The Daily API for video calls is HIPAA compliant!
Our compliance stands out for its ease to developers and providers. We are proud to offer an API product that is specifically architected for HIPAA.
Simply ask us to turn on the HIPAA configuration for your organization. With our HIPAA product, a developer can add compliant video calls in minutes. It’s also simple to customize your users' experience, with our API's advanced features, in-app controls, and complete layout control.
Not only are we proud to announce compliance, we value clean implementation. The Daily video calling API is easy to use. Our customers can stay focused on their mission — not take on onerous development, or compliance risks unique to video calling.
If your organization is interested in HIPAA compliance, please contact us. You can email us at firstname.lastname@example.org, or talk to us via our website chat.
What this means
A Covered Entity that requires compliant video calls for protected health information (PHI) can use the Daily API HIPAA configuration. This includes telehealth providers, virtual care platforms, health plans, and mobile app developers.
If you are a developer working with PHI, you can use the Daily video chat API. Daily will sign a Business Associate Agreement (BAA).
Specifically, our company and API product adhere to the guidelines set forth by Health and Human Services, in HITECH in 2013:
- We have instituted the required Organizational, Administration, Technical, and Physical safeguards.
- We have documented policies and procedures to monitor, report breaches, assess risk, and improve our information management and data systems.
Contact us, via email@example.com or our website chat, to ask about your organization's HIPAA compliance.
How our active compliance differs from “conduit” policies
The Daily video chat API is actively compliant. We have done the work to architect each piece of the HIPAA product, so that when you use this configuration, your video calls are compliant.
Other vendors, in contrast, pass on the burden of compliance to your organization. This happens through a couple mechanisms. In its 2013 rules, HITECH lays out a ‘conduit’ exception. This is for organizations that transport a call (like a telephone provider). They primarily transmit a call; they don’t access its information. A vendor may claim to be only a conduit — in particular, they advise your developers build an integration that does not hand off certain information to them.
For example, in a digital platform it’s typical to create tokens and identifiers for your users. These are included in transmission, and your vendor may store these. Your developers have to take the additional steps to make sure to use the API in a compliant manner.
That means that the technical debt to configure tokens and strings properly is entirely upon your organization. It is paramount to check that no string associated with a call participant is stored on a vendor server.
The Daily API does not expose you to this risk. As a baseline, all of our video calls are encrypted and secure. We do not have access to in-call audio and video data. Furthermore, for a customer set up with our HIPAA configuration:
- We do not set any web browser cookies or use web browser local storage.
- We generate random identifier strings for your meetings. We do not store your user name and values on our servers. They are scrubbed from our servers.
- We disable in-call text chat, to be rigorous in our compliance (even though our non-HIPAA chat is encrypted). Learn details in this blog post here. If you need text chat as part of your use case, we recommend combining Daily video calling with text chat from a HIPAA-compliant text chat service provider.
- We disable recording for the default HIPAA configuration. Learn details in this post here. We can offer customized video storage options that are HIPAA-compliant.
- We require that rooms created with the API are randomly named, and make it easy to do so. (We do not want developers to accidentally create room names that might include personally identifying information (PII) or PHI.)
The above precautions are included, seamlessly, in our HIPAA product.
Process and pricing
Here are key details and links, to learn more and move forward:
- Go to the HIPAA page in our developer documentation. This is an updated page. It notes compliance requirements, pricing, and how to get started, https://docs.daily.co/docs/hipaa
- Learn more about the technical architecture in our technical blog post here, https://www.daily.co/blog/hipaa-compliance-details-for-the-daily-co-video-call-api
- HIPAA compliance is part our $199/mo Scale plan. Get a 30-day free trial — learn more.
Helping build better care
Our team here at Daily is proud to support the privacy safeguards afforded by HIPAA. Contact us to learn about a BAA, and check out our developer resources, like support and sample code and tutorials. The best place to get started is our developer docs, https://docs.daily.co
Our work at Daily is grounded in the simple idea that people value talking to each other, face-to-face; it's exciting to make that easier, in a field as vital as healthcare. With our HIPAA configuration, your organization confidently can add secure video chat, to help your patients, users and providers connect better.