What healthcare providers need to know about video and HIPAA

November 15th, 2023
Vimeo’s Chief Information Security Officer announces new HIPAA-compliant video solutions for healthcare companies.

Want to create an interactive clinical training? Or share video testimonials on your website? Or maybe you want to encourage internal learning with a secure video library?

From interactive training to live and on-demand communication to education, video is a powerful tool for healthcare professionals trying to serve patients and communities. But being in a HIPAA-regulated industry adds a layer of complexity to video management and third-party tooling.

HIPAA, or the Health Insurance Portability and Accountability Act, is a U.S. federal law that establishes national standards for protecting individuals’ personal health information. As more healthcare companies look to use video to engage and educate their communities, it's crucial to select a video hosting provider as committed to data security as you are.

That’s where Vimeo comes in. To better serve healthcare customers, we are now offering enterprise customers a HIPAA-compliant video hosting solution.

The solution includes Vimeo entering into business associate agreements (BAAs) with covered entities and business associates on eligible plans, giving healthcare customers the confidence to use Vimeo's hosting platform to embed videos, share medical advancements and updates, and better distribute content across teams in a secure and compliant manner.

How Vimeo supports healthcare customers

Here at Vimeo, keeping your data safe and secure has always been a top priority. We follow industry-wide best practices for security and compliance, and we have the SOC 2 report and ISO 27001 certification to prove it. Some of our existing controls include:

  • Authenticated login: Vimeo uses robust security measures like single sign-on (SSO) and two-factor authentication (2FA) to make sure your videos can only be viewed by your intended audience, and no one else.
  • User management and privacy settings: Granular role-based access controls, folder management, and video privacy settings allow you to control not only who can publish your videos, but also how and where.
  • Data processing: Both video content and user data are encrypted using industry best practices such as AES-256 and TLS 1.2. Custom data retention settings allow you to automate deletion of video content on Vimeo according to your unique compliance needs, making it easier to adhere to your organization’s data retention policy.

As part of our commitment to helping healthcare organizations use video, Vimeo completed the security risk analysis provided by the U.S. Department of Health and Human Services (HHS). The analysis helped us validate Vimeo’s compliance with HIPAA’s administrative, physical, and technical safeguards as outlined in the HIPAA Security Rule. For more in-depth information on how to configure Vimeo for HIPAA-compliant use, please see our help center documentation.

To further strengthen our offering for healthcare companies, Vimeo took the following additional steps:

1. We signed BAAs with our third-party data processors.

Business associate agreements (BAAs) establish a legal framework that outlines the obligations and responsibilities regarding protected health information (PHI) for sub-processors who store or process customer data. This agreement signifies that both Vimeo and our sub-processors understand the importance of protecting PHI and are committed to complying with HIPAA regulations by:

  • Limiting sub-processors’ use of PHI to only what is necessary for the agreed-upon services
  • Requiring sub-processors to implement appropriate security measures to safeguard PHI, including administrative, physical, and technical safeguards
  • Establishing accountability and liability, ensuring appropriate actions are taken to mitigate risks in the event of a data breach or non-compliance

2. We established a HIPAA security policy and internal training.

Protecting PHI isn’t just our security team’s job — it’s everyone’s job. While we have long stressed the importance of data security internally at Vimeo, we also took the step of codifying all procedures, practices, and safeguards related to PHI in a formal HIPAA security policy. By requiring employees to sign and acknowledge this policy, we established a shared understanding of the responsibilities and obligations expected of everyone at Vimeo.

In addition, we rolled out an internal HIPAA training program designed to educate all employees on the importance of maintaining confidentiality and integrity of PHI, safeguards and best practices for handling PHI, as well as the potential consequences of non-compliance.

3. We now offer a BAA to Vimeo customers.

Finally, Vimeo offers enterprise customers in HIPAA-regulated industries a HIPAA business associate agreement. HIPAA requires healthcare providers (or “covered entities,” in HIPAA talk) to enter into such agreements with any and all business associates (in this case, Vimeo) who will be processing protected health data. Vimeo’s BAA outlines the standards we employ to safeguard PHI and empowers our customers in the healthcare space to invest in video within a secure and compliant healthcare ecosystem.

To learn more about entering into a BAA with Vimeo, please contact us to discuss your healthcare video needs with our team. For more details on how we secure our platform, check out our enterprise security offerings and certifications.
