HIPAA compliant setup

A HIPAA compliant setup comes at no additional cost for customers on an annual plan. This page describes how to set up your meeting rooms in a compliant manner.

Our HIPAA compliant setup information was updated in May 2023 to include rooms of all sizes (including our "group" roomMode), as well as cloud recording.

Pricing and packaging

The HIPAA compliant on-demand capability for Whereby is available only on our Grow plans. For any questions about pricing options or enabling the HIPAA add-on, reach out to your Whereby contact or contact sales.

HIPAA compliance prerequisites

The following information describes what it means to use the HIPAA compliant capabilities of Whereby. Follow the steps below to get started:

  1. Review all the information on this page to gain an understanding of our HIPAA capabilities and how they can be used.

  2. Follow the instructions to create HIPAA compliant rooms.

Business Associate Agreement

Whereby has prepared and will sign a standard Business Associate Agreement that is adequate for all of our HIPAA compliant customers, at no extra charge. Should there be a need to sign a different BAA than what we offer, we are also open to having our legal counsel review it internally and proceed with it provided there are no issues.

To ensure a Business Associate Agreement is signed, reach out to your Whereby contact and they will provide the ready-to-sign agreement.

Creating HIPAA compliant rooms

Follow the steps below to verify you've created rooms that are HIPAA compliant. Additional information for some points is linked for further clarification.

  1. In the API request, set isLocked: true.

  2. Set the room name pattern in the API request: roomNamePattern = uuid.

  3. Disable RTMP streaming by including the following in your POST creation requests:

        "roomPreferences": {
          "streaming": false
        }

  4. Consult our team for any additional security preferences or parameters.

Note: As of May 2023, all room sizes on Whereby are HIPAA compliant. You no longer need to specify "normal" mode to remain compliant.

HIPAA Compliant Recording

The recording capability means that the meeting, including audio, video and screen-share content, will be captured and saved depending on the options chosen.

Update: Whereby is proud to now offer HIPAA compliant cloud recording, in addition to our previously available HIPAA compliant local recording. To remain HIPAA compliant while using cloud recording, you need to store the recordings in an S3 storage bucket managed by your organisation.

The reason our recording options are considered compliant is that Whereby does not, in any way, store the recordings.

To ensure that recording is enabled, refer to the Whereby REST API documentation and set recording.type equal to local or cloud. If you choose the cloud recording type, make sure to set up your Amazon S3 account and configure provider equal to s3 as the recordings destination for the meeting room.

Cloud Recording

Cloud recording is considered HIPAA compliant as long as the recording files are saved to a customer-owned and customer-controlled S3 storage bucket. We also request that you create the bucket with the following bucket policy to ensure compliance:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowListAndPutRecordings",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws_account_id>:user/<aws_user>"
			},
			"Action": [
				"s3:ListBucket",
				"s3:PutObject"
			],
			"Resource": [
				"arn:aws:s3:::<recording_bucket>",
				"arn:aws:s3:::<recording_bucket>/*"
			]
		}
	]
}
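
The two checks below, written as an added example rather than code from Whereby, verify a room-creation payload against the API settings required above (isLocked, roomNamePattern, roomPreferences.streaming, recording.type) and verify that an S3 bucket policy grants nothing beyond the ListBucket and PutObject actions shown in the policy above. The nesting of the cloud destination under recording.destination.provider is an assumption; confirm the exact field layout in the Whereby REST API documentation.

```python
# Added example (not Whereby's code): validate a room-creation payload and an
# S3 bucket policy against the HIPAA setup rules listed on this page.
# Assumption: the cloud recording destination lives at recording.destination.provider.

# Actions the page's bucket policy grants; any Allow beyond these is flagged.
ALLOWED_ACTIONS = {"s3:ListBucket", "s3:PutObject"}

# Constructed sample creation request that follows every rule on this page.
COMPLIANT_ROOM = {
    "isLocked": True,
    "roomNamePattern": "uuid",
    "roomPreferences": {"streaming": False},
    "recording": {"type": "cloud", "destination": {"provider": "s3"}},
}


def check_room_request(body: dict) -> list:
    """Return the HIPAA-setup deviations found; an empty list means compliant."""
    problems = []
    if body.get("isLocked") is not True:
        problems.append("isLocked must be true")
    if body.get("roomNamePattern") != "uuid":
        problems.append("roomNamePattern must be 'uuid' (no PHI/PII in room names)")
    if body.get("roomPreferences", {}).get("streaming") is not False:
        problems.append("roomPreferences.streaming must be false (no RTMP)")
    rec = body.get("recording") or {"type": "none"}  # recording is optional
    rtype = rec.get("type", "none")
    if rtype not in ("none", "local", "cloud"):
        problems.append(f"unknown recording.type {rtype!r}")
    elif rtype == "cloud" and rec.get("destination", {}).get("provider") != "s3":
        problems.append("cloud recording must write to a customer-owned S3 bucket")
    return problems


def check_bucket_policy(policy: dict) -> list:
    """Flag Allow statements broader than the page's ListBucket/PutObject grant."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        extra = sorted(actions - ALLOWED_ACTIONS)
        if extra:
            problems.append(f"{sid}: unexpected actions {extra}")
        if stmt.get("Principal") in ("*", {"AWS": "*"}):
            problems.append(f"{sid}: wildcard principal")
    return problems
```

Run both checks in a pre-deployment test so a room template or bucket policy that drifts from these settings fails before any PHI is discussed in a room.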

Local Recording

It is the responsibility of the person who initiated the recording and saved it locally to adhere to HIPAA requirements. Be sure to assess internally whether this is something that can be accepted under your HIPAA compliance policies.

Whereby cannot control what happens to a local recording.

Local recording setup and instruction

The use of recording is not required and, if preferred, can be disabled entirely. Please refer to the Whereby REST API documentation and use recording.type = none.

Room names

For our HIPAA compliant customers, we recommend the use of random room names to avoid accidental use of PHI (protected health information) or PII (personally identifiable information). This also ensures there is no pattern in place that can be used to identify the purpose of a meeting.

To do this, refer to the Whereby REST API documentation and use roomNamePattern = uuid.

Display name

The client device sends its display name when it joins the room; the Signal server then broadcasts it to all participants in the room in a custom send_client_metadata event.

To ensure HIPAA compliance, the display name can simply be used as is.

For an added measure of pseudo-anonymization or as a way of more easily integrating Whereby Embedded with your own app, the display name for a participant can be preset. This can be useful in several scenarios:

  • Scenario 1: if you want to use an identifier for a user rather than their actual name, e.g. "participant 1" instead of Jane Doe, adding a pseudo-anonymization measure that fits in with your current setup.

  • Scenario 2: if you want a seamless integration with your user-handling flow, where e.g. a user is logged into your web app and you would like to pick up their userId or userName and use it as the display name in Whereby.

To do either of the above, refer to the "Using URL parameters" section of the Whereby Developer documentation and use the URL parameter ?displayName=.

Additional information

In-room Chat text

The Whereby Embedded chat is HIPAA compliant by default, as information is not stored and is only available for the participants for the duration of the call.

Customers can choose either to rely on the Whereby chat, knowing that the information will not be stored nor accessible after the call, or to build their own chat elsewhere in their platform.

There is no need to do anything to enable the HIPAA compliant in-room chat as it is already enabled and available for all customers, regardless of using the Whereby Embedded HIPAA compliant package or not.

Encryption in transit

By default, and through enforcement of our infrastructure's encryption capabilities, Whereby is accessible only via TLS 1.2 with specific ciphers enabled, as described in our advisories and as can be seen from our A+ grading on SSL Labs.

There is no action required to enable encryption in transit as it is already enabled and available for all customers, regardless of whether they are using the Whereby Embedded HIPAA compliant package or not.

Audit information

As covered entities, Whereby Embedded customers may need to audit their suppliers, both to satisfy their internal policies and to show that they have ensured they are using HIPAA compliant products and services.

To support the HIPAA compliance of our customers, we will gladly provide our ISO27001 certificate and our HIPAA compliance checklist, which documents how Whereby complies with specific HIPAA rules. For further information, reach out to your Whereby contact.

Features you cannot use with a HIPAA compliant setup

Whereby Embedded can be used in a HIPAA compliant setup by our customers; however, this comes with limitations that must be in place to provide adequate security and compliance with the requirements of the law.

  • Streaming - Whereby meetings cannot be live streamed (using RTMP) and we also do not envision scenarios where a private, health related discussion will need to be live-streamed. Make sure you don't include any streaming config when you create rooms.

  • Integrations - We have integrations built with Miro and YouTube that can be used in Whereby meeting rooms. Because these providers are not HIPAA compliant, you must make sure to disable integrations with roomIntegrations=off unless you're using another parameter that hides them like ?minimal.

  • Transcriptions and Summaries - Whereby session transcriptions and summaries are derived from session recordings stored in Whereby-provided storage. Since cloud recordings stored in Whereby-provided storage are not considered HIPAA compliant, features that require such a recording setup are not HIPAA compliant either. Avoid using session transcriptions and session summaries to maintain the HIPAA compliance of your usage of Whereby.
