HIPAA compliant setup
A HIPAA compliant setup comes at no additional cost for customers on an annual plan. This page describes how to set up your meeting rooms in a compliant manner.
Last updated
Our HIPAA compliant setup information was updated in May 2023 to include rooms of all sizes (including our "group" roomMode), as well as cloud recording.
The HIPAA compliant on-demand capability for Whereby is available only on our Grow plans. For any questions about pricing options or enabling the HIPAA add-on, reach out to your Whereby contact or contact sales.
The following information describes what it means to use the HIPAA compliant capabilities of Whereby. Follow the steps below to get started:
Review all the information on this page to gain an understanding of our HIPAA capabilities and how they can be used.
Follow the instructions to create HIPAA compliant rooms.
Whereby has prepared and will sign a standard Business Associate Agreement that is adequate for all of our HIPAA compliant customers, at no extra charge. Should there be a need to sign a different BAA than what we offer, we are also open to having our legal counsel review it internally and proceed with it provided there are no issues.
To ensure a Business Associate Agreement is signed, reach out to your Whereby contact and they will provide the ready-to-sign agreement.
Follow the steps below to verify you've created rooms that are HIPAA compliant. Additional information for some points is linked for further clarification.
In the API request set isLocked: true
Set the room name pattern in the API request roomNamePattern = uuid
Disable RTMP streaming and room integrations by including the following in your POST creation requests:
Consult our team for any additional security preferences or parameters
Note: As of May 2023, all room sizes on Whereby are HIPAA compliant. You no longer need to specify "normal" mode to remain compliant.
The recording capability means that the meeting, including audio, video and screen-share content will be captured and saved depending on the options chosen.
Update: Whereby is proud to now offer HIPAA compliant cloud recording, in addition to our previously available HIPAA compliant local recording. To remain HIPAA compliant while using cloud recording, you need to store the recordings in an S3 storage managed by your organisation.
The reason our recording options are considered compliant is that Whereby does not store the recordings in any way.
To enable recording, refer to the Whereby REST API documentation and set recording.type equal to local or cloud. If you choose the cloud recording type, make sure to set up your Amazon S3 account and configure the provider equal to s3 as the recordings destination for the meeting room.
The use of recording is not required and if preferred can be disabled entirely. Please refer to the Whereby REST API documentation and use recording.type = none
For our HIPAA compliant customers, we recommend the use of random names to avoid accidental usage of PHI (protected health information) or PII (personally identifiable information). This also ensures there is no pattern in place that can be used to identify the purpose of a meeting.
To do this, refer to the Whereby REST API documentation and use roomNamePattern = uuid
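The room-creation checklist above (isLocked, roomNamePattern, no streaming config, recording.type and the s3 provider for cloud recording) can be built and verified programmatically. The following is an added example, not Whereby's own code: it assembles a request body for the meetings endpoint and runs a checker over it before the request is sent, so a misconfigured room is caught in your own code rather than discovered later. The field names the page gives are used as written; the endpoint URL, endDate, roomMode, fields and the S3 destination keys (bucket, assumeRoleArn) are assumptions taken from Whereby's public REST API reference as I recall it, so verify them against the current documentation. The bucket name and role ARN in the test are constructed placeholders.

```python
"""Build and check a Whereby room-creation payload against the HIPAA checklist.

Added example, not Whereby's code. Page-given fields: isLocked, roomNamePattern,
recording.type, recording.destination.provider. Assumed from the public API
reference: the endpoint URL, endDate, roomMode, fields, bucket, assumeRoleArn.
"""
import json
from datetime import datetime, timedelta, timezone

API_ENDPOINT = "https://api.whereby.dev/v1/meetings"  # assumed, see lead-in

ALLOWED_RECORDING_TYPES = ("none", "local", "cloud")


def build_hipaa_payload(duration_minutes=60, recording="none",
                        s3_bucket=None, s3_role_arn=None):
    """Return a request body that follows the checklist on this page.

    Recording is off unless asked for; cloud recording requires a bucket your
    organisation controls, because Whereby must never hold the recordings.
    """
    end = datetime.now(timezone.utc) + timedelta(minutes=duration_minutes)
    payload = {
        "endDate": end.isoformat(timespec="seconds").replace("+00:00", "Z"),
        "isLocked": True,             # checklist: isLocked: true
        "roomNamePattern": "uuid",    # checklist: random room names, no PHI/PII
        "roomMode": "group",          # any room size is compliant since May 2023
        "fields": ["hostRoomUrl"],    # assumed field; asks for the host URL
        "recording": {"type": recording},
        # No "streaming" key at all: RTMP is not permitted in a compliant room.
    }
    if recording == "cloud":
        if not (s3_bucket and s3_role_arn):
            raise ValueError("cloud recording needs a customer-managed S3 bucket")
        payload["recording"]["destination"] = {
            "provider": "s3",               # page: provider equal to s3
            "bucket": s3_bucket,            # assumed key name
            "assumeRoleArn": s3_role_arn,   # assumed key; avoids static keys in the body
        }
    return payload


def hipaa_findings(payload):
    """Return a list of checklist violations; an empty list means the payload passes."""
    findings = []
    if payload.get("isLocked") is not True:
        findings.append("isLocked must be true")
    if payload.get("roomNamePattern") != "uuid":
        findings.append("roomNamePattern must be uuid")
    if "streaming" in payload:
        findings.append("remove the streaming config; RTMP is not permitted")
    rec = payload.get("recording") or {"type": "none"}
    rtype = rec.get("type", "none")
    if rtype not in ALLOWED_RECORDING_TYPES:
        findings.append(f"unknown recording.type {rtype!r}")
    if rtype == "cloud":
        dest = rec.get("destination") or {}
        if dest.get("provider") != "s3":
            findings.append("cloud recording must set recording.destination.provider = s3")
        if not dest.get("bucket"):
            findings.append("cloud recording must name a customer-managed S3 bucket")
    return findings


def request_json(payload):
    """Serialise the body only if it passes the checks; raise otherwise."""
    problems = hipaa_findings(payload)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(payload)


if __name__ == "__main__":
    body = build_hipaa_payload(recording="local")
    print("POST", API_ENDPOINT)
    print(request_json(body))
```

Send the serialised body with your API key in an Authorization: Bearer header; the checker is deliberately strict (an unexpected streaming key or a non-s3 destination fails closed) so that a copy-pasted payload from a non-HIPAA setup cannot slip through.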
The client device communicates the display name when it joins the room, and then there is a custom send_client_metadata event which is broadcast to all the participants in the room by the Signal server.
To ensure HIPAA compliance, the display name can simply be used as is.
For an added measure of pseudo-anonymization or as a way of more easily integrating Whereby Embedded with your own app, the display name for a participant can be preset. This can be useful in several scenarios:
Scenario 1: if you want to use various identifiers for a user rather than the actual name, e.g. instead of Jane Doe it will be participant 1, thus adding a pseudo-anonymization measure to fit in with your current setup.
Scenario 2: if you want a seamless integration with your user handling flow, where e.g. one user is logged into your web app and you would like to pick up their userId or userName and have it as the display name in Whereby.
To do either of the above, you can refer to the "Using URL parameters" section of the Whereby Developer documentation and use the URL parameter ?displayName=
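Both scenarios come down to building the join URL on your own server with a display name you control. The following is an added example, not Whereby's code: it derives a stable pseudonym from your internal user id with an HMAC (so the same user always gets the same label while the label itself reveals nothing), then appends the URL parameters this page names, displayName and roomIntegrations=off, plus the optional ?minimal flag. The HMAC scheme, the pseudonym helper and the secret key are my own choices; the room URL in the test is a constructed placeholder.

```python
"""Preset a pseudonymous display name on a Whereby Embedded join URL.

Added example, not Whereby's code. Page-given URL parameters: displayName,
roomIntegrations=off, minimal. The HMAC-based pseudonym is an assumption.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit


def pseudonym(user_id, secret_key):
    """Stable, non-reversible label such as 'participant-3f9a2c'.

    Keyed with a secret so nobody outside your system can recompute the
    mapping from the label back to the user id.
    """
    digest = hmac.new(secret_key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"participant-{digest[:6]}"


def _encode_query(pairs):
    # Emit "k=v" for valued params and a bare "k" for flags such as ?minimal.
    out = []
    for key, value in pairs:
        if value is None:
            out.append(quote(key, safe=""))
        else:
            out.append(f"{quote(key, safe='')}={quote(value, safe='')}")
    return "&".join(out)


def join_url(room_url, display_name, minimal=False):
    """Return room_url with displayName preset and integrations disabled."""
    parts = urlsplit(room_url)
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs.append(("displayName", display_name))
    pairs.append(("roomIntegrations", "off"))  # Miro/YouTube are not HIPAA compliant
    if minimal:
        pairs.append(("minimal", None))         # page: ?minimal also hides them
    return urlunsplit(parts._replace(query=_encode_query(pairs)))


if __name__ == "__main__":
    # Constructed values for illustration only.
    name = pseudonym("internal-user-42", b"constructed-secret-key")
    print(join_url("https://subdomain.whereby.com/room-uuid-placeholder", name))
```

The real user's name never appears in the URL, the browser history or the send_client_metadata broadcast; only the pseudonym does, and your own database keeps the mapping. Keep the secret key server-side and rotate it like any other credential.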
The Whereby Embedded chat is HIPAA compliant by default, as information is not stored and is only available for the participants for the duration of the call.
Customers can choose to either rely on the Whereby chat knowing that the information will not be stored nor accessible after the call OR they can build their own elsewhere in their platform.
There is no need to do anything to enable the HIPAA compliant in-room chat, as it is already enabled and available for all customers, regardless of whether they use the Whereby Embedded HIPAA compliant package or not.
Sharing files through Whereby chat is considered to be HIPAA compliant, as files are securely stored and only available to the participants for the duration of the session. All files are permanently deleted within 1 minute from the end of the session or from the moment when there is only 1 participant left in the room. They are not backed up and cannot be retrieved after the session.
There is no need to do anything to enable the HIPAA compliant file sharing, as it is already enabled and available for all customers, regardless of whether they use the Whereby Embedded HIPAA compliant package or not.
By default and through enforcement of our infrastructure's encryption capabilities, Whereby is accessible only via TLS 1.2 with specific ciphers enabled, as described in our advisories and as can be seen from our A+ grading on SSL Labs.
There is no action required to enable encryption in transit as it is already enabled and available for all customers, regardless of whether they are using the Whereby Embedded HIPAA compliant package or not.
As covered entities, Whereby Embedded customers may be required to audit their suppliers based on their internal policies, and also to demonstrate that they have ensured they are using HIPAA compliant products and services.
To support the HIPAA compliance of our customers, we will gladly provide our ISO27001 certificate and our HIPAA compliance checklist, which documents how Whereby complies with specific HIPAA rules. For further information, reach out to your Whereby contact.
Whereby Embedded can be used in a HIPAA compliant setup by our customers; however, this comes with limitations that must be observed to ensure adequate security and compliance with the requirements of the law.
Streaming - Whereby meetings cannot be live streamed (using RTMP) and we also do not envision scenarios where a private, health related discussion will need to be live-streamed. Make sure you don't include any streaming config when you create rooms.
Integrations - We have integrations built with Miro and YouTube that can be used in Whereby meeting rooms. Because these providers are not HIPAA compliant, you must make sure to disable integrations with roomIntegrations=off unless you're using another parameter that hides them like ?minimal.
Transcriptions and Summaries - Whereby session transcriptions and summaries are stored in Whereby-provided storage, which is currently not considered to be HIPAA compliant. Avoid using session transcriptions and session summaries to maintain HIPAA compliance of your usage of Whereby.