Developers can build HIPAA-compliant video applications with Twilio's Programmable Video SDKs when media is routed using a peer-to-peer topology or relayed through TURN. In that architecture Twilio acts as a "conduit" and, as a conduit, does not require a signed BAA (Business Associate Agreement) between your organization and Twilio.
Notice: Twilio is providing this information only as a courtesy, and this does not constitute the provision of legal advice. This information should not be used as a substitute for obtaining legal advice from a licensed attorney with appropriate expertise and authorization to practice in your jurisdiction. Twilio is not in a position to interpret any laws, rules, or regulations on behalf of its customers or other third parties. Determinations of whether you are using Twilio as a “conduit” will be fact specific based on how you use Programmable Video. You should consult with your legal advisors to ensure that your use of Programmable Video is compliant with HIPAA and all other applicable laws, regulations, and requirements.
Why HIPAA Compliance Is Important for Communications Applications
HIPAA is the United States federal Health Insurance Portability and Accountability Act, which seeks to protect the confidentiality and security of healthcare information. When building an app that may be used for medical-related purposes, those communications may involve the exchange of PHI (protected health information), which is protected under HIPAA regulations. Under the HIPAA Privacy Rule, "covered entities" (including health plans, health care providers, and health care clearinghouses) are required to use appropriate safeguards to protect the privacy of PHI. When a covered entity uses a service provider, a "Business Associate" such as a software provider, to process PHI, it must make sure that the service provider agrees to properly secure PHI on behalf of the covered entity. This is typically achieved by contractually obligating the service provider to adhere to the HIPAA privacy and security rules through a Business Associate Agreement (BAA) or Business Associate Contract. However, there are a few defined exceptions to this requirement, and one of these is for conduit services (more info below).
How the Conduit Exception Works
There is an exception to requiring a BAA for companies transmitting PHI, called the "conduit" exception. Per the U.S. Department of Health and Human Services (HHS), a BAA is not needed "with a person or organization that acts merely as a conduit for protected health information, for example, the US Postal Service, certain private couriers, and their electronic equivalents." HHS later clarified this exception, stating that "entities that act as mere conduits for the transport of protected health information but do not access the information other than on a random or infrequent basis are not business associates."
Using Twilio Programmable Video as a Conduit
Programmable Video can be regarded as a conduit service when used with a peer-to-peer topology (or with TURN-relayed media). By default, Twilio's Programmable Video product attempts to route video calls in a peer-to-peer manner, in which video and voice media flows directly between the two users and never touches any of Twilio's infrastructure. In other words, there is no storage or processing of the contents of the communication on Twilio. The conduit description on this page rests on that property: any configuration in which Twilio's infrastructure decrypts, mixes, records or otherwise processes the media falls outside it and must be assessed separately.
In the case where a user's device is behind a symmetric NAT (or any other network condition that prevents a direct peer-to-peer connection from being established), Twilio will by default relay media through a TURN server. The TURN server is only a relay point: it forwards packets without storing or processing the media. The relayed packets remain encrypted, and Twilio does not and cannot decrypt them. Twilio uses WebRTC as the media stack in Programmable Video, which encrypts media between the two participants using SRTP; the SRTP keys are negotiated between the two endpoints with DTLS-SRTP, so the relay never holds them. This means that the contents of the communication remain encrypted until they reach the web or mobile application of the receiving user.
Signaling Encryption & Best Practices
Signaling is used to establish sessions, communicate events during a call (e.g. a new microphone became available), and tear down those sessions. Signaling is not used to pass any of the content of the call. Twilio secures signaling with TLS (Transport Layer Security). It is important to note that the Participant identity string, which you define in your application, is stored by Twilio. Therefore, these strings should not contain any PHI. As an example, if an email address or name constitutes PHI in your particular use case, you should not use those as the participant identity string. Instead, use a randomly generated alphanumeric string and keep the mapping from that string to the real user on your own systems. Apply the same rule to any other identifier you choose and send to Twilio, such as a Room name.
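The following is an added example, not Twilio's code, of the practice just described: each participant gets an opaque random handle, the handle-to-patient mapping stays in your own directory, and a positive allowlist on the identifier format refuses anything that looks like a name, email or phone number before it can be placed in a token. The token builder mirrors the HS256 claim layout of Twilio's helper-library access tokens (an assumption here; in production generate tokens with the official helper library), and the SIDs, secret and patient record are constructed demo values.

```python
"""Opaque participant identities for Twilio Video access tokens.

Added example, not Twilio's code. The PHI-bearing record stays in your own
directory; only the random handle (and an equally opaque room name) is ever
placed in the token that Twilio receives and stores.
"""
import base64
import hashlib
import hmac
import json
import re
import secrets
import time

# Allowlist for anything sent to Twilio as an identifier: URL-safe base64
# alphabet, 16 to 128 characters. Emails, names, MRNs and phone numbers all
# fail this test, so PHI cannot slip in by accident.
_OPAQUE_RE = re.compile(r"^[A-Za-z0-9_-]{16,128}$")


def new_opaque_handle(nbytes: int = 24) -> str:
    """Random, unguessable identifier (32 URL-safe chars for the default)."""
    return secrets.token_urlsafe(nbytes)


def is_opaque_handle(value: str) -> bool:
    """True only for strings matching the opaque-identifier allowlist."""
    return bool(_OPAQUE_RE.fullmatch(value))


class IdentityDirectory:
    """Server-side mapping from opaque handle to the real participant.

    Stands in for a database table. This side may hold PHI; the handle is
    the only thing that crosses to Twilio.
    """

    def __init__(self):
        self._records = {}

    def enroll(self, participant_record: dict) -> str:
        handle = new_opaque_handle()
        self._records[handle] = participant_record
        return handle

    def resolve(self, handle: str):
        return self._records.get(handle)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_video_token(account_sid, api_key_sid, api_key_secret, identity, room, ttl=3600, now=None):
    """Build an HS256 access token carrying a Video grant.

    Claim layout follows Twilio's helper-library access tokens (assumption;
    check against the helper library you ship with). Refuses identities or
    room names that are not opaque handles.
    """
    if not is_opaque_handle(identity):
        raise ValueError("participant identity must be an opaque handle, not PHI")
    if not is_opaque_handle(room):
        raise ValueError("room name must be an opaque handle, not PHI")
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "HS256", "cty": "twilio-fpa;v=1"}
    payload = {
        "jti": f"{api_key_sid}-{now}",
        "iss": api_key_sid,
        "sub": account_sid,
        "exp": now + ttl,
        "grants": {"identity": identity, "video": {"room": room}},
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(api_key_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_and_decode(token: str, api_key_secret: str) -> dict:
    """Check the HS256 signature and return the claims Twilio would see."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    expected = hmac.new(api_key_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


if __name__ == "__main__":
    # Constructed demo values; real SIDs and secrets come from your Twilio console.
    directory = IdentityDirectory()
    handle = directory.enroll({"name": "Jane Doe", "mrn": "000123"})  # PHI stays here
    room = new_opaque_handle(12)
    token = make_video_token("AC" + "0" * 32, "SK" + "0" * 32, "demo-secret", handle, room)
    print(verify_and_decode(token, "demo-secret")["grants"])
```

The check is an allowlist on format rather than a blocklist of PHI patterns: a pattern-based PHI detector will always miss something, whereas a random handle from a fixed alphabet cannot carry a name or address in the first place. Resolve the handle back to the patient only on your own server, never on the client or in anything logged to Twilio.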
Will Twilio sign a BAA?
Twilio's policy is not to sign BAAs for Programmable Video. However, as described above, you should not need a signed BAA to create a HIPAA-compliant voice and video communications app using Twilio Programmable Video.