HIPAA Handbook
Ensuring the Security of Protected Health Information
roclub is HIPAA compliant and signs Business Associate Agreements with customers. This section describes the processing of (e)PHI over its full lifecycle, the underlying procedures, and the supporting infrastructure.
Context
Glossary
Remote Session: The web conferencing session in which the Remote Operator views the medical device’s video stream and remote controls it.
roclub Connector: The hardware at customer site, connected to the medical device via a video cable.
Teleoperation Platform: The system of roclub Connector and cloud backend which enables Remote Sessions.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law enacted to protect sensitive Protected Health Information (PHI) from unauthorized access, use, or disclosure. It establishes rules for covered entities (such as healthcare providers, health plans, and clearinghouses) and their Business Associates (BA), requiring them to safeguard patient data through administrative, physical, and technical security measures.
HIPAA consists of several key rules:
- Privacy Rule, 45 CFR part 160: regulates PHI access and disclosures.
- Security Rule, 45 CFR part 160: sets standards for the protection of electronic PHI.
- Transactions and Code Set Rules, 45 CFR part 162: regulate the standardized electronic exchange and coding of PHI to increase efficiency and reduce administrative burden.
- Unique Identifiers Rule, 45 CFR part 162: mandates the use of standardized, unique codes to identify healthcare entities such as organizations, employees, and patients.
- Enforcement Rule, 45 CFR part 160: establishes procedures for investigating HIPAA violations and imposes penalties for non-compliance.
- Breach Notification Rule, 45 CFR 164.400-414: requires healthcare entities to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media, in the event of a breach involving unsecured PHI.
roclub as a Business Associate
Role
roclub fulfills the role of a Business Associate (BA) to the Covered Entity. A Business Associate (BA) is an entity that performs services or functions involving the use or disclosure of protected health information (PHI) on behalf of a covered entity.
The service performed by roclub is the electronic transmission of ePHI in the form of a video stream, originating from a connected medical device at a customer site, to a person authorized by the Covered Entity. This video stream is not stored in any way. USB mouse and keyboard signals are transmitted from the authorized person to the connected medical device.
While roclub operates in the area of diagnostic imaging, roclub does not control or interfere with the technical image creation process or associated assets. The control and responsibility over the creation of images remains with the Covered Entity.
Obligations
A Business Associate must comply with the same HIPAA rules and standards as covered entities. In this page, roclub describes these obligations and the specific implementations that safeguard Electronic Protected Health Information (ePHI) during its electronic transmission as a video stream between the connected medical device at the customer site and the Covered Entity.
Considering the scope of roclub’s activities as a BA, the Privacy, Security, and Breach Notification Rules apply. How roclub ensures compliance is described further in this HIPAA handbook. (Note: the Enforcement Rule also applies to roclub in case of noncompliance and as mandated by the applicable regulatory authorities.)
Security Management Process
Electronic Protected Health Information (ePHI) is processed electronically by roclub’s Teleoperation Platform on behalf of its customers.
This processing can be divided into two main areas:
Remote Scanning, Support and Education
ePHI is physically transmitted from the customer’s medical device to the roclub Connector at the customer site. Due to the specific use case of the Teleoperation Platform, the HIPAA Security Rule is applicable to the ePHI processing.
