HIPAA compliant setup

A HIPAA compliant setup comes at no additional cost for customers on an annual plan. This page describes how to set up your meeting rooms in a compliant manner.

Last updated 2 months ago


Our HIPAA compliant setup information was updated in May 2023 to include rooms of all sizes (including our "group" roomMode), as well as cloud recording.

Pricing and packaging

The HIPAA compliant on-demand capability for Whereby is available only on our Grow plans. For any questions about pricing options or enabling the HIPAA add-on, reach out to your Whereby contact or contact sales.

HIPAA compliance prerequisites

The following information describes what it means to use the HIPAA compliant capabilities of Whereby. Follow the steps below to get started:

  1. Review all the information on this page to gain an understanding of our HIPAA capabilities and how they can be used.

  2. Sign our Business Associate Agreement by reaching out to your Whereby contact.

  3. Follow the instructions to create HIPAA compliant rooms.

Business Associate Agreement

Whereby has prepared and will sign a standard Business Associate Agreement (BAA) that is adequate for all of our HIPAA compliant customers, at no extra charge. Should you need to sign a different BAA than the one we offer, we are also open to having our legal counsel review it internally and proceed with it provided there are no issues.

To get a Business Associate Agreement signed, reach out to your Whereby contact; they will provide the agreement ready for signature.

Creating HIPAA compliant rooms

Follow the steps below to verify that the rooms you create are HIPAA compliant. Additional information for some points is given in the sections further down this page.

  1. In the API request, set isLocked: true

  2. Set the room name pattern in the API request: roomNamePattern = uuid

  3. Disable RTMP live streaming and room integrations by including the following in your POST creation requests:

      "roomPreferences": {
        "streaming": false,
        "roomIntegrations": false
      }

  4. Consult our team for any additional security preferences or parameters.

Note: As of May 2023, all room sizes on Whereby are HIPAA compliant. You no longer need to specify "normal" mode to remain compliant.

HIPAA Compliant Recording

The recording capability means that the meeting, including audio, video and screen-share content, is captured and saved according to the options chosen.

Our recording options are considered compliant because Whereby does not, in any way, store the recordings.

Update: Whereby now offers HIPAA compliant cloud recording, in addition to the previously available HIPAA compliant local recording. To remain HIPAA compliant while using cloud recording, you must store the recordings in S3 storage managed by your organisation.

To enable recording, refer to the Whereby REST API documentation and set recording.type to local or cloud. If you choose cloud recording, set up your Amazon S3 account and configure the provider equal to s3 as the recordings destination for the meeting room.

Recording is not required and can be disabled entirely: refer to the Whereby REST API documentation and use recording.type = none.

Cloud Recording

Cloud recording is considered HIPAA compliant as long as the recording files are saved to an S3 bucket that you own and control. We also ask that you create the bucket with the following bucket policy to ensure compliance (replace <aws_account_id>, <aws_user> and <recording_bucket> with your own values):

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowListAndPutRecordings",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::<aws_account_id>:user/<aws_user>"
			},
			"Action": [
				"s3:ListBucket",
				"s3:PutObject"
			],
			"Resource": [
				"arn:aws:s3:::<recording_bucket>",
				"arn:aws:s3:::<recording_bucket>/*"
			]
		}
	]
}

This policy grants a single IAM user in your account only s3:ListBucket and s3:PutObject on the recording bucket: the uploading principal can write new recordings and list the bucket, but cannot read or delete existing objects. Keep it that narrow; do not widen the principal to "*" or add read or delete actions.

Local Recording

It is the responsibility of the person who initiated the recording and saved it locally to adhere to HIPAA requirements. Assess internally whether this is acceptable under your HIPAA compliance policies.

Whereby cannot control what happens to a local recording. See Local recording setup and instruction for how to enable it.

Room names

For our HIPAA compliant customers, we recommend the use of random room names to avoid accidental use of PHI (protected health information) or PII (personally identifiable information). This also ensures there is no pattern in place that can be used to identify the purpose of a meeting.

To do this, refer to the Whereby REST API documentation and use roomNamePattern = uuid.

Display name

The client device communicates the display name when it joins the room, and a custom send_client_metadata event is then broadcast to all participants in the room by the Signal server.

To ensure HIPAA compliance, the display name can simply be used as is.

For an added measure of pseudo-anonymisation, or as a way of more easily integrating Whereby Embedded with your own app, the display name for a participant can be preset. This is useful in several scenarios:

  • Scenario 1: you want to use an identifier for a user rather than their actual name, e.g. "participant 1" instead of Jane Doe, adding a pseudo-anonymisation measure that fits your current setup.

  • Scenario 2: you want a seamless integration with your user handling flow, where e.g. a user is logged into your web app and you want to pick up their userId or userName and use it as the display name in Whereby.

To do either of the above, refer to the "Using URL parameters" section of the Whereby Developer documentation and use the URL parameter ?displayName=

Whatever you preset is broadcast to every participant in the room, so for Scenario 2 prefer an opaque identifier such as a userId over a real name where the meeting concerns PHI.

Additional information

In-room Chat text

The Whereby Embedded chat is HIPAA compliant as long as you have "Make chat downloadable" toggled off in your Configuration settings and do not use the URL parameters to turn on chat export. With these settings off, chat text is not stored and is only available to the participants for the duration of the call.

Customers can choose either to rely on the Whereby chat, knowing that the information will not be stored or accessible after the call, or to build their own chat elsewhere in their platform.

There is nothing to do to enable HIPAA compliant in-room chat: it is already enabled and available for all customers, whether or not they use the Whereby Embedded HIPAA compliant package.

File sharing

Sharing files through Whereby chat is considered HIPAA compliant, as files are securely stored and only available to the participants for the duration of the session. All files are permanently deleted within 1 minute of the end of the session, or from the moment only one participant is left in the room. They are not backed up and cannot be retrieved after the session.

There is nothing to do to enable HIPAA compliant file sharing: it is already enabled and available for all customers, whether or not they use the Whereby Embedded HIPAA compliant package.

Session Transcriptions

Session Transcriptions is designed to protect ePHI (electronic protected health information) and supports compliance with the HIPAA Security Rule.

Encryption in transit

No action is required to enable encryption in transit: it is already enabled and available for all customers, whether or not they use the Whereby Embedded HIPAA compliant package.

By default, and through enforcement of our infrastructure's encryption capabilities, Whereby is accessible only via TLS 1.2 with a specific set of ciphers enabled, as described in our advisories and as can be seen from our A+ grading on SSL Labs.

Audit information

As covered entities, Whereby Embedded customers may need to audit their suppliers, both because their internal policies require it and to show that they have ensured they are using HIPAA compliant products and services.

To support the HIPAA compliance of our customers, we will gladly provide our ISO 27001 certificate and our HIPAA compliance checklist, which documents how Whereby complies with specific HIPAA rules. For further information, reach out to your Whereby contact.

Features you cannot use with a HIPAA compliant setup

Whereby Embedded can be used in a HIPAA compliant setup by our customers; however, this comes with limitations that must be in place to provide adequate security and compliance with the requirements of the law.

  • Live Streaming - Whereby meetings cannot be live streamed (using RTMP), and we do not envision scenarios where a private, health-related discussion would need to be live streamed. Make sure you don't include any live streaming config when you create rooms.

  • Integrations - We have integrations built with Miro and YouTube that can be used in Whereby meeting rooms. Because these providers are not HIPAA compliant, you must disable integrations with roomIntegrations=off unless you are using another parameter that hides them, like ?minimal.
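As an added example, not part of this page and not Whereby's own code: the JavaScript below gathers the settings from the Creating HIPAA compliant rooms steps, the Cloud Recording bucket policy and the display-name and integrations URL parameters into one place, and lints a request body and a bucket policy against them, so that an unlocked room, a readable room name, streaming or integrations left on, recordings sent anywhere but your own S3 bucket, or a policy wider than the one above is caught before the API call. The endDate field of POST /meetings and the recording.destination.provider/bucket path are assumptions about the API that this page does not show; check them against the REST API reference. All room URLs, account IDs and bucket names are constructed.

```javascript
// Added example (not Whereby's own code): the room-creation settings and the S3 bucket
// policy from this page, plus lint functions that reject anything weaker.
// ASSUMPTIONS not shown on this page: the "endDate" field of POST /meetings and the
// recording.destination.{provider,bucket} path for the S3 destination.

const HIPAA_ROOM_PREFERENCES = Object.freeze({ streaming: false, roomIntegrations: false });

// Body for POST /meetings with every setting the page requires. Recording defaults to
// "none"; pass { type: "cloud", destination: { provider: "s3", bucket } } for cloud recording.
function buildHipaaMeetingRequest({ endDate, recording = { type: "none" } }) {
  return {
    endDate,                                          // assumed required field (ISO 8601)
    isLocked: true,                                   // step 1: nobody joins without being let in
    roomNamePattern: "uuid",                          // step 2: random name, no PHI/PII in the URL
    roomPreferences: { ...HIPAA_ROOM_PREFERENCES },   // step 3: no RTMP, no Miro/YouTube
    recording,
  };
}

// The bucket policy from the Cloud Recording section with the placeholders filled in.
function buildRecordingBucketPolicy(accountId, iamUser, bucket) {
  return {
    Version: "2012-10-17",
    Statement: [{
      Sid: "AllowListAndPutRecordings",
      Effect: "Allow",
      Principal: { AWS: `arn:aws:iam::${accountId}:user/${iamUser}` },
      Action: ["s3:ListBucket", "s3:PutObject"],
      Resource: [`arn:aws:s3:::${bucket}`, `arn:aws:s3:::${bucket}/*`],
    }],
  };
}

// Reasons a request body is not HIPAA compliant by this page's rules ([] means it is).
function lintHipaaMeetingRequest(body) {
  const problems = [];
  const prefs = body.roomPreferences || {};
  const rec = body.recording || { type: "none" };
  if (body.isLocked !== true) problems.push("isLocked must be true");
  if (body.roomNamePattern !== "uuid") problems.push('roomNamePattern must be "uuid"');
  if (prefs.streaming !== false) problems.push("roomPreferences.streaming must be false (no RTMP)");
  if (prefs.roomIntegrations !== false) problems.push("roomPreferences.roomIntegrations must be false");
  if (!["none", "local", "cloud"].includes(rec.type)) problems.push(`unknown recording.type ${rec.type}`);
  if (rec.type === "cloud" && (rec.destination || {}).provider !== "s3") {
    problems.push('cloud recording must go to your own S3 bucket (destination.provider "s3")');
  }
  return problems;
}

// Reasons a bucket policy grants more than the page's policy: anything other than one
// named IAM user, ListBucket + PutObject, scoped to the recording bucket, is flagged.
function lintRecordingBucketPolicy(policy, bucket) {
  const allowedActions = new Set(["s3:ListBucket", "s3:PutObject"]);
  const allowedResources = new Set([`arn:aws:s3:::${bucket}`, `arn:aws:s3:::${bucket}/*`]);
  const problems = [];
  for (const st of policy.Statement || []) {
    const sid = st.Sid || "(no Sid)";
    const principal = st.Principal && st.Principal.AWS;
    if (st.Principal === "*" || !/^arn:aws:iam::\d{12}:user\/\S+$/.test(String(principal))) {
      problems.push(`${sid}: principal must be a single IAM user ARN in your account`);
    }
    for (const action of [].concat(st.Action)) {
      if (!allowedActions.has(action)) problems.push(`${sid}: action ${action} is not needed to upload recordings`);
    }
    for (const resource of [].concat(st.Resource)) {
      if (!allowedResources.has(resource)) problems.push(`${sid}: resource ${resource} is outside the recording bucket`);
    }
  }
  return problems;
}

// Room URL for one participant: pseudonymous display name (Scenario 1 of the Display
// name section) and integrations hidden with the URL parameter from the last section.
function buildParticipantUrl(roomUrl, participantIndex) {
  const url = new URL(roomUrl);
  url.searchParams.set("displayName", `participant ${participantIndex}`);
  url.searchParams.set("roomIntegrations", "off");
  return url.toString();
}

// Constructed sample data, not real rooms or accounts.
const compliantRequest = buildHipaaMeetingRequest({
  endDate: "2030-01-01T10:00:00.000Z",
  recording: { type: "cloud", destination: { provider: "s3", bucket: "example-recordings" } },
});
const riskyRequest = {   // constructed: unlocked, readable name, RTMP on, recordings off-site
  endDate: "2030-01-01T10:00:00.000Z",
  isLocked: false,
  roomNamePattern: "human-short",
  roomPreferences: { streaming: true, roomIntegrations: false },
  recording: { type: "cloud", destination: { provider: "gcs", bucket: "somewhere-else" } },
};
const recordingPolicy = buildRecordingBucketPolicy("123456789012", "whereby-uploader", "example-recordings");

console.log(lintHipaaMeetingRequest(compliantRequest));                      // []
console.log(lintHipaaMeetingRequest(riskyRequest));                          // four problems
console.log(lintRecordingBucketPolicy(recordingPolicy, "example-recordings")); // []
console.log(buildParticipantUrl("https://example.whereby.com/0d7e3c0a-3b2f-4e8a-9c1d-5f6a7b8c9d0e", 1));
```

Run the lint on every body just before it is sent to the API and fail the request on a non-empty list; the policy lint is useful in a CI check over your Terraform or CloudFormation output, since the most common drift is someone adding s3:GetObject "for convenience", which would let the uploading credential read back recordings.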
