HIPAA Compliance for Healthcare

Learn how to turn on HIPAA compliance with the Daily API

With just a few lines of code, developers can embed HIPAA compliant video calls. Both Daily Prebuilt, our ready-to-use embeddable video chat interface, and custom applications built on the Daily call object are HIPAA compliant. We designed our APIs to be secure and compliant from the ground up, so we will sign a HIPAA Business Associate Agreement (BAA). Our infrastructure lets you scale, and our blog posts and tutorials help you get started. You can also reach us for support.

Please read these sections to understand how compliance works:

We are glad to answer any questions about compliance. Ping us! Our answers can be more insightful if you provide context on your use case. We are also happy to schedule a call.

Mandatory: Requirements & Violation Warning

The following is required for HIPAA compliance:

  1. HIPAA compliance is part of our Scale plan, $199/mo. Please upgrade. Fill out this quick form. We'll then refund your payment, so you get a free 30-day trial.
  2. We must turn on compliance for your account, and confirm it's done. (The free trial and compliance form are the same. Once you fill it out, we'll follow up in 1 business day.)

Please be aware that on HIPAA domains room names must be randomly generated, and only certain recording types are HIPAA compliant.

More information on HIPAA compliance & technical architecture

Room names

  • You must create rooms programmatically via the API. You cannot create rooms via the dashboard.
  • Rooms must be named randomly by our API, so that room names cannot include any PII or PHI.

HIPAA compliant recording types

We offer two HIPAA compliant recording options: either the "local" or "output-byte-stream" recording type. These recordings are not stored on Daily. The other recording types ("cloud" and "rtp-tracks"), by contrast, are stored in the AWS S3 cloud. Access to cloud recordings is restricted to a subset of our engineers, audited, and requires two-factor authentication. However, it is theoretically possible that a malicious attacker could gain access to these recordings, so HIPAA domains must use "local" or "output-byte-stream" recording types.
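The two rules above (API-generated room names, and only "local" or "output-byte-stream" recording) can be enforced in your own backend before a request ever reaches Daily. The following is an added example, not code from Daily: the function names are hypothetical, and the endpoint URL, the enable_recording property name and the api_created and config room fields are assumptions about Daily's REST API that this page does not state.

```javascript
// Added example, not Daily's code. Assumptions: the REST endpoint, the
// `enable_recording` property and the `api_created`/`config` room fields.
const HIPAA_RECORDING_TYPES = new Set(["local", "output-byte-stream"]);

function checkRecording(rec) {
  // null/undefined means recording was never enabled for the room
  return rec == null || HIPAA_RECORDING_TYPES.has(rec);
}

// Build the room-creation request. No `name` is ever sent, so the API picks a
// random one and no PII/PHI can end up in the room URL.
function buildHipaaRoomRequest(apiKey, options = {}) {
  if ("name" in options) {
    throw new Error("room name must be generated by the API, not supplied");
  }
  const properties = options.properties || {};
  if (!checkRecording(properties.enable_recording)) {
    throw new Error(`recording type "${properties.enable_recording}" is not allowed`);
  }
  return {
    url: "https://api.daily.co/v1/rooms",
    method: "POST",
    headers: { Authorization: `Bearer ${apiKey}`, "Content-Type": "application/json" },
    body: JSON.stringify({ properties }),
  };
}

// Audit room objects already on the account; one finding per violation.
function auditRooms(rooms) {
  const findings = [];
  for (const room of rooms) {
    const rec = (room.config || {}).enable_recording;
    if (!checkRecording(rec)) {
      findings.push({ room: room.name, issue: `recording type "${rec}"` });
    }
    if (room.api_created === false) {
      findings.push({ room: room.name, issue: "not created via the API" });
    }
  }
  return findings;
}

// Constructed sample data, not real rooms.
const SAMPLE_ROOMS = [
  { name: "w2pp2cf4kltgFACPKXmX", api_created: true, config: { enable_recording: "local" } },
  { name: "k9QzT1bVxY0aLmN3RsUd", api_created: true, config: { enable_recording: "cloud" } },
  { name: "dr-smith-jane-doe", api_created: false, config: {} },
];
console.log(auditRooms(SAMPLE_ROOMS));
```

Pass the object returned by buildHipaaRoomRequest to your HTTP client of choice; the audit function is meant for room lists you have already fetched.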

Text chat

We offer HIPAA compliant text chat by default. Whether using Daily Prebuilt and the enable_chat room property, or building your own text chat implementation on top of Daily's sendAppMessage() method, chat data is never stored on Daily's servers.

Pricing & Free Trial

  • HIPAA compliance requires an upgrade to our Scale plan, $199/mo. Learn more about pricing.
  • We are happy to give a 30-day free trial. Please upgrade. When you fill out your form requesting compliance, we'll also refund your upgrade. See the form.

Get started: How to turn on compliance

  1. Sign up and claim your subdomain at https://daily.co.
  2. Generate your API key. (That's free.)
  3. Upgrade to Scale.
  4. Fill out this form.
  5. In 1 business day, we refund your upgrade for a 30-day free trial, and also enable HIPAA compliance for your subdomain. We will confirm this is done.
  6. During implementation, use our JS library to embed calls.

How can we help?

Let us know if you'd like to touch base on our roadmap, and what other features or help we can provide. Contact us anytime!