| Stage | Description | Implementation | Safeguard Responsibility | roclub | Customer |
|---|---|---|---|---|---|
| Creation | The initial generation or recording of ePHI | The connected medical device (e.g. MRI device) creates the video stream | Customer | n/a | Customer is responsible for physical safeguards at customer site. |
| Receipt | ePHI is accepted or obtained from external sources | The video stream is transmitted via HDMI/DP to the roclub Connector at the customer site. | Customer | n/a | Customer is responsible for physical safeguards at customer site. |
| Transmission | The process of sending ePHI electronically from one system or location to another. | The encrypted video stream is transmitted from the Connector to the Remote Operator. A VPN service routes the encrypted video stream to the web conferencing service. | roclub | End-to-end encryption with DTLS 1.3 in line with the internal policy ‘Usage of cryptographic means’. Access by roclub personnel during transmission is not possible, unless roclub is requested to join the actual decrypted session for troubleshooting reasons. See the roclub application support processes for details on how roclub manages access to ePHI in this situation to ensure HIPAA compliance. | n/a |
| Access | The retrieval or viewing of ePHI by authorized individuals or systems for legitimate purposes. | Role-based access controls are configured before video streaming as directed by the customer. | roclub & Customer | roclub’s internal Access Control policy for the Teleoperation Platform uses a role-based access control concept. roclub personnel are never allocated a role that permits retrieving or viewing ePHI. | Customer administrator users manage the registration and role allocation of users. roclub personnel are not considered users that can retrieve and view ePHI. |
| Disclosure | The release or sharing of ePHI with other entities or individuals, in accordance with HIPAA regulations and patient authorizations | The video stream is encrypted and thus cannot be released or shared with other entities or individuals in any way other than by joining the Remote Session controlled by the customer’s Local Operator. | roclub & Customer | End-to-end encryption with DTLS 1.3 in line with the internal policy ‘Usage of cryptographic means’. Access by roclub personnel during transmission is not possible. At no point can roclub decrypt and display the video stream, hence roclub cannot disclose ePHI through the streaming. However, roclub could release or share ePHI if a customer unintentionally includes ePHI in a support ticket. See roclub application support processes. | Customer is responsible for managing the release or sharing of ePHI with other entities or individuals in accordance with HIPAA regulations and patient authorizations. At all times, the Local Operator at site stays in control of the Remote Session. Remote Session participants with a role authorizing them to decrypt and display the video stream must be manually authorized by the customer upon joining the Remote Session. roclub personnel are not allowed such authorizations. |
| Storage | The retention of ePHI in electronic systems or media, ensuring it is securely maintained and accessible as needed | roclub only transmits the video stream from the Connector to the Remote Operator. No PHI is stored at any time. | n/a | n/a | n/a |
| Maintenance | The ongoing management and updating of ePHI to ensure its accuracy, integrity, and relevance over time | roclub only transmits the video stream from the Connector to the Remote Operator. No PHI is stored at any time. No storage of PHI implies no need for maintenance. | n/a | n/a | n/a |
| Deletion | The secure and permanent removal of ePHI from electronic systems or media when it is no longer needed or required to be retained | roclub only transmits the video stream from the Connector to the Remote Operator. No PHI is stored at any time. No storage of PHI implies no need for deletion. | n/a | n/a | n/a |
The respective data flow is defined in https://knowledgebase.roclub.io/en-en/requirements-fio6fuu/connectorV2/solution_architecture/
roclub application support processes
ePHI is not accessible to roclub personnel or systems from within the cloud backend or the roclub Connector. Technical support processes and insights are limited to the technical functioning of the Teleoperation Platform.
The Teleoperation Platform allows users to create support tickets indicating their need for roclub support. Users are obliged not to include any ePHI in support tickets. Confirming that the support ticket does not include any ePHI is a required checkbox before a ticket can be created and transmitted to roclub. Should a customer nevertheless share ePHI in a support ticket, the below ‘roclub Policies and Procedures’ are in place to safeguard ePHI in this scenario.
On the customer’s request, a roclub support representative can be invited to join a Remote Session for troubleshooting purposes. Customers are responsible for making sure that no patient data is accessible to the representative before approving them to join the Remote Session. If customers require immediate support and cannot rule out ePHI being visible in the video stream, roclub representatives might come into contact with ePHI. The below ‘roclub Policies and Procedures’ are in place to safeguard ePHI in this scenario as well.
Interoperability considerations
Data Exchange
The processed ePHI is encrypted and transmitted by roclub, and only decrypted by the authorized Remote Operator at the customer’s side. This procedure does not require any data exchange external to the closed system of the Teleoperation Platform.
