How do you meet HIPAA standards?


Published 12/18/2013 at 6:36pm UTC


Details

How does SecureVideo meet standards for the Health Insurance Portability and Accountability Act (HIPAA)?

Answer

  • 256-bit AES-encrypted signaling and media stream
  • Connections to the web app and API through HTTPS only, using TLS 1.2 for in-transit encryption, with TLS 1.0 for older browsers that do not support TLS 1.2. (See our Qualys SSL Labs Report here.)
  • Full database encryption at rest using BitLocker with 128-bit AES
  • PHI encrypted at rest using AES-256.
  • Dedicated data center cage with biometric security, with no reliance on third parties for any routine network maintenance or management
  • Each session participant has his/her own individual session access code, which provides granular access and auditability
  • Auditing of all system logins and actions by IP addresses and user agents
  • No passwords stored on our system; we store salted one-way password hashes only
  • Messages sent from our system, such as invites, notifications, and reminders, never include any PHI
  • For additional PCI compliance, no credit cards are stored on our system, nor does any credit card information pass through our system in unencrypted form; all credit card information is vaulted at our PCI-compliant merchant gateway
  • VSee integration: our media streams run point-to-point by default, instead of through a relay, which results in the videoconferencing streams not transiting our infrastructure in the vast majority of technical scenarios. We do use a secure relay when necessary, as in the case of multiple Network Address Translation (NAT) devices situated between the endpoints.
  • Zoom integration: our media streams run point-to-point in one-to-one calls, so the videoconferencing streams do not transit our infrastructure unless a relay is required. Group calls are still encrypted end to end.

Business Associate Agreement
Because our system was built from the ground up to be HIPAA compliant, we will provide a signed Business Associate Agreement to all customers who have signed up for a non-trial account.