HIPAA Compliant Chat API & SDK for Messaging and Video Conferencing

Vladlen Shulepov posted on Mar 19, 2020
HIPAA Compliant Chat API and SDK

Are you planning to build a healthcare application? It might be just the right time! The global mobile medical apps market is thriving and estimated to grow to over 11 billion dollars by 2025.  

Being a promising endeavor, healthcare app development is somewhat challenging, though. The most demanding issue you might face is making your software HIPAA compliant. If you are planning to include communication features in your app (like messaging or video conferencing), you’ve got to use a HIPAA compliant chat SDK or API for this.

At Riseapps, we have a wealth of experience in building healthcare and telemedicine apps. In this article, we’ll list a couple of tools you might find useful when building a healthcare app with communication features. We’ll also cover some basic questions on the topic. 

What should you know about HIPAA compliance? Which tools offer in-app chat and messaging protected by the HIPAA Privacy and Security Rules? Read on to learn more.


What is HIPAA compliance? 

Basically, a HIPAA compliant tool is one that operates according to the measures set out in the HIPAA regulations.

There are two basic components of HIPAA: the Privacy Rule and the Security Rule. Both rules are about protecting the confidential use of protected health information (PHI).

What is PHI?

PHI is any health information that can be tied to an individual. Protected health information includes one or more of 18 identifiers like names, dates, account numbers, etc. 

If these identifiers are removed, the information is considered de-identified health information and is no longer subject to the restrictions of the HIPAA Privacy Rule.

Here are some examples of PHI:

  • Medical records
  • Video and audio chats between patients and physicians (or nurses)
  • Patients’ billing information
  • Insurance information

Does my tool need to be HIPAA compliant? 

Disclaimer: this article is written for informational purposes and can’t be used as legal advice. We suggest you consult your lawyer about HIPAA compliance and get an expert opinion on your particular case from a qualified software engineering company.

According to HIPAA, if you belong to the category of “covered entities” or “business associates” and handle PHI your tool needs to be HIPAA compliant. 

Check out this table. Do you belong to any of these categories? Are you engaged in any of these activities? If so, you most likely fall under HIPAA rules.

Covered entities:
  • Healthcare providers (clinics, hospitals, pharmacies, nursing homes, physicians, surgeons, etc.)
  • Health care clearinghouses (billing services, health management information systems)
  • Health plans (HMOs, company health plans, Medicare, Medicaid)

Business associates (examples):
  • Data transmission providers
  • Data processing firms
  • Medical transcription services
  • Data storage companies
  • External accountants (auditors)

You can learn more about all categories of covered entities and business associates by checking out this link.  

If you are still not sure whether your tool should be HIPAA compliant or not, we suggest you consult a qualified lawyer or experienced software development company like Riseapps. 


How to choose HIPAA Compliant Chat API & SDK?

If you have found out that your software does need to be HIPAA compliant, let’s see what tools you can use to build it and how to choose them.

With these questions, we turned to Riseapps expert Dmytro, a senior iOS developer with 15 years of experience in software engineering.

Wrapping up his answer, there are 3 key factors to pay attention to: 

  1. Claims about being HIPAA compliant 
  2. Price
  3. Support 

Here’s Dmytro’s full answer: 

“First, I would pay close attention to whether a tool is claimed to be HIPAA compliant. If so, you can feel much safer when building your software. Second, it’s all about the cost of an API or SDK. Clearly, the cheapest tools on the market might be seriously limited in capabilities. The third factor, which is especially important at the development stage, is the quality of support. How quickly and willingly do their experts respond to issues and questions your developers might have? It’s a good idea to consider all 3 aspects before building a tool.”

Now, as we have some guidelines on how to choose the right SDK and APIs, let’s review some of the most noticeable tools on the market.  

APIs and SDKs for messaging and video conferencing in healthcare apps

Solution 1. Twilio 

Basically, Twilio is a developer platform for communication. Software engineers use its APIs to add capabilities like messaging, audio and video to their apps.

Twilio can offer a video chat SDK

Is Twilio HIPAA compliant? 

Twilio does not claim to be a HIPAA-compliant tool. As of March 2020, you won’t even find a ‘Healthcare’ section in the list of ‘Solutions’ on their official website. However, as noted, you can build ‘a HIPAA compliant workflow’ using Twilio’s offerings.

The list of HIPAA Eligible Products and Services includes “Peer to Peer Rooms”, “TURN Relay” and “Group Rooms” for implementing programmable video. 

If you consider using Twilio, you might also be interested in its overview on how to architect for HIPAA. 

Pricing 

Twilio’s ‘Programmable video’ pricing starts at $0.004/min per participant for Small Group Rooms (up to 4 participants). 

‘Peer-to-peer Room’ pricing is based on the number of minutes your participants are connected to a Room. For now, it’s $0.0015 per participant per minute. 

You can find more information on Twilio pricing for Programmable video here.  

Should I use Twilio? 

If you need a multifunctional solution and are ready to fully share responsibility for security and compliance with Twilio, you can definitely use their suite of SDKs.

As for our experience of working with the tool, you might be interested to know that we appreciated prompt responses from their support team. Let us know if you’d like to learn more about our take on Twilio or any other SDK. 


Solution 2. SendBird

SendBird is a chat and messaging platform with an infrastructure for enterprise, consumer, mobile and web applications. As of 2020, it doesn’t support video and audio calling – you can only use it for messaging. 

SendBird features for chat include push notifications, typing indicators, sending and receiving structured media, auto-thumbnail generation, and more. 

SendBird can offer a messaging SDK

Is SendBird HIPAA compliant? 

Yes, in January 2019 SendBird announced that its chat and messaging platform is HIPAA compliant. They created safeguards required to enable covered entities to protect PHI over in-app chat and messaging. They also claim to have documented the policies for reporting breaches, monitoring, assessing risk, etc., providing HIPAA compliant messaging SDK. 

Pricing 

SendBird has a Free plan. Needless to say, it has limited functionality. The price of the Custom plan is not provided by the vendor; potential customers are advised to contact them to learn more about the cost.

However, there is some public info about the specific features of SendBird’s Free and Custom plans. 

Should I use SendBird? 

If you are looking for a HIPAA compliant messaging API, SendBird might definitely be your choice. In case you are on the hunt for a HIPAA compliant video conferencing API, this tool can’t meet your needs. 

Riseapps’ experience with SendBird has been satisfactory, though we didn’t find this platform as multifunctional as Twilio.

Solution 3. OpenTok 

OpenTok is TokBox’s WebRTC Platform for Video, Voice, and Messaging.  

It assists you in adding live video, voice and messaging to websites, iOS, and Android apps. 

One of its features is that OpenTok can dynamically shape audio and video traffic to maximize the experience of the callers. 

OpenTok can offer a video API

Is OpenTok HIPAA compliant? 

OpenTok can be compatible with the HIPAA standards and it is possible to build a HIPAA compliant application on the OpenTok platform. You might be interested to have a look at the list of best practices securing the tool. 

HIPAA compliance is offered as a separate OpenTok feature. It’s noted that TokBox signs BAAs with companies for an additional fee, the amount of which is not disclosed.

However, OpenTok is not designed to be a repository of any health information accessed by or transmitted through your application.

Pricing 

There are a lot of pricing options for OpenTok, starting at $9.99 a month. You can find them here. A 30-day free trial is also available.

Should I use OpenTok? 

OpenTok platform provides a wide variety of features that can be used to develop innovative use-cases. You can definitely consider it as an option, but be sure your developer architects your application in a secure way.

Now that we have reviewed all 3 tools, let’s put the information about them into a comparative table.

Comparison by video, messaging, pricing and HIPAA compliance claims:

  • Twilio: video – yes; messaging – yes; pricing – $0.0015/min per participant (for programmable video); HIPAA compliance claims – no (however, compatible with the HIPAA standards)
  • SendBird: video – no; messaging – yes; pricing – not provided; HIPAA compliance claims – yes
  • OpenTok platform: video – yes; messaging – yes; pricing – ‘Per Minute’ feature pricing starts at $9.99; HIPAA compliance claims – yes (HIPAA compliance is available as an individual feature)

Our experience in implementing chat API and SDK for messaging and videoconferencing 

Among the multitude of Riseapps cases in building HIPAA compliant healthcare apps, let’s mention Kego.

It’s the on-demand service – an ‘urgent care clinic’ – where patients can consult a doctor via video conference. The mobile and web apps allow patients to book appointments, chat with experts, and store their medical data in digital form. 

Riseapps built Kego apps for iOS, Android and web. 

As we implemented a multitude of solutions for privacy and security, we’ll list just a couple of them here, without going into much detail. 

  1. We used Twilio and its SDK for messaging and video conferencing. (As mentioned, it’s not HIPAA compliant by itself, but it can be used to build a HIPAA compliant app.)
  2. When building the iOS app, we used the Keychain framework, which allows storing PHI data in encrypted form.
  3. For PHI transmission, we used HTTPS, a communication protocol that encrypts data with SSL/TLS.
  4. We implemented automatic logoff when the app is left unattended for a long period of time. This is an effective way to prevent unauthorized users from accessing PHI.
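Measures 2 and 4 above, as an added example written for this article (not Kego’s or Riseapps’ code): a minimal Keychain wrapper that keeps PHI at rest in the strictest accessibility class, and an inactivity timer that wipes the cached session secret and forces a logoff. The service name, the “session” account name and the 10-minute timeout are assumptions.

```swift
import Foundation
import Security

// Added example for this article, not Kego's or Riseapps' code. Illustrates measure 2
// (encrypted PHI at rest in the Keychain) and measure 4 (automatic logoff) above.
// The service name and the 10-minute timeout are assumptions for illustration.
enum PHIKeychain {
    static let service = "com.example.telehealth.phi"   // assumed identifier
    enum KeychainError: Error { case status(OSStatus) }
    private static func baseQuery(account: String) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }
    /// Store (or replace) a PHI value. WhenUnlockedThisDeviceOnly means the item is
    /// readable only while the device is unlocked and never migrates via backup.
    static func store(_ value: Data, account: String) throws {
        SecItemDelete(baseQuery(account: account) as CFDictionary)  // drop any stale copy
        var attrs = baseQuery(account: account)
        attrs[kSecValueData as String] = value
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.status(status) }
    }
    /// Logoff: wipe cached session/PHI material so an unattended device exposes nothing.
    static func wipe(account: String) {
        SecItemDelete(baseQuery(account: account) as CFDictionary)
    }
}

/// Automatic logoff: call `touch()` on every user interaction; after `timeout` seconds
/// without one, the session secret is wiped and `onLogoff` returns to the login screen.
final class InactivityLogoff {
    private var pending: DispatchWorkItem?
    private let timeout: TimeInterval
    private let onLogoff: () -> Void
    init(timeout: TimeInterval = 10 * 60, onLogoff: @escaping () -> Void) {
        self.timeout = timeout
        self.onLogoff = onLogoff
    }
    func touch() {
        pending?.cancel()   // any activity restarts the countdown
        let item = DispatchWorkItem { [weak self] in
            PHIKeychain.wipe(account: "session")
            self?.onLogoff()
        }
        pending = item
        DispatchQueue.main.asyncAfter(deadline: .now() + timeout, execute: item)
    }
}
```

Wire `touch()` to the app’s user-interaction events and to returning from the background so the countdown reflects real inactivity, not just foreground time.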

As a result, we built a safe and solid HIPAA compliant app allowing people to get quick medical help from home. 

Conclusion

In this article, we’ve given a quick overview of what ‘HIPAA compliant’ means and had a brief look at how to choose a HIPAA compliant text messaging API or HIPAA compliant video API.

As mentioned, the claims on HIPAA compliance, price and quality of support might be 3 key factors for you to consider when choosing the best tool. 

Twilio, one of the most convenient solutions, doesn’t claim to be HIPAA compliant; however, you can build a HIPAA compliant app using it. SendBird is HIPAA compliant, but as of spring 2020, it doesn’t support voice and video calls. You can also consider using OpenTok, but be ready to pay an additional fee for using a HIPAA compliant video API.

If you are going to create a HIPAA compliant healthcare app, we are ready to help. Riseapps is a European software company with deep expertise in building mobile and web apps. We’ll do our best to come up with the most sensible solution for you, offering high-quality services at a reasonable price. 

Ping us using the form below to ask any possible questions you have about building your tool.
