HIPAA compliance details, for the Daily video call API

We’re proud to announce HIPAA compliance for our Daily video calling API.

Read the announcement. Here are some highlights:

  • Our API stands out for its ease of implementation and active compliance.
  • We have architected a specific HIPAA configuration that makes it simple for developers to add compliant video calls, in minutes. Advanced features, in-app controls, and layout customization are simple, too.

If you are a developer working with protected health information (PHI), we can set your API video calling domain to be HIPAA compliant. Daily can execute any agreements and provide any documentation you need, including a Business Associate Agreement (BAA).

This blog post is a follow-up to our announcement, and provides some background, for example on recording and chat. Developers and product teams can get code details below, in the last section of this post.

To learn more about how your organization can use the Daily API HIPAA product, please contact us. You can email help@daily.co, or talk with us at our website chat. HIPAA compliance is part of our $500/mo subscription plan. We're happy to give your team a 30-day free trial.

HIPAA compliance fundamentals

Our approach to HIPAA compliance is two-fold:

  1. We adhere to the highest standards of server and operational security. For example, we store data encrypted both in flight and at rest, we use two-factor authentication for all of our internal systems, and we limit access to internal data and keep audit trails of access and code deployment.
  2. For Daily domains that are configured for HIPAA use cases, we try to never store any data that might include Protected Health Information (PHI). Data that is not stored cannot be a security or privacy risk.

All of our video calls are encrypted and secure. We have no access to in-call audio and video data. We never share any data from the Daily API with anyone else, other than service providers that provide us with core functionality, and with which we have security and confidentiality agreements in place.

In addition, for Daily domains that are configured for HIPAA use cases, we do the following:

  1. We do not set any web browser cookies or use web browser local storage.
  2. Any user_name and user_id values that are set via API calls are scrubbed from our database and log files, and are available only during the video call. This means that meeting analytics will include only a randomly generated session_id and not any user_name or user_id data. You can correlate session IDs with your records of user names and IDs in your own code. Please contact us if you would like sample code or help with this.
  3. We offer HIPAA-compliant text chat by default. Whether using Daily Prebuilt and the enable_chat property, or building your own text chat implementation on top of Daily's sendAppMessage() method, chat data is never stored on Daily's servers.
  4. We offer three HIPAA-compliant recording options:
    • "local"
    • "output-byte-stream"
    • "cloud", when used with your own Amazon S3 bucket
    Cloud recordings that are not configured to use your own S3 bucket, by contrast, are stored on Daily's own infrastructure. Access to these recordings is restricted to a subset of our engineers, audited, and requires two-factor authentication. However, it is theoretically possible that a malicious attacker could gain access to these recordings, so HIPAA domains must either use "local" or "output-byte-stream" recording types, or configure "cloud" recordings into their own bucket.
  5. We require that rooms created with the API are randomly named. We do not want developers to accidentally create room names that might include Personally Identifiable Information or Personal Health Information.

For developers

You can use the Daily API for HIPAA use cases just as you do in general. Both the Daily Prebuilt ready-to-use video interface and custom applications built on the Daily call object are HIPAA-compliant.

See the HIPAA page in our developer documentation, to get the latest on implementation requirements. A quick summary:

  • Contact support to enable compliance. This requires our $500/mo healthcare add-on.

Reminder: For your video chat to be compliant, we must turn on compliance for your account, and calls must be embedded with our JS library.

Next steps, pricing and more

Read our API documentation here:

HIPAA compliance is part of our healthcare add-on, $500/mo.

To see a checklist of what to do, go to our HIPAA page in our developer docs. (It's pretty simple — you'll email us to request an upgrade and turn on compliance. The developer docs also underscore the requirement to embed with the front-end library.) The link is here: https://docs.daily.co/docs/hipaa

As developers know, working with PHI and attaining HIPAA compliance is a rigorous exercise. We’re proud to provide this HIPAA video calling resource!

Our customers can reach us anytime: email help@daily.co, or contact us at our website chat. We always are glad to answer developers' questions, and learn what your organization needs.
