HIPAA compliance details, for the Daily.co video call API

More on how our HIPAA API product delivers compliance

We’re proud to announce HIPAA compliance for our Daily.co video calling API.

Read the announcement. Here are some highlights:

  • Our API stands out for its ease of implementation and active compliance.
  • We have architected a specific HIPAA configuration that makes it simple for developers to add compliant video calls, in minutes. Advanced features, in-app controls, and layout customization are simple, too.

If you are a developer working with protected health information (PHI), we can set your API video calling domain to be HIPAA compliant. Daily.co can execute any agreements and provide any documentation you need, including a Business Associate Agreement (BAA).

This blog post is a follow-up to our announcement, and provides background on how we handle recording and chat, among other things. Developers and product teams can find code details in the last section of this post.

To learn more about how your organization can use the Daily.co API HIPAA product, please contact us. You can email help@daily.co, or talk with us at our website chat.

# HIPAA compliance fundamentals

Our approach to HIPAA compliance is two-fold:

  1. We adhere to the highest standards of server and operational security. For example, we store data encrypted both in flight and at rest, we use two-factor authentication for all of our internal systems, and we limit access to internal data and keep audit trails of access and code deployment.
  2. For Daily.co domains that are configured for HIPAA use cases, we try to never store any data that might include Protected Health Information (PHI). Data that is not stored cannot be a security or privacy risk.

All of our video calls are encrypted and secure. We have no access to in-call audio and video data. We never share any data from the Daily.co API with anyone else, other than service providers that provide us with core functionality, and with which we have security and confidentiality agreements in place.

In addition, for Daily.co domains that are configured for HIPAA use cases, we do the following:

  1. We do not set any web browser cookies or use web browser local storage.
  2. Any user_name and user_id values that are set via API calls are scrubbed from our database and log files, and are available only during the video call. This means that meeting analytics will include only a randomly generated session_id and not any user_name or user_id data. You can correlate session IDs with your records of user names and IDs in your own code. Please contact us if you would like sample code or help with this.
  3. We disable in-call text chat. For non-HIPAA domains, text chat data is encrypted and stored in encrypted form for approximately 15 minutes on our servers. Our employees are not able to view encrypted text chat data, but it is theoretically possible that a malicious attacker could gain control of our servers and decrypt text chat messages. Because text chat could contain PHI, we disable text chat for HIPAA use cases. If you need text chat as part of your use case, we recommend combining Daily.co video calling with text chat from a HIPAA-compliant text chat service provider like Sendbird.
  4. We disable call recording. For non-HIPAA domains, cloud recordings are stored in the AWS S3 cloud. Access to call recordings is restricted to a limited subset of our engineers, access is audited, and access requires two-factor authentication. But it is theoretically possible that a malicious attacker could gain access to cloud recordings. Because recordings could contain PHI, we disable recording for HIPAA use cases. If you need recording, please let us know. We can offer customized video storage options that are HIPAA-compliant.
  5. We require that rooms created with the API are randomly named. We do not want developers to accidentally create room names that might include Personally Identifiable Information (PII) or Protected Health Information (PHI).

# For developers

Except for features that are disabled for HIPAA-configured domains (chat, recording, named rooms), you can use the Daily.co API for HIPAA use cases just as you do in general, with one exception.

The one implementation exception is your `<iframe>` use. You must use our front-end JavaScript library to embed and control video calls for HIPAA use cases.

- For non-HIPAA use cases you can create `<iframe>` elements directly, for embedded video calls.
- But for HIPAA we want to ensure that all mode and privacy flags are set correctly, so we require that you make use of our wrapper library. (This is a good idea, anyway, as the library has lots of helpful features and functions!)

Here is sample code to embed a video call in a web page:

```html
<script crossorigin src="https://unpkg.com/@daily-co/daily-js"></script>
<script>
  // Create the call frame through the wrapper library rather than building
  // an <iframe> by hand, so the HIPAA mode and privacy flags are set for you.
  function createFrameAndJoinRoom() {
    window.callFrame = window.DailyIframe.createFrame();
    // A_DAILY_CO_ROOM_URL is the URL of a room created with the Daily.co API.
    callFrame.join({ url: A_DAILY_CO_ROOM_URL });
  }
  // Invoke once the page has loaded, or from your own "Join call" handler.
  createFrameAndJoinRoom();
</script>
```

# Next steps

Read our API documentation here:

To make your integration HIPAA compliant, contact us. We will turn on HIPAA compliance for your video calling domain. Daily.co also can sign a BAA or provide further documentation.

As developers know, working with PHI and attaining HIPAA compliance is a rigorous exercise. We’re proud to provide this HIPAA video calling resource!

Our customers can reach us anytime: email help@daily.co, or contact us at our website chat. We are always glad to answer developers' questions and to learn what your organization needs.
