Telehealth Security, Privacy and Compliance
Power Diary's Telehealth functionality is designed to provide health practitioners with a safe, secure, compliant and simple way to conduct telehealth sessions with their patients, no matter where in the world you practice. Here's some specific information about the security features of our Telehealth functionality:
How does it work?
- Our Telehealth functionality uses WebRTC technology that is built into modern web browsers.
This is a framework that allows browsers to securely send and receive live data to each other. We have designed our Telehealth system so that in nearly all circumstances data does not pass through any third-party servers.
Power Diary creates secure Telehealth 'rooms' for each client, along with a special key to access the room. When you and your client both enter the room, Power Diary 'introduces' your browser and your patient's browser. This introduction enables both browsers to identify and agree on how to best talk to each other. This happens automatically and usually in less than a second. The two browsers then develop a secure, encrypted, and direct connection with each other, which allows for video, audio and other data to be sent back and forth, i.e. your video call begins.
As the call data is being exchanged between you and your patient's browsers, this is not being streamed via our servers, nor any other media streaming services that could decrypt the data. This not only helps ensure optimal call quality but ensures that the content of your video call remains between you and your patient.
Importantly, to further enhance security and privacy we do not use any white-labelled third-party video conferencing systems for our Telehealth service. None of your client information, nor the secret key to access the room is shared with other parties.
Are Telehealth Calls Encrypted?
- Power Diary's Telehealth functionality is a peer-to-peer connection and is encrypted end-to-end.
Both during the 'introduction' phase and during video calls all data exchanged is encrypted. During the call all video, audio and other related data exchanged between the call participants are encrypted using DTLS-SRTP. This provides key security benefits including;
- Integrity (preventing interference in data during transmission)
- Authentication (enabling all parties to authenticate the identity of the other)
- Privacy (ensuring that all call data exchanged between browsers is encrypted end-to-end and therefore can not be intercepted and interpreted by others.)
In rare circumstances, if either party has a corporate firewall in place, the networking configuration can cause problems with setting up the peer-to-peer connection. This is a very small proportion of users. In that case only, the system will use a relay server which will take the encrypted video and audio and route it via something called a TURN server. Importantly a TURN server doesn't understand or have the ability to 'peek' into what it's actually routing. The encryption remains end-to-end, being set up directly between your computer and your patient's computer.
Can Telehealth calls be monitored by any third party, including Power Diary?
- Our Telehealth solution complies with ' No vendor access' privacy requirements.
Because the call data is being encrypted and exchanged directly between the browsers of the call participants, no one, including us can access the call data. Once the call has been established, the call data never passes through our servers or infrastructure.
Does Power Diary store Telehealth call data?
- Absolutely no audio, visual or other content exchanged during your Telehealth call is stored by Power Diary. We do not ever have access to this content.
Is Power Diary's Telehealth functionality HIPAA Compliant?
- Yes, the security features of our Telehealth functionality comply with all relevant HIPAA requirements.
Is Power Diary's Telehealth functionality GDPR Compliant?
- Yes, our Telehealth functionality complies with all GDPR requirements.
Is Power Diary's Telehealth functionality compliant with the Privacy and Security principles of my country?
Yes, Power Diary's Telehealth functionality has been designed and built to comply with the privacy and security requirements of the primary jurisdictions that we operate including
- The United Kingdom and countries within the European Union (and European Economic Area).
- United States of America
- South Africa
- New Zealand
I have another question about telehealth security, privacy and compliance - can you answer it?
- Yes - most definitely! Just jump on Live Chat or email us at firstname.lastname@example.org and ask us anything. If it's a question we think others might have we'll even add it right here.