Is the video encrypted and is Double HIPAA compliant?

Yes, the video connection used in the Double client apps is encrypted and always secure.  It is based on the WebRTC video standard, through the third-party service OpenTok. The encryption used is an AES cipher with 128-bit keys to encrypt audio and video, plus HMAC-SHA1 to verify data integrity.

Furthermore, video is encrypted end-to-end. A direct peer-to-peer connection is attempted first and, only if it fails (likely due to blocked ports or network topology), a connection is attempted through a TURN server. The TURN server simply relays packets from one peer to the other - it doesn't decrypt anything.

OpenTok (the video platform used by Double) employs Transport Layer Security (TLS) to encrypt both voice and video data. TLS encryption is compliant with the HIPAA Security Rule for the transmission of patient health information over the Internet. However, Double does not sign "Business Associate Agreements" and does not specifically claim HIPAA or HITECH compliance.

In most customer use cases, Double is more appropriately considered a conduit in PHI transmission, so a BAA is typically not required. 

For more information on HIPAA compliance of our video platform, see: OpenTok HIPAA Compliance

For more information on WebRTC through OpenTok, see:

Last Updated: Dec 03, 2018 03:50PM PST