. Meetings are not publicly listed, and meeting organizers can restrict who can and cannot join the meetings. Users who want to join a meeting are identified using a unique email address or number with a password. Users are also automatically logged out if inactive for a certain time period.

Aside from the technical features of GoToMeeting that meet HIPAA requirements, covered entities must have a Business Associate Agreement (BAA) with GoToMeeting before using the platform for communicating PHI.

So, can HIPAA-covered entities and business associates use GoToMeeting? Certainly. Just make sure to configure the settings appropriately to meet the needs of the specific environment and user population. Also, there must be a signed BAA prior to using the service.