HIPAA compliant setup
A HIPAA compliant setup comes at no additional cost for customers on an annual plan. This page describes how to set up your meeting rooms in a compliant manner.
Last updated
Was this helpful?
A HIPAA compliant setup comes at no additional cost for customers on an annual plan. This page describes how to set up your meeting rooms in a compliant manner.
Last updated
Was this helpful?
The HIPAA compliant on-demand capability for Whereby is available only on our . For any questions about pricing options or enabling the HIPAA add-on, reach out to your Whereby contact or .
The following information describes what it means to use the HIPAA compliant capabilities of Whereby. Follow the steps below to get started:
Review all the information on this page to gain an understanding of our HIPAA capabilities and how can they be used.
Sign our by .
Follow the instructions to .
Whereby has prepared and will sign a standard Business Associate Agreement that is adequate for all of our HIPAA compliant customers, at no extra charge. Should there be a need to sign a different BAA than what we offer, we are also open to having our legal counsel review it internally and proceed with it provided there are no issues.
Follow the steps below to verify you've created rooms that are HIPAA compliant. Additional information for some points is linked for further clarification.
In the API request set isLocked: true
Consult our team for any additional security preferences or parameters
Note: As of May 2023, all room sizes on Whereby are HIPAA compliant. You no longer need to specify "normal" mode to remain compliant.
The recording capability means that the meeting, including audio, video and screen-share content will be captured and saved depending on the options chosen.
The reason our recording options are considered compliant is that Whereby does not, in any way store the recordings.
The client device communicates the display name when it joins the room and then there is a custom send_client_metadata event which is broadcast to all the participants in the room by the Signal server.
To ensure HIPAA compliance, the display name can simply be used as is.
For an added measure of pseudo-anonymization or as a way of more easily integrating Whereby Embedded with your own app, the display name for a participant can be preset. This can be useful in several scenarios:
Scenario 1: if you want to use various identifiers for a user rather than the actual name, e.g. instead of Jane Doe, it will be participant 1 , thus adding a pseudo-anonymization measure to fit in with your current setup.
Scenario 2: if you want a seamless integration with your user handling flow, where e.g. one user is logged into your web app and you would like to pick up their userId or userName and have it as the display name in Whereby.
The Whereby Embedded chat is HIPAA compliant, as long as you have 'Make chat downloadable' toggled off in your Configuration settings and do not use the URL parameters to turn on chat export. With these settings turned off, information is not stored and is only available for the participants for the duration of the call.
Customers can choose to either rely on the Whereby chat knowing that the information will not be stored nor accessible after the call OR they can build their own elsewhere in their platform.
There is no need to do anything to enable the HIPAA compliant in-room chat as it is already enabled and available for all customers, regardless of using the Whereby Embedded HIPAA compliant package or not.
There is no need to do anything to enable the HIPAA compliant file sharing as it is already enabled and available for all customers, regardless of using the Whereby Embedded HIPAA compliant package or not.
There is no action required to enable encryption in transit as it is already enabled and available for all customers, regardless of whether they are using the Whereby Embedded HIPAA compliant package or not.
As a covered entities, Whereby Embedded customers may require to audit their suppliers based on their internal policies but also to showcase that they have ensured they are using HIPAA compliant products and services.
Whereby Embedded can be used in a HIPAA compliant setup by our customers, however this comes with limitations that need to be in place to have adequate security and compliance with the requirements of the law.
Live Streaming - Whereby meetings cannot be live streamed (using RTMP), and we also do not envision scenarios where a private, health-related discussion will need to be live streamed. Make sure you don't include any live streaming config when you create rooms.
To ensure a Business Associate Agreement is signed, and they will provide the ready to be signed agreement.
Set the pattern in the API request roomNamePattern = uuid
Disable and room integrations by including the following in your POST creation requests:
Update: Whereby is proud to now offer HIPAA compliant , in addition to our previously available HIPAA compliant . To remain HIPAA compliant while using cloud recording, you need to store the recordings in an S3 storage managed by your organisation.
To ensure that recording is enabled, refer to the to specify your desired recording.type equal to local or cloud. If you choose cloud recording type, make sure to setup your Amazon S3 account and configure the provider equal to s3 as the recordings destination for the meeting room.
Cloud recording is considered HIPAA compliant as long as the recording files are saved to a customer owned and controlled S3 storage buckets. We also request that you create a bucket with a specific to ensure compliance:
The use of recording is not required and if preferred can be disabled entirely. Please refer to the and use recording.type = none
For our HIPAA compliant customers, we recommend the use of random names to avoid accidental usage of (protected health information) or PII (personal identifiable information). This also ensures there is no pattern in place that can be used to identify the purpose of a meeting.
To do this, refer to the and use roomNamePattern = uuid
To do either of the above, you can refer to the "" section of the Whereby Developer documentation and use the URL parameter ?displayName=
is considered to be HIPAA compliant, as files are securely stored and only available to the participants for the duration of the session. All files are permanently deleted within 1 minute from the end of the session or from the moment when there is only 1 participant left in the room. They are not backed up and cannot be retrieved after the session.
is designed to protect ePHI (Electronic protected health information) and supports compliance with the HIPAA Security Rule.
By default and through enforcement of our infrastructure's encryption capabilities, Whereby is accessible only via TLS 1.2 with specific ciphers enabled, and as it can be seen from our .
To support the HIPAA compliance of our customers, we will gladly provide our ISO27001 certificate and our HIPAA compliance checklist, which documents how Whereby complies with specific HIPAA rules . For further information, .
Integrations - We have integrations built with Miro and YouTube that can be used in Whereby meeting rooms. Because these providers are not HIPAA compliant, you must make sure to disable integrations with unless you're using another parameter that hides them like ?minimal.
Return to
