HIPAA Compliance for Healthcare
With just a few lines of code, developers can embed HIPAA compliant video calls. Both Daily Prebuilt, our ready-to-use embeddable video chat interface, and custom applications built on the Daily call object are HIPAA compliant. We designed our APIs to be secure and compliant from the ground up, so we will sign a HIPAA Business Associate Agreement (BAA). Our infrastructure lets you scale, and our blog posts and tutorials help you get support. You also can reach us for support.
Please read these sections to understand how compliance works:
- Mandatory: Compliance requirements & Violation warning
- HIPAA compliance & technical architecture
- Room names
- HIPAA compliant recording types
- Text chat
- Pricing & free trial
- Get started: how to turn on compliance
We are glad to answer any questions about compliance. Ping us! Our answers can be more insightful if you provide context on your use case. We are also happy to schedule a call.
The following is required for HIPAA compliance:
- HIPAA compliance is part of our Scale plan, $199/mo. Please upgrade. Fill out this quick form. We'll then refund your payment, so you get a free 30-day trial.
- We must turn on compliance for your account, and confirm it's done. (The free trial and compliance form are the same. Once you fill it out, we'll follow up in 1 business day.)
- See our overview blog post on HIPAA compliance
- For more details, please read our detailed blog post by our CEO and lead engineer Kwin.
- Our engineering team is always happy to answer questions about our architecture compliance.
- To create rooms, you must create them programmatically via the API. You cannot create rooms via the dashboard.
- Rooms must be named randomly by our API in order to prevent room name information from including any PII or PHI.
We offer two HIPAA compliant recording options: either the "output-byte-stream" recording type. These recordings are not stored on Daily. The other recording types ("rtp-tracks"), by contrast, are stored in the AWS S3 cloud. Access to cloud recordings is restricted to a subset of our engineers, audited, and requires two-factor authentication. However, it is theoretically possible that a malicious attacker could gain access to these recordings, so HIPAA domains must use "output-byte-stream" recording types.
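The room-name and recording rules above can be enforced in your own backend before any request reaches the API. The following is an added example, not Daily's code: the helper names are hypothetical, and the `https://api.daily.co/v1/rooms` endpoint, the Bearer header and the `enable_recording` property are assumptions that do not appear on this page.

```javascript
// Added example: pre-flight guard for room-creation requests on a HIPAA-enabled domain.
// Assumption (not on the page): rooms are created with POST to this REST endpoint.
const ROOMS_ENDPOINT = "https://api.daily.co/v1/rooms";
// The only recording type the page permits for HIPAA domains.
const ALLOWED_RECORDING = new Set(["output-byte-stream"]);

// Hypothetical helper: lists policy violations in a caller-supplied room config.
function hipaaViolations(config) {
  if (config === null || typeof config !== "object" || Array.isArray(config)) {
    return ["config must be a plain object"];
  }
  const problems = [];
  // A caller-chosen name can leak PII/PHI (patient name, appointment id),
  // so any explicit name is rejected and the API is left to pick a random one.
  if (Object.prototype.hasOwnProperty.call(config, "name")) {
    problems.push("name must be omitted so the API assigns a random room name");
  }
  const props = config.properties || {};
  // Assumption: the recording type is set through an enable_recording property.
  const rec = props.enable_recording;
  if (rec !== undefined && !ALLOWED_RECORDING.has(rec)) {
    problems.push(`enable_recording "${rec}" is not allowed; use "output-byte-stream"`);
  }
  return problems;
}

// Hypothetical helper: builds (but does not send) the request, failing closed on violations.
function buildRoomRequest(apiKey, config = {}) {
  const problems = hipaaViolations(config);
  if (problems.length > 0) {
    throw new Error("HIPAA room policy: " + problems.join("; "));
  }
  return {
    url: ROOMS_ENDPOINT,
    options: {
      method: "POST",
      headers: { "Content-Type": "application/json", Authorization: `Bearer ${apiKey}` },
      // Only properties are forwarded; no name field is ever serialized.
      body: JSON.stringify({ properties: config.properties || {} }),
    },
  };
}

// Constructed sample inputs (placeholder key, made-up room name).
const okRequest = buildRoomRequest("PLACEHOLDER_API_KEY", {
  properties: { enable_chat: true, enable_recording: "output-byte-stream" },
});
console.log(okRequest.options.body);
console.log(hipaaViolations({ name: "jane-doe-cardiology", properties: { enable_recording: "rtp-tracks" } }));
```

Pass `url` and `options` to `fetch` from server-side code only, so the API key never reaches the browser.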
We offer HIPAA compliant text chat by default. Whether using Daily Prebuilt and the enable_chat room property, or building your own text chat implementation on top of Daily's sendAppMessage() method, chat data is never stored on Daily's servers.
- HIPAA compliance requires our Scale plan, $199/mo upgrade. Learn more about pricing.
- We are happy to give a 30-day free trial. Please upgrade. When you fill out your form requesting compliance, we'll also refund your upgrade. See the form.
- Sign up and claim your subdomain at https://daily.co.
- Generate your API key. (That's free.)
- Upgrade to Scale.
- Fill out this form.
- In 1 business day, we refund your upgrade for a 30-day free trial, and also enable HIPAA compliance for your subdomain. We will confirm this is done.
- During implementation, use our JS library to embed calls.
Let us know if you'd like to touch base on our roadmap, and what other features or help we can provide. Contact us anytime!