HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.
Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).
We know the HIPAA industry is vast and that it is important to properly showcase your organization while remaining safe and HIPAA compliant.
RELATED: Why is healthcare a juicy target for cybercrime?
Today, we will determine if YouTube is HIPAA compliant or not.
SEE ALSO: HIPAA compliant email
About YouTube
YouTube is an online video sharing and social media platform launched in 2005 and purchased by Google in 2006.
RELATED: Google & HIPAA compliance: the ultimate guide
YouTube is currently the second most visited website (after Google) with more than 2 billion monthly users. And a large part of its growth is because Google expanded YouTube into mobile applications and television/movies.
The platform easily links to and from other services, such as social media. Moreover, Google and other search engines tend to show videos frequently in searches.
RELATED: Social media & HIPAA compliance: the ultimate guide
YouTube and the business associate agreement
A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involves the use or disclosure of PHI.
In this instance, YouTube is a business associate for a healthcare organization if it handles PHI.
RELATED: Is a name PHI?
Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI to a business associate if they receive assurance that the information is protected through a signed BAA.
Google will sign a BAA for some of its products, but not YouTube. Furthermore, YouTube does not list a BAA on any of the Google security web pages nor on its website.
Moreover, a Google HIPAA document affirms, “Any Core Services not listed . . . may not be used . . . with PHI.” YouTube is not listed.
YouTube, data protection, and HIPAA marketing
Google utilizes encryption and has several physical layers of security around its data centers. User access is controlled through two-factor authentication but once signed in, a device can stay signed into an account.
And according to a YouTube data web page, signed-in activity (e.g., watch and search history) is saved to a Google account. However, account holders can control the settings as needed.
Google also reiterates that the company uses data to improve usability and to cater ads; YouTube insists it does not sell any data.
RELATED: HIPAA definition of marketing explained
Targeted PPC advertisements (based on keyword searches) are generally allowed under HIPAA though retargeting (using cookies to bring ads to users) is not.
YouTube is part of Google’s AdSense program, which generates revenue from targeted ads for both the advertiser and where the content is shown.
RELATED: Is Google Ads HIPAA compliant?
As a leader in PPC advertising, Google has firm rules when it comes to healthcare ads and does not utilize retargeting.
Is YouTube HIPAA compliant?
The BAA is a key component of HIPAA compliance and YouTube does not appear to offer a BAA.
Unfortunately, if a breach or HIPAA violation occurs and any PHI is visible, the covered entity is liable.
SEE ALSO: The best HIPAA compliant social media tools (and which to avoid)
Conclusion
YouTube is not HIPAA compliant.
