HIPAA
Is your platform HIPAA compliant? How so?
Yes. For real-time digital communication of patient information, HIPAA requires that the communication channel be properly secured to protect patient confidentiality. Our platform ensures secure transmission by using:
A Secure Connection: Sessions are established over a secure connection, using secured session tokens that are regenerated. Clients generate random AES keys at the beginning of the media connection and, to increase security, generate additional keys periodically throughout the session.
Data Transmission and Encryption: Our platform employs Transport Layer Security (TLS) to encrypt both voice and video data. The core protocols are SRTP for encrypting media traffic and DTLS-SRTP for key negotiation, both of which are defined by the IETF. The endpoints use the AES cipher with 128-bit keys to encrypt audio and video and HMAC-SHA1 to verify data integrity.
Do you store PHI?
We do not store anything transmitted during the course of a telehealth session, and we cannot access it at all, either in real time or after the fact. Our platform is designed simply to route messages between endpoints.
Will you sign a BAA?
Yes. To generate a signed BAA, log into your account and navigate to Your Account > BAA.
Anything else?
In the context of telehealth, too much emphasis is placed on the underlying technology and not enough on provider behavior, which is actually the far more significant component of HIPAA compliance. For instance, just as you wouldn't meet with a patient in a shared office with other people around, you also shouldn't meet with a patient over telehealth when you're in a public place. Even if others are not visible to the patient, the content of your conversation may be overheard. We recommend you seek information from the American Psychological Association, the American Psychiatric Association, or other similar professional associations to become informed on best practices.