Conferencing Platforms Vetted and Approved by UNC for Transmitting, Recording, and Sharing Protected Health Information (PHI)

Important! Using a UNC vetted and approved platform for transmitting, recording, and sharing PHI does not mean your specific use case is appropriate. You need to consider all HIPAA guidelines and policies found in the Privacy of Protected Health Information Policy, as well as the Information Security Controls Standard.

For questions or more information, please contact the School of Medicine Information Security and Privacy Office by opening a Help Request.

School of Medicine Webex (SOM Webex)

  • Recordings are securely stored in and streamed from the Webex cloud.
  • When recordings begin, meeting attendees are prompted to accept being recorded or leave the meeting.
  • Cloud recordings are stored for 3,600 days (less than ten years), then deleted permanently.
  • Cloud recordings can be downloaded.
    • Recordings with PHI can be downloaded to a School of Medicine managed computer that meets the Information Security Controls Standard.
      • It is recommended that downloaded recordings with PHI be uploaded to a vetted and approved storage platform (e.g., OneDrive, Teams) and then deleted from your local computer.
    • Downloaded recordings with no PHI can be uploaded to Panopto* for streaming.
      • *Note: Panopto cannot store or stream recordings with PHI, even with patient authorization.
    • Important! Downloading of recordings by viewers is enabled by default.
      • Downloading must be disabled in your SOM Webex Recordings settings before sharing links to recordings containing PHI.
  • If you reassign your recordings to another user, the user must be authorized to view the patient information and be responsible for managing the recording as stated above.

Zoom HIPAA Account

Users whose primary affiliation is with the School of Medicine should be placed into a Zoom HIPAA account.

  • Signing Into Your Zoom Account
    • You must sign into your Zoom account with Single Sign-On (SSO), not your email and password.
    • You must be signed in to use the Host controls.
    • You can only be signed into one device (e.g., PC, tablet, phone) at a time.
  • If you are not sure if you have a Zoom HIPAA account, you can check by visiting your Zoom Account Profile page. The Account Name will display “HIPAA.” Standard (non-HIPAA) Zoom accounts will display “University of North Carolina Chapel Hill” (UNC).
    • If you schedule meetings or assign Alternate Hosts for other account owners, you must be in the same account type (e.g., a UNC account owner cannot schedule a meeting for a HIPAA account owner).
    • If you want to opt out of your HIPAA account for a UNC account, or if you need to be moved to a HIPAA account from your UNC account, please visit our SOM Zoom Support page for instructions.
  • UNC requires all meetings be secured with one security option in your Zoom account.
    • You can access the Meeting Security settings by clicking “Settings” in the left-side menu, the “Meeting” tab at the top of the page, and “Security” in that section.
    • School of Medicine IT recommends enabling Meeting Passcode and Embed passcode in invite link for one-click join.
    • Please note: If you don’t select either Meeting Passcode or Waiting Room, Zoom will select Waiting Room by default.
  • Recording Zoom Meetings
    • Users can record to the Zoom cloud or locally to their computer.
      • Participant reporting and transcription are not available when recording locally.
    • When recordings begin, meeting attendees are prompted to accept being recorded or leave the meeting.
    • If recording locally, recordings containing PHI can be recorded to a School of Medicine managed computer that meets the Information Security Controls Standard.
      • It is recommended that local recordings with PHI be uploaded to a vetted and approved storage platform (e.g., OneDrive, Teams) and then deleted from your local computer.
      • Local recordings with no PHI can be uploaded into Panopto* for streaming.
        • *Note: Panopto cannot store or stream recordings with PHI, even with patient authorization.
    • Cloud recordings are stored for 30 days, then moved to the trash for 30 days where they can be recovered if needed, then deleted permanently.
    • Cloud recordings can be downloaded.
      • Recordings containing PHI can be downloaded to a School of Medicine managed computer that meets the Information Security Controls Standard.
        • It is recommended that downloaded recordings with PHI be uploaded to a vetted and approved storage platform (e.g., OneDrive, Teams) and then deleted from your local computer.
      • Downloaded recordings with no PHI can be uploaded into Panopto* for streaming.
        • *Note: Panopto cannot store or stream recordings with PHI, even with patient authorization.
  • Zoom Webinar
    • The Zoom Webinar feature requires an additional license on your UNC Zoom account, regardless of which account type you have. For assistance, please visit our Classroom Support page and click the Request Help button.
    • Webinar creates separate links for Presenters and Attendees.
      • When you add a Presenter, Zoom will email them their link. Please request that the Presenter not share this link. It is only intended for their use.
      • The Attendee link is the one intended for sharing with your Webinar audience.
  • More detailed Zoom HIPAA information can be found in the Zoom HIPAA Compliance Datasheet.

Microsoft Teams

Please refer to UNC Storage Offerings for detailed information.


Other Resources for Sharing PHI

  • Sharing Tier 3 Information Other Than PHI – If you are sharing any Tier 3 information other than PHI (e.g., Social Security numbers, payment card information), please review the Information Classification Standard beforehand.
  • Virtual Care Operations should be performed under the guidance of UNC Health. Please refer to the VCC intranet site for updates and resources.
  • For Security questions or more information, please contact the School of Medicine Information Security and Privacy Office by opening a Help Request. 
  • For Video Conferencing support, please click the Request Help or Report Conferencing Issues button on the Video Conferencing home page.

