Comment on page
HIPAA compliant setup
A HIPAA compliant setup comes at no additional cost for customers on an annual plan. This page describes how to set up your meeting rooms in a compliant manner.
Our HIPAA compliant setup information was updated in May 2023 to include rooms of all sizes (including our "group" roomMode), as well as cloud recording.
The HIPAA compliant on-demand capability for Whereby is available only on our Grow plans. For any questions about pricing options or enabling the HIPAA add-on, reach out to your Whereby contact or contact sales.
The following information describes what it means to use the HIPAA compliant capabilities of Whereby. Follow the steps below to get started:
- 1.Review all the information on this page to gain an understanding of our HIPAA capabilities and how can they be used.
- 2.
- 3.
Whereby has prepared and will sign a standard Business Associate Agreement that is adequate for all of our HIPAA compliant customers, at no extra charge. Should there be a need to sign a different BAA than what we offer, we are also open to having our legal counsel review it internally and proceed with it provided there are no issues.
To ensure a Business Associate Agreement is signed, reach out to your Whereby contact and they will provide the ready to be signed agreement.
Follow the steps below to verify you've created rooms that are HIPAA compliant. Additional information for some points is linked for further clarification.
- 1.In the API request set
isLocked: true - 2.
- 3."roomPreferences": {"streaming": false}
- 4.Consult our team for any additional security preferences or parameters
Note: As of May 2023, all room sizes on Whereby are HIPAA compliant. You no longer need to specify "normal" mode to remain compliant.
The recording capability means that the meeting, including audio, video and screen-share content will be captured and saved depending on the options chosen.
Update: Whereby is proud to now offer HIPAA compliant cloud recording, in addition to our previously available HIPAA compliant local recording. To remain HIPPA compliant while using cloud recording, you need to store the recordings in an S3 storage managed by your organisation.
The reason our recording options are considered compliant is that Whereby does not, in any way store the recordings.
To ensure that recording is enabled, refer to the Whereby REST API documentation to specify your desired
recording.type equal to local or cloud. If you choose cloud recording type, make sure to setup your Amazon S3 account and configure the provider equal to s3 as the recordings destination for the meeting room. Cloud recording is considered HIPAA compliant as long as the recording files are saved to a customer owned and controlled S3 storage buckets.
We also request that you create a bucket with a specific bucket policy to ensure compliance:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListAndPutRecordings",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<aws_account_id>:user/<aws_user>"
},
"Action": [
"s3:ListBucket",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::<recording_bucket>",
"arn:aws:s3:::<recording_bucket>/*"
]
}
]
}
It is the responsibility of the person that initiated the recording and saved it locally to adhere to HIPAA requirements. Be sure to assess internally if this is something that can be accept per your HIPAA compliant policies.
Whereby cannot control what happens to a local recording.
The use of recording is not required and if preferred can be disabled entirely. Please refer to the Whereby REST API documentation and use
recording.type = none For our HIPAA compliant customers, we recommend the use of random names to avoid accidental usage of PHI (protected health information) or PII (personal identifiable information). This also ensures there is no pattern in place that can be used to identify the purpose of a meeting.
The client device communicates the display name when it joins the room and then there is a custom
send_client_metadata event which is broadcast to all the participants in the room by the Signal server.To ensure HIPAA compliance, the display name can simply be used as is.
For an added measure of pseudo-anonymization or as a way of more easily integrating Whereby Embedded with your own app, the display name for a participant can be preset. This can be useful in several scenarios:
- Scenario 1: if you want to use various identifiers for a user rather than the actual name, e.g. instead of
Jane Doe, it will beparticipant 1, thus adding a pseudo-anonymization measure to fit in with your current setup. - Scenario 2: if you want a seamless integration with with your user handling flow, where e.g. one user is logged into your web app and you would like to pick up their
userIdoruserNameand have it as the display name in Whereby.
To do either of the above, you can refer to the "Using URL parameters" section of the Whereby Developer documentation and use the URL parameter
?displayName= The Whereby Embedded chat is HIPAA compliant by default, as information is not stored and is only available for the participants for the duration of the call.
Customers can choose to either rely on the Whereby chat knowing that the information will not be stored nor accessible after the call OR they can build their own elsewhere in their platform.
There is no need to do anything to enable the HIPAA compliant in-room chat as it is already enabled and available for all customers, regardless of using the Whereby Embedded HIPAA compliant package or not.
By default and through enforcement of our infrastructure's encryption capabilities, Whereby is accessible only via TLS 1.2 with specific ciphers enabled, as described in our advisories and as it can be seen from our A+ grading on SSL Labs.
There is no action required to enable encryption in transit as it is already enabled and available for all customers, regardless of whether they are using the Whereby Embedded HIPAA compliant package or not.
As a covered entities, Whereby Embedded customers may require to audit their suppliers based on their internal policies but also to showcase that they have ensured they are using HIPAA compliant products and services.
To support the HIPAA compliance of our customers, we will gladly provide our ISO27001 certificate and our HIPAA compliance checklist, which documents how Whereby complies with specific HIPAA rules . For further information, reach out to your Whereby contact.
Whereby Embedded can be used in a HIPAA compliant setup by our customers, however this comes with limitations that need to be in place to have adequate security and compliance with the requirements of the law.
- Streaming - Whereby meetings cannot be live streamed (using RTMP) and we also do not envision scenarios where a private, health related discussion will need to be live-streamed. Make sure you don't include any streaming config when you create rooms.
Last modified 30d ago