VideoSDK HIPAA Compliance Overview
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law that establishes strict standards for the protection of Protected Health Information (PHI). It governs how healthcare providers, partners, and service vendors collect, store, transmit, and manage sensitive patient data.
HIPAA requires organizations to implement strong physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of PHI.
How VideoSDK Ensures HIPAA Compliance
1. PHI Protection & Data Handling
VideoSDK can be deployed in a HIPAA-aligned environment to ensure that Protected Health Information is safeguarded across all stages of processing, routing, and communication.
2. Encryption (In-Transit & At-Rest)
All data, including video, audio, metadata, and signaling, is encrypted in transit using industry-standard security protocols, including:
- Transport Layer Security (TLS) for secure network communication
- Secure Real-time Transport Protocol (SRTP) for media encryption
Where applicable, storage systems support encryption at rest to ensure PHI remains protected even when stored.
3. Access Controls & Authentication
VideoSDK uses secure authentication and access control mechanisms including:
- JSON Web Token (JWT)–based authentication
- Role-based permissions for enforcing least-privilege access
4. Business Associate Agreement (BAA)
VideoSDK offers a formal Business Associate Agreement (BAA) to covered entities and business associates. The BAA outlines required safeguards, shared responsibilities, confidentiality requirements, and HIPAA regulatory obligations.
5. Secure Media Routing
Media routing can be performed through HIPAA-aligned cloud infrastructure, featuring:
- Strict network isolation
- Limited administrative access
- Secure environment segmentation
- Configurable routing options designed to protect PHI
6. No Storage Without Explicit Enablement
- VideoSDK does not store any audio, video, or screen-sharing data unless customers explicitly enable features such as recording or archiving.
- Recordings are uploaded directly to the customer’s cloud storage bucket, minimizing exposure of Protected Health Information (PHI).
- This default behavior significantly reduces the risk of PHI exposure and ensures customers maintain full control over stored media.
Customer Responsibilities
While VideoSDK provides HIPAA-aligned infrastructure and security controls, customers acting as data controllers are responsible for:
- Proper management of PHI
- Configuring privacy settings and access controls
- Ensuring that only authorized end-users access PHI
- Handling patient consent, auditing, data retention, and lawful disclosure
- Ensuring HIPAA compliance within their own application logic and data workflows
HIPAA compliance is a shared responsibility, and customers must ensure their implementation meets regulatory requirements.
HIPAA-Compliant Features (Allowed)
- Composite Recording (customer's cloud storage required):
  - Recordings are uploaded directly to the customer's bucket and deleted immediately from VideoSDK.
  - VideoSDK has write-only access and cannot read customer storage.
- Noise Cancellation: Client-side; no PHI storage.
- Whiteboard & Polls & Quizzes: No PHI stored.
- SIP Audio & Video: Encrypted and HIPAA-aligned.
- Chat: Not stored; disappears after session.
Disabled Features in HIPAA Mode
The following services are not supported in a HIPAA-aligned deployment:
- Live Transcription
- Closed Captions
- Post-Call Transcription
- AI-Generated Summaries
- Live Streaming (HLS)
- Live Streaming (RTMP-Out)
- Live Transcription for HLS
Contact & Documentation
For compliance questions, BAA requests, or security documentation, contact: security@videosdk.live