Guidelines for Including Protected Health Information (PHI) and other sensitive information (SI) within a Video Conference

When including patient Protected Health Information (PHI) and other sensitive information (SI) in a video conference, you must adhere to the following guidelines to ensure the security of the information:

  1. You must have patient authorization to share their information and be able to provide documentation if requested.
  2. Only invite attendees or share the conference links with individuals who are authorized to view the content.
  3. The ability to join the conference cannot be made publicly available.
  4. You may not include PHI or SI in the meeting title or in the email invitation.
  5. Limit your data! Only include patient information relevant to the conference meeting.
  6. Emails sent within the UNC Chapel Hill (UNC) system or to UNC Health (UNCH) are considered secure.
  7. For emails containing PHI or SI sent outside the UNC system or UNCH, send using the “secure” function in Outlook. For instructions on how to send secure emails, see the UNC Encrypted Email (Encryption) help article.
  8. If the video conference is recorded, please refer to the Platforms Approved for Sharing PHI tab above.
  9. If you reassign your recordings to another user, the user must be authorized to view the patient or sensitive information and be responsible for managing the recording as stated above.

UNC School of Medicine IT Academic Technology Services

User Agreement and Acceptable Usage Policy for UNC School of Medicine Webex

Effective January 1, 2021

Acceptance of Agreement

Webex is a web and video conferencing service provided by the UNC School of Medicine IT (SOM IT), Academic Technology Services (ATS). This agreement governs the use of the Webex service and is in place to ensure compliance with all applicable University of North Carolina at Chapel Hill (UNC) security policies and standards.

ANY USER SIGNING INTO WEBEX WILL BE ASSUMED TO UNDERSTAND AND AGREE WITH THIS USER AGREEMENT AND ACCEPTABLE USAGE POLICY.

Any User who does not understand or agree with the policy should not log in to the system. For clarification of policies, please submit a ticket to Academic Technology Services (select “Report a Video Conferencing Issue” from the “How can we help you?” field) or call 919-843-9086.

Updates to Agreement

ATS may update this User Agreement at any time and without notification to reflect its organizational needs.

Service Description

Webex is a service provided by ATS for the UNC School of Medicine.

Services to be provided include:

  1. Secure web and video conferencing and telepresence.
  2. Prescheduled conference set up and support.
  3. Password protected meetings.
  4. Permanent personal Webex rooms, which are always open and do not require prescheduling of conferences.
  5. Meeting recording and secure streaming playback.

Acceptable Usage Policy

  1. Use of Webex is for the purpose of university business only.
  2. User will not use or present any content that is in violation of state or federal laws or UNC policies.
  3. When recording, it is the responsibility of the User to make all attendees aware in advance of any conference being recorded.
  4. Inclusion and sharing of Protected Health Information (PHI) must adhere to all HIPAA policies and guidelines.
  5. User must obtain authorization from appropriate parties prior to including, recording, or sharing any content containing sensitive information (e.g. protected health information (PHI), intellectual property, copyright material).
  6. Any use of this service is the responsibility of the User. SOM IT will not assume responsibility for the misuse of content.
  7. User agrees to comply with all applicable UNC security policies and procedures.
  8. SOM IT will not assume responsibility for content that is reported or discovered to be in violation of any aforementioned policies or laws. Any recorded content will be removed pending review, and appropriate action taken if necessary.

Limitation of Liability

SOM IT will have no liability or responsibility in the event of any loss or interruption of the services and/or media content described within this agreement due to causes beyond its reasonable control or ability to foresee.

Denial or Termination of Service

While generally available to all UNC affiliates, the following are potential conditions that may require the denial or termination of service.

  1. Denial of service will be at the discretion of SOM IT Management based on the following:
    1. The intended use of the service by the client is not for university business.
    2. The intended use of the service by the client causes a situation where SOM IT resources are overwhelmed technically, in terms of necessary staffing or otherwise.
    3. The intended use of the service by the client does not match the services that ATS is approved to support.
    4. The client has not followed through with the proper procedure for requesting the necessary service.
    5. The client has been previously found to be in violation of any IT policy within the university such that the action could be repeated.
    6. Any other reason agreed to be appropriate by SOM IT management.
  2. Termination of service will be at the discretion of SOM IT management based on the following:
    1. Violation of the effective User Agreement or any Service Level Agreement (SLA) in place.
    2. It has been determined that the client’s use of the service matches circumstances that would ordinarily have caused a denial of service.
    3. The client’s use of the service is directly causing a negative impact on the quality of service for other users.
    4. Any other reason agreed to be appropriate by SOM IT management.

Support

  1. Users can request support for video conferencing by submitting a ticket to Academic Technology Services (select “Report a Video Conferencing Issue” from the “How can we help you?” field) or by calling 919-843-9086.
  2. Information is available on the video conferencing site at med.unc.edu/webex.