Standards for Electronic Transactions
No ePHI is stored, hence there are no processes that create stored data which could be subject to standardized data transmission formats.
Patient Access to Health Information
No ePHI is stored. Hence, there are no processes that create stored data which could be accessed by patients.
Security and Privacy
Within the processing of ePHI in the scope of the roclub Teleoperation Platform, numerous safeguards exist to keep ePHI secure and confidential, as set out in the below ‘roclub Policies and Procedures’. Security and privacy considerations related to the diagnostic images produced and stored at the customer site fall under the responsibility of the customer.
roclub Policies and Procedures
roclub operates on an ISO 27001 certified Information Security Management System (ISMS) with yearly audits.
The roclub Teleoperation Platform is certified as a medical device by the US Food and Drug Administration (FDA) for the US market.
A Quality Management System (QMS) for the development of the medical devices is implemented. The certification of the same is in progress and expected to be completed in mid 2025. The assembly of the hardware is outsourced to a certified medical device manufacturer.
A number of guidelines, policies and procedures govern the management of ePHI at roclub, covering risk management as well as physical and technical protective measures:
- 6.1.2 Information security risk assessment: Risk identification and assessment
- Workplace Security policy: Visitor control, work site security
- Access Control: Assignment, review and termination of access.
- Information security awareness, education and training: Information Security awareness and training sessions.
- HIPAA Safeguards: General physical and network (technical) safeguards
- Information Security incidents & Data Privacy breaches: Handling of data breaches and notification procedure
- Secure development, procurement and maintenance policy: Unique identification of users and systems, categorization of authorized personnel
- Vulnerability Management: Identification, assessment and addressing of vulnerabilities
- Information Security Policy for Suppliers: Information security provisions for suppliers
Policies are not published publicly. Please contact privacy@roclub.com for inquiries.
Business Associate Agreement
roclub signs Business Associate Agreements (BAA) with US-based customers. This agreement outlines the responsibilities and the permitted uses and disclosures of PHI to uphold the Covered Entity’s compliance to HIPAA when contracting roclub.
Roles within roclub
Safety & Privacy Officer
Responsible for administrative measures, training and supervision regarding procedures and guidelines and oversees compliance with HIPAA privacy rules.
Information Security Officer
Implements, trains and oversees security measures to protect electronic PHI and manages security incidents and breaches.
Patient Rights
roclub takes patients’ rights as defined by HIPAA seriously. Due to the nature of our services, no ePHI is stored at roclub. We therefore require patients to contact the Covered Entity to exercise their HIPAA-related patient rights (access, change, etc.).
Subcontractors
roclub employs several subcontractors to support the delivery of its services. This chapter discusses the subcontractors that process ePHI.
We leverage the web conferencing services of LiveKit, Inc., San Francisco Lab 2, Marina Blvd B300, San Francisco, CA 94123, USA. LiveKit’s service consists of providing the web conferencing infrastructure that handles the distribution and routing of media streams between participants with minimal latency and high reliability. LiveKit acts as a selective forwarding unit (SFU), meaning it routes these encrypted streams between participants without decoding, viewing, or otherwise processing their content. roclub has signed a BAA with LiveKit, Inc.
Furthermore, we use the services of Tailscale, Inc., 12151 Saraglen Drive, Saratoga, California, 95070, USA to create a virtual private network (VPN). This VPN forms an encrypted communication tunnel through which all data, including the already encrypted audio and video streams, are securely transmitted. Tailscale itself does not have access to any unencrypted data. It does not inspect, store, or process the media content; it merely provides the networking layer that ensures traffic flows securely between endpoints. At no point does Tailscale have visibility into the contents of the signal. Hence, Tailscale functions purely as a secure conduit for encrypted data. As such, under the HIPAA Conduit Exception Rule, Tailscale qualifies as a conduit and is not considered a Business Associate. This exemption applies because Tailscale does not store or access protected health information (PHI), and its role is limited to the transmission of encrypted data in a manner analogous to common carriers such as internet service providers.