How does SecureVideo meet HIPAA standards?

Published 12/18/2013 at 6:36pm UTC

Details

How does SecureVideo meet standards for the Health Insurance Portability and Accountability Act (HIPAA)?

Answer

  • 256-bit AES-encrypted signaling and media stream
  • Connections to the web app and API through HTTPS only, using TLS 1.3 or 1.2 for in-transit encryption, and TLS 1.0 for older browsers that do not support TLS 1.3 or 1.2. (See our Qualys SSL Labs Report here.)
  • 128-bit AES-encrypted full database encryption using BitLocker
  • PHI encrypted at rest using AES-256.
  • Dedicated data center cage with biometric security, with no reliance on third parties for any routine network maintenance or management
  • Each session participant has his/her own individual session access code, which provides granular access and auditability
  • Auditing of all system logins and actions by IP addresses and user agents
  • No passwords stored on our system; we store salted one-way password hashes only
  • Notifications sent from our system, such as invites, notifications, and reminders, never include any PHI
  • For additional PCI compliance, no credit cards are stored on our system, nor does any credit card information pass through our system in unencrypted form; all credit card information is vaulted at our PCI-compliant merchant gateway
  • VSee integration: our media streams run point-to-point by default, instead of through a relay, which results in the videoconferencing streams not transiting our infrastructure in the vast majority of technical scenarios. We do use a secure relay when necessary, as in the case of multiple Network Address Translation (NAT) devices situated between the endpoints.
  • Zoom integration: our media streams run point-to-point in one-to-one calls, during which the videoconferencing streams do not transit our infrastructure unless a relay is required. Group calls are still encrypted end to end.
  • Unless Customer has chosen to add the SecureVideo HIPAA Compliant Cloud Recording feature to their account, video streams are not recorded or stored on SecureVideo servers. 

Business Associate Agreement 
Because our system was built from the ground up to be HIPAA compliant, we will provide a signed Business Associate Agreement for all customers that have signed up for a non-trial account.