HIPAA-Compliant Video Conferencing

December 06, 2021
Written by
Reviewed by

HIPAA video

This article is for reference only. We're not onboarding new customers to Programmable Video. Existing customers can continue to use the product until December 5, 2024.

We recommend migrating your application to the API provided by our preferred video partner, Zoom. We've prepared this migration guide to assist you in minimizing any service disruption.

In 2020, when so many aspects of life moved to virtual spaces, we became more reliant on online tools like video conferencing than ever before. Video conferencing has proven to be an effective way to engage customers in all kinds of industries and has particular staying power in healthcare.

Telehealth has become an increasingly popular option for patients and providers to connect virtually—a big priority in the midst of a global pandemic. One of the biggest concerns when it comes to virtual communication is data security, which is especially vital in the healthcare industry due to the handling of sensitive data. That’s where HIPAA comes in.

The Health Insurance Portability and Accountability Act (HIPAA), signed into law in 1996, aims to provide security and data privacy protections in the healthcare industry. Any covered entities and business associates that process patient data, known as protected health information or personal health information (PHI), must comply with the HIPAA Privacy Rule.

HIPAA defines PHI as data that relates to:

  • The individual’s past, present, or future physical or mental health or condition
  • The provision of healthcare to the individual
  • The past, present, or future payment for the provision of healthcare to the individual

Complying with HIPAA means ensuring that all communications, including video chats, are private and secure to protect patients’ PHI.

This post will walk you through how to create a HIPAA-compliant video chat with Twilio’s API.

HIPAA compliance and Twilio

Wondering whether you’re a “covered entity” or “business associate” subject to HIPAA? We threw a lot of jargon at you, so let’s break it down.

Covered entities are certain healthcare providers, health plans, and healthcare clearinghouses that process PHI. Often, covered entities work with other individuals or businesses, known as business associates, to help them perform their functions.

For example, if you’re a healthcare provider engaging with patients via video conferencing, you’re a HIPAA-covered entity. And if you use Twilio to build your video conferencing platform, Twilio is your HIPAA business associate.

Under HIPAA’s Privacy Rule, covered entities may disclose PHI to business associates who have provided assurances about how they will use and protect this information. These assurances come in the form of Business Associate Addendums (BAA).

While the pandemic spurred communications innovation in the healthcare sector, Twilio quickly saw the need for HIPAA compliance for its key products. This gives healthcare providers the tools for patient engagement while protecting patients’ data.

As of April 2020, Twilio’s Programmable Video is HIPAA-eligible, along with our SMS and Voice APIs. This means that customers subject to HIPAA who utilize Twilio to build a video conferencing app can execute a BAA with Twilio, ensuring a commitment to data privacy and security.

HIPAA-eligible products and services

Twilio offers a variety of products and services that are HIPAA-eligible (when used in a compliant manner, which we’ll dive into next). When it comes to Programmable Video, which you can use to build a HIPAA video conferencing feature, eligible products and services include:

  • Small Group Rooms and Group Rooms
    • Datatrack
    • Recordings
    • Recording Compositions
    • Media Storage
  • Network Traversal Service

Head over to our full list of HIPAA-eligible products and services to learn more about Programmable Voice, Programmable SMS, and other offerings.

Architecting for HIPAA on Twilio

Whether you’re building a video conferencing platform or any other eligible product, there are a few requirements to ensure your workflows are HIPAA-compliant, along with some recommendations for optimal security.

Required for HIPAA:

  • Encrypted communication: Twilio supports encryption to ensure communications between Twilio and the application you build are protected. When architecting a HIPAA-compliant workflow, you’re required to use HTTPS to configure requests between your app and Twilio.
  • Signed webhook requests: When building a HIPAA-compliant workflow, you’re required to ensure that any requests to your application come from Twilio and not from malicious third parties. Twilio cryptographically signs its requests to ensure this level of security, and it’s your responsibility as the customer to verify the validity of the signature.

Recommended for HIPAA:

  • HTTP authentication (or Auth): Twilio recommends using HTTP Basic Authentication or Digest Authentication to password-protect the TwiML URLs on your server. This allows only you and Twilio to access them, further protecting your HIPAA-compliant workflow.
  • Static proxy: If you’re building with Voice, SMS TwiML, or TaskRouter products, static proxy routes all requests or webhooks from Twilio to your server via a static set of server addresses. This means you can have a predictable set of IP addresses and add them to your firewall or security device for additional protection.
  • Public key client validation: This mechanism introduces public/private keys to secure the communication between you and Twilio. It lets both parties know they’re talking to the intended services and that the requests have not been tampered with in any way.

Learn more about these requirements and recommendations for architecting for HIPAA on Twilio.

How to create a HIPAA-compliant video chat with Twilio API

Now that you have all the background, it’s time to create your HIPAA-compliant video chat using the Twilio API. Follow this roadmap to get started.

1. Build a high-quality video experience with Programmable Video

With Programmable Video, it only takes a few minutes to deploy your own video app. Twilio has open-sourced video collaboration applications for iOS, Android, and ReactJS for the web, all available on GitHub under the Apache License 2.0.

Twilio’s Video platform provides the building blocks to create a reliable, scalable, high-quality video experience. You can use it for any type of customer journey, including telehealth. Plus, with Twilio’s HIPAA-eligible Group Rooms (covered by Twilio’s BAA), you can connect providers with patients, family members, and interpreters.

Learn how to deploy your own video collaboration app and catch up on the latest passcode update.

2. Enforce HTTP Auth for accessing media recordings

HTTP Basic Auth is an additional requirement for building a HIPAA-compliant workflow that uses media recordings. You’re required to enforce HTTP Basic Auth using Twilio’s Account String Identifier (or Account SID) and Authentication token when you first request access to the media recording URL. While Twilio doesn’t enforce authentication on the returned URL that provides access to the recording, as the customer, you’re required to ensure that this URL is secure from unauthorized access.

Get started today with Twilio Video

Ready to start building your HIPAA-compliant video app? While you may find some free HIPAA-compliant video conferencing options, those likely won’t have the scalability and customization options Twilio provides. Learn more about Twilio’s commitment to HIPPA and get started with Twilio Video in less than 5 minutes.