We’re proud to announce HIPAA compliance for our Daily.co video calling API.

Read the announcement. Here are some highlights:

  • Our API stands out for its ease of implementation and active compliance.
  • We have architected a specific HIPAA configuration that makes it simple for developers to add compliant video calls, in minutes. Advanced features, in-app controls, and layout customization are simple, too.

If you are a developer working with protected health information (PHI), we can set your API video calling domain to be HIPAA compliant. Daily.co can execute any agreements and provide any documentation you need, including a Business Associate Agreement (BAA).

This blog post is a follow-up to our announcement, and provides some background on recording and chat, for example. Developers and product teams can get code details below, in the last section of this post.

To learn more about how your organization can use the Daily.co API HIPAA product, please contact us. You can email help@daily.co, or talk with us at our website chat. HIPAA compliance is part of our $199/mo subscription plan. We're happy to give your team a 30-day free trial.

HIPAA compliance fundamentals

Our approach to HIPAA compliance is two-fold:

  1. We adhere to the highest standards of server and operational security. For example, we store data encrypted both in flight and at rest, we use two-factor authentication for all of our internal systems, and we limit access to internal data and keep audit trails of access and code deployment.
  2. For Daily.co domains that are configured for HIPAA use cases, we try to never store any data that might include Protected Health Information (PHI). Data that is not stored cannot be a security or privacy risk.

All of our video calls are encrypted and secure. We have no access to in-call audio and video data. We never share any data from the Daily.co API with anyone else, other than service providers that provide us with core functionality, and with which we have security and confidentiality agreements in place.

In addition, for Daily.co domains that are configured for HIPAA use cases, we do the following:

  1. We do not set any web browser cookies or use web browser local storage.
  2. Any user_name and user_id values that are set via API calls are scrubbed from our database and log files, and are available only during the video call. This means that meeting analytics will include only a randomly generated session_id and not any user_name or user_id data. You can correlate session IDs with your records of user names and IDs in your own code. Please contact us if you would like sample code or help with this.
  3. We disable in-call text chat. For non-HIPAA domains, text chat data is encrypted and stored in encrypted form for approximately 15 minutes on our servers. Our employees are not able to view encrypted text chat data, but it is theoretically possible that a malicious attacker could gain control of our servers and decrypt text chat messages. Because text chat could contain PHI, we disable text chat for HIPAA use cases. If you need text chat as part of your use case, we recommend combining Daily.co video calling with text chat from a HIPAA-compliant text chat service provider.
  4. We disable call recording. For non-HIPAA domains, cloud recordings are stored in the AWS S3 cloud. Access to call recordings is restricted to a limited subset of our engineers, access is audited, and access requires two-factor authentication. But it is theoretically possible that a malicious attacker could gain access to cloud recordings. Because recordings could contain PHI, we disable recording for HIPAA use cases. If you need recording, please let us know. We can offer customized video storage options that are HIPAA-compliant.
  5. We require that rooms created with the API are randomly named. We do not want developers to accidentally create room names that might include Personally Identifiable Information or Personal Health Information.
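Item 2 above says you correlate the randomly generated session_id with your own user records in your own code. The following is an added example, not Daily.co's sample code; it assumes (not confirmed by this post) that the daily-js library emits a "participant-joined" event whose payload carries a participant object with `session_id` and the `user_id` your app set when joining, and that later meeting analytics rows carry only `session_id`.

```javascript
// Added example (not Daily.co's code): keep the session_id -> user mapping on
// your side, captured during the call, and join it to analytics afterwards.
// Assumption: daily-js "participant-joined" payloads look like
//   { participant: { session_id: '...', user_id: '...' } }.

// Your own index, held by your application or backend, never sent to Daily.co.
const sessionIndex = new Map(); // session_id -> { userId, joinedAt }

// Hook this up from a daily-js handler, e.g.
//   callFrame.on('participant-joined', (ev) => rememberSession(sessionIndex, ev.participant, Date.now()));
function rememberSession(index, participant, nowMs) {
  if (!participant || typeof participant.session_id !== 'string') {
    throw new Error('participant payload without a session_id');
  }
  // On a HIPAA-configured domain user_id is only visible during the call,
  // so it has to be captured here rather than recovered from analytics later.
  const userId = typeof participant.user_id === 'string' ? participant.user_id : null;
  index.set(participant.session_id, { userId: userId, joinedAt: nowMs });
  return index;
}

// Analytics rows from a HIPAA domain carry only session_id. Join them back to
// your records; sessions you never saw in-call are flagged, never guessed.
function correlateAnalytics(rows, index) {
  return rows.map((row) => {
    const match = index.get(row.session_id);
    return Object.assign({}, row, {
      userId: match ? match.userId : null,
      matched: Boolean(match),
    });
  });
}

// Constructed sample data, not real Daily.co output.
const sampleParticipants = [
  { session_id: 'sess-aaaa1111', user_id: 'patient-42' },
  { session_id: 'sess-bbbb2222', user_id: 'clinician-7' },
];
const sampleAnalytics = [
  { session_id: 'sess-aaaa1111', duration_s: 1830 },
  { session_id: 'sess-bbbb2222', duration_s: 1790 },
  { session_id: 'sess-cccc3333', duration_s: 60 }, // never observed in-call
];

function demo() {
  const idx = new Map();
  sampleParticipants.forEach((p) => rememberSession(idx, p, 0));
  return correlateAnalytics(sampleAnalytics, idx);
}
```

The index itself contains the identifiers you chose to pass to the call, so store it with the same access controls you apply to the rest of your PHI-adjacent records.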

For developers

Except for features that are disabled for HIPAA-configured domains (chat, recording, named rooms), you can use the Daily.co API for HIPAA use cases just as you do in general.

See the HIPAA page in our developer documentation to get the latest on implementation requirements. A quick summary:

  • Contact us to turn on compliance. This requires the Scale $199/mo subscription. We can set your team up with a free 30-day trial.
  • You must use our front-end JavaScript library to embed and control video calls for HIPAA use cases. Warning: a video call link that is not embedded is not in compliance.

Here is sample code to embed a video call in a web page:

<script crossorigin src="https://unpkg.com/@daily-co/daily-js"></script>
<script>
    // Creates the embedded Daily.co call frame and joins the room.
    // Replace A_DAILY_CO_ROOM_URL with the URL of a room on your HIPAA-configured domain.
    function createFrameAndJoinRoom() {
        window.callFrame = window.DailyIframe.createFrame();
        window.callFrame.join({ url: A_DAILY_CO_ROOM_URL });
    }
</script>

Reminder: For your video chat to be compliant, we must turn on compliance for your account, and calls must be embedded with our JS library.

Next steps, pricing and more

Read our API documentation here:

HIPAA compliance is part of our Scale tier, $199/mo. We can turn on a 30-day free trial, so any team can test securely.

To see a checklist of what to do, go to our HIPAA page in our developer docs. (It's pretty simple — you'll email us to request an upgrade and turn on compliance. The developer docs also underscore the requirement to embed with the front-end library.) The link is here: https://docs.daily.co/docs/hipaa

As developers know, working with PHI and attaining HIPAA compliance is a rigorous exercise. We’re proud to provide this HIPAA video calling resource!

Our customers can reach us anytime: email help@daily.co, or contact us at our website chat. We are always glad to answer developers' questions and learn what your organization needs.