Is the video encrypted and is Double HIPAA compliant?
Yes, the video connection used in the Double client apps is encrypted and always secure. It is based on the WebRTC video standard. The encryption used is an AES cipher with 256-bit or 128-bit keys to encrypt audio and video, plus HMAC-SHA1 to verify data integrity.
Furthermore, video is encrypted end-to-end. A direct peer-to-peer connection is attempted first and, only if it fails (likely due to blocked ports or network topology), a connection is attempted through a TURN server. The TURN server simply relays packets from one peer to the other; it cannot decrypt the video or audio data.
The first-generation Double and Double 2 both use the OpenTok video backend, which is a layer on top of standard WebRTC; in that case OpenTok operates the TURN servers.
Double 3 uses standard WebRTC directly and Double Robotics operates the TURN servers.
Both versions employ Transport Layer Security (TLS) to encrypt both voice and video data. TLS encryption is compliant with the HIPAA Security Rule for the transmission of patient health information over the Internet. However, Double does not typically sign "Business Associate Agreements" and does not specifically claim HIPAA or HITECH compliance.
In most customer use cases, Double is more appropriately considered a conduit in PHI transmission, so a BAA is typically not required.
For more information on HIPAA compliance through OpenTok, see: OpenTok HIPAA Compliance
For more information on WebRTC through OpenTok, see: http://tokbox.com/about-webrtc/
Last Updated: Oct 29, 2019 02:32PM PDT