Is YouTube HIPAA compliant?


HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards.

Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI).

We know the HIPAA industry is vast and that it is important to properly showcase your organization while remaining safe and HIPAA compliant.


Today, we will determine if YouTube is HIPAA compliant or not.


About YouTube

YouTube is an online video sharing and social media platform launched in 2005 and purchased by Google in 2006.


YouTube is currently the second most visited website (after Google) with more than 2 billion monthly users. A large part of its growth comes from Google expanding YouTube into mobile applications and television/movies.

The platform easily links to and from other services, such as social media. Moreover, Google and other search engines tend to show videos frequently in searches.


YouTube and the business associate agreement

A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI.

In this instance, YouTube is a business associate for a healthcare organization if it handles PHI.


Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI to a business associate if they receive assurance that the information is protected through a signed BAA.

Google will sign a BAA for some of its products, but not YouTube. Furthermore, no BAA for YouTube is listed on any of the Google security web pages or on YouTube's website.

Moreover, a Google HIPAA document affirms, “Any Core Services not listed . . . may not be used . . . with PHI.” YouTube is not listed.

YouTube, data protection, and HIPAA marketing

Google utilizes encryption and has several physical layers of security around its data centers. User access is controlled through two-factor authentication, but once signed in, a device can stay signed into an account.

And according to a YouTube data web page, signed-in activity (e.g., watch and search history) is saved to a Google account. However, account holders can control the settings as needed.

Google also reiterates that the company uses data to improve usability and to cater ads; YouTube insists it does not sell any data.


Targeted PPC advertisements (based on keyword searches) are generally allowed under HIPAA, though retargeting (using cookies to bring ads to users) is not.

YouTube is part of Google’s AdSense program, which generates revenue from targeted ads for both the advertiser and the site where the content is shown.


As a leader in PPC advertising, Google has firm rules when it comes to healthcare ads and does not utilize retargeting.

Is YouTube HIPAA compliant?

The BAA is a key component of HIPAA compliance and YouTube does not appear to offer a BAA.

Unfortunately, if a breach or HIPAA violation occurs and any PHI is visible, the covered entity is liable.


Conclusion

YouTube is not HIPAA compliant.


About the author

Kapua Iao
