How does SecureVideo meet HIPAA standards?

Published 12/18/2013 at 6:36pm UTC


How does SecureVideo meet standards for the Health Insurance Portability and Accountability Act (HIPAA)?


  • 256-bit AES-encrypted signaling and media stream
  • Connections to web app and API through HTTPS only, using TLS 1.3 or 1.2 for in-transit encryption. (See our Qualys SSL Labs Report here.)
  • 128-bit AES-encrypted full database encryption using BitLocker
  • PHI encrypted at rest using AES-256.
  • Amazon Web Services data center; their security measures can be found in detail on the AWS Security page.
  • Each session participant has his/her own individual session access code, which provides granular access and auditability
  • Auditing of all system logins and actions by IP addresses and user agents
  • No passwords stored on our system; we store salted one-way password hashes only
  • Notifications sent from our system, such as invites, notifications, and reminders, never include any PHI
  • For additional PCI compliance, no credit cards are stored on our system, nor does any credit card information pass through our system in unencrypted form; all credit card information is vaulted at our PCI-compliant merchant gateway
  • One-Click video engine, through Twilio integration: this WebRTC technology runs peer-to-peer by default, instead of through a relay, which results in the videoconferencing streams not transiting our infrastructure in the vast majority of technical scenarios. We do use a secure relay when necessary, as in the case of multiple Network Address Translation (NAT) devices situated between the endpoints. For group sessions of 3 or more participants (including the host), each participant negotiates its own DTLS/SRTP connection to Twilio's media servers, and all media published to or subscribed from the Room is transported through this secure connection. 
  • Zoom video engine: our media streams run point-to-point in one-to-one calls, during which the videoconferencing streams do not transit our infrastructure unless a relay is required.
  • Unless Customer has chosen to add the SecureVideo HIPAA Compliant Cloud Recording feature to their account, video streams are not recorded or stored on SecureVideo servers. 

Business Associate Agreement 
Because our system was built from the ground up to be HIPAA compliant, we will provide a signed Business Associate Agreement for all customers that have signed up for an account.