HIPAA Compliant Video Streaming / Conferencing on WordPress

HIPAA is the United States federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs in the United States.

The HIPAA Privacy Rule is composed of US national regulations for the use and disclosure of Protected Health Information (PHI) in healthcare treatment, payment and operations by covered entities.

When Is A Software Vendor Considered a Business Associate Under HIPAA?

If a vendor or subcontractor transmits, maintains, or has routine access to protected health information (PHI) when providing its services to a covered entity, then it is considered a business associate. For example, a vendor that hosts the software containing patient information on its own server, or accesses patient information when troubleshooting the software, is considered a business associate and must have a business associate agreement with the covered entity as specified under the HIPAA Privacy Rule 45 C.F.R. § 164.504(e).

The only exception under HITECH section 13408 is in the case of a data transmission organization that acts as a conduit, in that it only transports information but does not access it, such as the US Postal Service or its electronic equivalents: Internet Service Providers (ISPs), a telecommunication company, etc. While these may have access to PHI, they only access PHI on a random or infrequent basis as necessary for the performance of the transportation service or as required by law: “[D]ata transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates” (Persson. 22)

Using VideoWhisper Software for HIPAA Projects

With VideoWhisper software, data sent by clients goes to the hosting server, not to the software provider. Security compliance requirements therefore apply to the site and hosting setup where customer data is stored.
So you can get the videochat software and deploy it on your HIPAA compliant host that meets the software requirements and safeguards client data.

The exception under HITECH section 13408 may also apply to a remote streaming provider acting as a telecommunication company that only transports the streaming data and does not access it.
If such usage fits your project requirements, you could also take a look at the HostRTMP.com service, which provides remote RTMP hosting for the live streams. In such a setup, customer data would be on the HIPAA compliant web host and only the live streaming would be done through the external service.

Here are some considerations/ideas for building a HIPAA compliant video streaming / conferencing service:

Secure Streaming Data for Videoconferencing Applications

  • Video streaming occurs between client applications and the streaming server (host), and access to applications can be restricted based on authentication.
  • Additionally, transfers can be protected and data encrypted using RTMPE/RTMPS on a dedicated Wowza server.
  • User streams to the server can be archived as video files on the RTMP server. Access to video archives and text chat logs needs to be restricted. If the folders containing these are publicly accessible, a restriction can be applied with a .htaccess file (which can be generated with the CPanel folder protect feature).

These points also apply to VideoWhisper video streaming and conferencing applications.

HIPAA Hosting

  • You need to host your WordPress site with a hosting provider that provides HIPAA compliance and who will sign your HIPAA Business Associate Agreement. This means that HIPAA WordPress hosting with regular providers like GoDaddy is not possible right away.
  • Using a dedicated server managed by your own administrators or a HIPAA provider is best.
  • If server or site software is set up by a 3rd party provider, passwords need to be changed and your own staff needs to review changes before using the site for sensitive data.

Setup VideoWhisper and 3rd party HIPAA Hosting

  • A regular license for VideoWhisper will remove all limitations and intrusive ads from the flash application when run from licensed domain. Also includes one installation on compatible hosting (see requirements).
  • VideoWhisper administrators can take care of server setup.
    A complete service with complete original setup and 6 months administration/assistance and also installation services separately are available.
    After original setup, password can be changed or access can be restricted in other ways (by keys, IP) to protect server during usage with real user data.

Server and Hosting Software Required

  • A HIPAA dedicated server or VPS with CentOS 7 and root SSH access will be needed to configure requirements.
    HIPAA servers can be ordered from: AWS, RackSpace, LiquidWeb.
  • As described in requirements, for HTML5/mobile support Wowza Streaming Engine is required.
    Projects can start with a free Wowza SE trial license key during development.
  • For the web hosting part VideoWhisper recommends WHM/CPanel usually available from hosting provider (but can also be ordered separately https://cpanel.net/pricing/).
  • Optional: WordPress can be easily set up and backed up automatically with Softaculous.


  • Get an SSL certificate and dedicated IP address for your web site so that traffic to/from it can be encrypted in transit.
  • Ensure that your WordPress site cannot be accessed without SSL (.htaccess redirect).

Restrict Access to Electronic Protected Health Information (ePHI)

Electronic protected health information (ePHI) refers to any protected health information (PHI) that is covered under Health Insurance Portability and Accountability Act of 1996 (HIPAA) security regulations and is produced, saved, transferred or received in an electronic form.

Protection depends on site setup, staff and operation procedures.

  • Ensure that ePHI is never publicly available; users must log in to access that content.
  • Ensure that users with access to ePHI are properly granted / revoked access by your HIPAA administrators.
    Ex: It should not be possible for someone to sign-up and get access without explicit review / approval.
  • Ensure that users have access to only the ePHI they need and should have access.
  • Ensure that all WordPress logins are monitored and are logged. (ex. User Login Log plugin)

Secure WordPress

  • Ensure that all WordPress logins are monitored and are logged.
  • Keep your WordPress and all plugins up-to-date.
  • Use plugins like “Duo Security” to add 2-factor authentication to your site.
  • Ensure that user logins to WordPress will automatically log users off due to inactivity.
  • Log access to ePHI, if possible. An easy way is to make sure web and rtmp access logs are enabled.
  • Review your procedures and users periodically.
  • Ensure that WordPress does not cache copies of ePHI pages insecurely on disk, especially if you are in a shared environment. WordPress content is normally stored in a database, but if it is cached insecurely on disk that will weaken security and in a shared environment could provide access to unauthorised persons. That’s an extra reason why you should have your own dedicated server.
  • Ensure that there are good backups of your site and its content. Most hosting providers offer automated site backups. These should also be downloaded periodically and stored on a different secure machine.

Extra Security

If you are restricting access to a specific set of users, consider locking down access to the site by IP address.

VideoWhisper RTMP Web Session Check

For sites and integrations where additional security measures are required, VideoWhisper web applications support a login session check on the Wowza RTMP side.

This is used to make sure that no clients can connect to the rtmp server without having previously logged in on the website (with the _login.php scripts for the php editions).
When a new client tries to connect to the RTMP server with a session name, the rtmp application checks with the web server whether that client session exists. If the web server does not confirm that the client is logged in, the rtmp server rejects the connection. The RTMP server also checks for a webKey that must be configured identically on the rtmp and web server: this prevents connections if the web domain is hijacked (only the web server and the rtmp server know the key; the client app does not).


  • This disables connections from external encoders (i.e. FMLE) and players (i.e. JW Player) to that rtmp address, because these will not provide a session name to check for validity. These apps can be supported with a more advanced solution that allows inserting a key in the rtmp address and also continuous rtmp session control from the web (rtmp reports online sessions to web scripts and these can terminate any rtmp session): RTMP Session Control
  • Usually, each installation requires its own rtmp side that checks the session info with that installation. Otherwise you need to adjust the scripts to check all installations.
  • This Wowza SE feature is optional and can be disabled by leaving these properties blank.


The rtmp side web session check is currently supported for the Wowza rtmp side. Download the latest version of the Wowza rtmp side, deploy it to your server and update these settings in conf/videowhisper-web/Application.xml :


Then restart the WowzaMediaServer service. For troubleshooting, check the Wowza access logs. If errors show up in the error logs, submit a ticket to VideoWhisper about this.


Download the latest Video Conference php edition and check these integration files:
rtmp.inc.php – stores session info when the user authenticates from vc_login.php ; contains $webKey if you want to change it
rtmp_login.php – called by the rtmp server to see whether a session name is valid (authenticated); also gets the canKick permission to allow users to kick clients
rtmp_logout.php – called by the rtmp server when the client with a session name is disconnected (to clean up the session)

Configure settings.php to use the rtmp address videowhisper-web.

To integrate this on other editions or installations, you need to copy the 3 files mentioned above to the installation folder and include rtmp.inc.php in the _login.php script that authorizes the user.
Other changes may be required depending on the particularities of each integration.
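
The login session check and the roles of the three integration files described above, modelled in Python as an added example; this is not VideoWhisper or Wowza code. The class names, the reply fields, SESSION_TTL and the idea that the webKey travels in the web server's reply are assumptions made for illustration.

```python
import hmac
import secrets
import time

SESSION_TTL = 300  # assumed: seconds a site login stays valid for an rtmp connect


class WebServer:
    """Web side: the roles of rtmp.inc.php, rtmp_login.php and rtmp_logout.php."""

    def __init__(self, web_key):
        self.web_key = web_key   # known only to the web server and the rtmp server
        self.sessions = {}       # session name -> (expires_at, can_kick)

    def site_login(self, can_kick=False, now=None):
        """After the site authenticates the user: store and return a session name."""
        now = time.time() if now is None else now
        name = secrets.token_urlsafe(16)   # unguessable, handed to the client app
        self.sessions[name] = (now + SESSION_TTL, can_kick)
        return name

    def rtmp_login(self, name, now=None):
        """Called by the rtmp server: is this session name logged in?"""
        now = time.time() if now is None else now
        expires_at, can_kick = self.sessions.get(name, (0, False))
        ok = expires_at > now
        return {"loggedIn": ok, "canKick": ok and can_kick, "webKey": self.web_key}

    def rtmp_logout(self, name):
        """Called by the rtmp server on disconnect: clean up the session."""
        self.sessions.pop(name, None)


class RtmpServer:
    """rtmp side: accept a client only if the genuine web server vouches for it."""

    def __init__(self, web, web_key):
        self.web, self.web_key = web, web_key

    def on_connect(self, session_name, now=None):
        if not session_name:     # external encoders/players send no session name
            return False
        reply = self.web.rtmp_login(session_name, now)
        # Constant-time compare; a web host that lacks the key is not trusted.
        sent_key = str(reply.get("webKey", "")).encode()
        key_ok = hmac.compare_digest(sent_key, self.web_key.encode())
        return key_ok and reply.get("loggedIn") is True

    def on_disconnect(self, session_name):
        self.web.rtmp_logout(session_name)
```

Because the key is carried in the callback reply in this model, the callback between the rtmp server and the web server should itself run over an encrypted channel.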

Example demo configuration

Installation URL: http://www.videowhisper.com/demos/vc_web
rtmp address used: RTMP://videowhisper.com/videowhisper-web


RTMP Session Control (including after login and for 3rd party encoders / apps)

In addition to the session login check, the VideoWhisper rtmp side for Wowza can also provide RTMP Session Control (special licensing required for 3rd party servers).

This can be used to monitor 3rd party clients, other than VideoWhisper applications, such as Wirecast, Flash Media Live Encoder (FMLE), Open Broadcaster Software (OBS), and the iOS/Android GoCoder app for rtmp live broadcasting.

For example, if a broadcaster connects directly with an external encoder application, the website scripts can be notified of this to show their channel as LIVE.
Web scripts can also communicate back to the rtmp server to disconnect a client when needed.