Announcing HIPAA compliance for the Daily video chat API

‍

The Daily API for video calls is HIPAA compliant!

Our compliance stands out for its ease to developers and providers. We are proud to offer an API product that is specifically architected for HIPAA.

Simply ask us to turn on the HIPAA configuration for your organization. With our HIPAA product, a developer can add compliant video calls in minutes. It’s also simple to customize your users' experience, with our API's advanced features, in-app controls, and complete layout control.

The rules governing compliance are robust and enforced, as anyone working with protected health information (PHI) must know. Video chat compliance, like any HIPAA piece, is a rigorous exercise.

Not only are we proud to announce compliance, we value clean implementation. The Daily video calling API is easy to use. Our customers can stay focused on their mission — not take on onerous development, or compliance risks unique to video calling.

If your organization is interested in HIPAA compliance, please contact us. You can email us at help@daily.co, or talk to us via our website chat.

What this means

A Covered Entity that requires compliant video calls for protected health information (PHI) can use the Daily API HIPAA configuration. This includes telehealth providers, virtual care platforms, health plans, and mobile app developers.

If you are a developer working with PHI, you can use the Daily video chat API. Daily will sign a Business Associate Agreement (BAA).

Specifically, our company and API product adhere to the guidelines set forth by Health and Human Services, in HITECH in 2013:

• We have instituted the required Organizational, Administration, Technical, and Physical safeguards.
• We have documented policies and procedures to monitor, report breaches, assess risk, and improve our information management and data systems.

Contact us, via help@daily.co or our website chat, to ask about your organization's HIPAA compliance.

Developers can view the API documentation here and see code samples and tutorials at our blog.

How our active compliance differs from “conduit” policies

The Daily video chat API is actively compliant. We have done the work to architect each piece of the HIPAA product, so that when you use this configuration, your video calls are compliant.

Other vendors, in contrast, pass on the burden of compliance to your organization. This happens through a couple mechanisms. In its 2013 rules, HITECH lays out a ‘conduit’ exception. This is for organizations that transport a call (like a telephone provider). They primarily transmit a call; they don’t access its information. A vendor may claim to be only a conduit — in particular, they advise your developers build an integration that does not hand off certain information to them.

For example, in a digital platform it’s typical to create tokens and identifiers for your users. These are included in transmission, and your vendor may store these. Your developers have to take the additional steps to make sure to use the API in a compliant manner.

That means that the technical debt to configure tokens and strings properly is entirely upon your organization. It is paramount to check that no string associated with a call participant is stored on a vendor server.

The Daily API does not expose you to this risk. As a baseline, all of our video calls are encrypted and secure. We do not have access to in-call audio and video data. Furthermore, for a customer set up with our HIPAA configuration:

• We do not set any web browser cookies or use web browser local storage.
• We generate random identifier strings for your meetings. We do not store your user name and values on our servers. They are scrubbed from our servers.
• We disable recording for the default HIPAA configuration. Learn details in this post here. We can offer customized video storage options that are HIPAA-compliant.
• We require that rooms created with the API are randomly named, and make it easy to do so. (We do not want developers to accidentally create room names that might include personally identifying information (PII) or PHI.)

The above precautions are included, seamlessly, in our HIPAA product.

Process and pricing

Here are key details and links, to learn more and move forward:

• Go to the HIPAA page in our developer documentation. This is an updated page. It notes compliance requirements, pricing, and how to get started, https://docs.daily.co/docs/hipaa
• Learn more about the technical architecture in our technical blog post here, https://www.daily.co/blog/hipaa-compliance-details-for-the-daily-co-video-call-api
• HIPAA compliance enablement requires our $500/mo healthcare add-on. Learn more at our pricing page.

Helping build better care

Our team here at Daily is proud to support the privacy safeguards afforded by HIPAA. Contact us to learn about a BAA, and check out our developer resources, like support and sample code and tutorials. The best place to get started is our developer docs, https://docs.daily.co

Our work at Daily is grounded in the simple idea that people value talking to each other, face-to-face; it's exciting to make that easier, in a field as vital as healthcare. With our HIPAA configuration, your organization confidently can add secure video chat, to help your patients, users and providers connect better.