Is Whereby HIPAA Compliant? BAA, Security, and Telehealth Explained
HIPAA-Compliant Telehealth Features
Whether your use of Whereby is HIPAA compliant depends on contractual commitments and the way you configure the platform. You must ensure every feature that touches Protected Health Information (PHI) aligns with HIPAA’s Privacy and Security Rules and your own policies.
Evaluate Whereby (or any video platform) for the following telehealth security capabilities before using it with PHI:
- Business Associate Agreement availability that covers the specific product, features, data flows, and subprocessors you will use.
- Encryption in transit by default and optional End-to-End Encryption for sessions where feasible.
- Strong access controls: unique meeting links, waiting rooms/admission control, meeting locks, passcodes, role-based permissions, and host moderation.
- Audit logs for administrative actions, meeting access, configuration changes, and integrations, with retention and export options.
- Data minimization and retention controls, including the ability to disable or strictly manage recordings, chat, and file transfer.
- Identity and authentication options such as SSO/SAML and multifactor authentication for administrators and clinicians.
- Transparent data residency and subprocessor disclosures to support your risk analysis and vendor management.
Business Associate Agreement Requirements
A Business Associate Agreement (BAA) is mandatory before any PHI is created, received, maintained, or transmitted through Whereby. Without a signed BAA, you should not use the platform for PHI under any circumstances.
Confirm that the BAA you execute includes the following essentials:
- Permitted uses and disclosures of PHI, including any analytics or telemetry and how identifiers are handled.
- Administrative, physical, and technical safeguards the vendor will maintain, mapped to the HIPAA Security Rule.
- Breach and security incident notification timelines and cooperation duties.
- Subcontractor flow-down obligations so every supporting service is bound to HIPAA terms.
- Return or destruction of PHI at termination and data retention timeframes.
- Audit rights or documentation availability to support your compliance program.
Verify that the BAA explicitly covers the plan and features you intend to use (for example, recordings, group sessions, chat, or embedded workflows). If an item is excluded, treat it as out of scope for PHI.
Technical Security Safeguards
Encryption and key management
Use strong encryption in transit for all sessions, and enable End-to-End Encryption when your clinical workflow allows it. Ensure any stored metadata or recordings are encrypted at rest with robust key management and restricted access.
Identity and access controls
Harden access with SSO/SAML, multifactor authentication, and least-privilege roles. Use waiting rooms, host admission, meeting locks, and expiring one-time links to prevent unauthorized entry to visits.
Audit logs and monitoring
Enable audit logs that capture who accessed PHI, when meetings were joined, configuration changes, and administrative actions. Monitor logs, set alerts for anomalies, and retain records per your policy to support investigations.
Data retention and recordings
Default to no recording unless clinically and legally necessary. If you must record, document a lawful purpose, store recordings in a HIPAA-governed repository, restrict access, and define retention and destruction schedules.
Secure configuration and integrations
Limit PHI in meeting titles, invites, or URLs. Review and secure webhooks, APIs, and third-party integrations used with Whereby; each integration that handles PHI requires its own BAA and controls.
Risk assessment
Perform and document a HIPAA Risk Assessment of your Whereby implementation, addressing threats, likelihood, impact, and mitigations. Reassess after feature changes, new integrations, or notable security events.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Telehealth Use Cases
1:1 clinical visits
Use unique, expiring links with admission control, disable recordings, and verify patient identity at entry. Minimize PHI shared on-screen and in chat, and document consent when needed.
Group therapy or education
Apply strict host controls, waiting rooms, and participant muting. Avoid recording unless policy requires it and all participants consent; share only the minimum necessary PHI.
Specialist consults and care coordination
Invite only essential participants, use role-based permissions, and capture access in audit logs. If sharing images or documents, send via a HIPAA-compliant repository rather than meeting chat.
Interpreter or caregiver participation
Record authorization to include support persons, restrict their access to minimum necessary PHI, and remove them promptly when their role ends.
Provider Compliance Responsibilities
Vendor controls alone do not make you compliant. You must pair Whereby’s capabilities with policies, training, and governance to protect PHI and meet HIPAA requirements.
- Execute a Business Associate Agreement covering your exact use of Whereby and any integrations.
- Complete a documented Risk Assessment and implement risk management actions for identified gaps.
- Publish policies for identity verification, consent, recording, data retention, and incident response.
- Train staff on telehealth security, privacy practices, secure configurations, and phishing awareness.
- Enforce access controls, SSO/MFA, and least privilege; review access rights regularly.
- Enable and review audit logs; investigate anomalies and keep evidence per retention rules.
- Test your breach response plan, including vendor coordination and notification workflows.
- Avoid placing PHI in invites, meeting names, or unsecured notes; use approved systems for documentation.
Conclusion
Is Whereby HIPAA compliant? It can support HIPAA-compliant use when you have a signed BAA, implement strong access controls and encryption, manage audit logs and retention, and operate under disciplined policies and training. Without a BAA or proper safeguards, do not use Whereby for PHI.
FAQs
What is required to make Whereby HIPAA compliant?
You need a signed Business Associate Agreement, secure configuration (encryption, access controls, and logging), disciplined workflows that minimize PHI exposure, documented policies, workforce training, and a completed Risk Assessment with ongoing monitoring and remediation.
How does Whereby protect patient data?
When configured appropriately, Whereby can protect patient data through encryption in transit, options for End-to-End Encryption in suitable scenarios, host and admission controls, meeting locks, and administrative settings that generate audit logs and enforce retention rules. Confirm these protections in your contract and implementation.
What is a BAA and why is it necessary?
A Business Associate Agreement is a HIPAA-required contract that binds a vendor handling PHI to specific privacy and security obligations. It defines permitted uses, safeguards, breach notification duties, and data disposition—making it essential before any PHI flows through the service.
How can providers ensure compliance using Whereby?
Map your telehealth workflow, execute a BAA, enable strong access controls, restrict recordings, enforce SSO/MFA, and retain comprehensive audit logs. Train staff, avoid PHI in invites or titles, use approved repositories for files, and periodically reassess risks to keep your Whereby deployment aligned with HIPAA.