HIPAA Compliant Mobile Chat/Video Calling and Messaging Infrastructure

Posted on by Nate Macleitch

Most of QuickBlox clients coming from the Healthcare sector require HIPPA compliance.

How can a cloud-based messaging infrastructure be HIPPA compliant?

HIPAA logo


Key factors:

1. HIPAA compliant web hosting

In order to store your patients’ and customers’ information securely, first of all, you need to choose an appropriate hosting provider.

Note that when you choose a well-known hosting provider such as AWS or Rackspace you still need to make sure you choose the package that corresponds specifically to HIPAA requirements.

On AWS for example, you need to choose AWS dedicated instanced vs standard AWS instances. Dedicated instances may be 1.5x times more expensive.

Read more about HIPAA compliant AWS packages and conditions here:



There are also alternative hosting options that specialize in HIPAA compliant infrastructure hosting – some of them work on top of Amazon Web Services but can still provide better pricing compared to AWS dedicated. One of the  providers we worked with is Atlas Health and usually our clients choose between AWS dedicated, on-premises and specialized HIPAA hosters such as Atlas.

2. Your own hosting account + limited access for external staff

Most of QuickBlox enterprise clients choose to host the infrastructure within their own AWS account. While still fully covered by QuickBlox SLA (support agreement) and monitored by our SiteOps team, it gives our clients peace of mind they remain in control of their infrastructure including all users data. All users data stays at your servers and doesn’t go to any 3rd parties. Sometimes our clients choose to host on premises or in our cloud. The main thing here is it is paramount that you have your own application/chat/database server instances and your applications don’t share data with any other customers. To summarise, make sure your communication infrastructure is not in a shared cloud but you have your own dedicated servers and instances where your users’ data is stored.

3. Proper legal coverage

What you should look into doing is sign a Business Associate Agreement (BAA) with your hosting provider as well as NAA (Network Access Agreement) with your software/infrastructure provider (QuickBlox) specifying the names of technical support staff who have access to your instances.

This provides you with required legal protection and accountability from all sides in order to maintain HIPAA compliance at hosting, software, data and sysops level.

4. Encryption (server-side, client-side, transport)

QuickBlox infrastructure and client-side SDK libraries ensure to use latest industry encryption standards as well as secure HTTPS / TLS connection for client-server transport. Enterprise clients have the option of enabling additional SSE (server-side encryption) as well as extra layers of protection on the client such as integration with MDM whitelisting for sensitive data self-destruct in case device is stolen or build copied to an unauthorised device, storing chat history cache in encrypted SQLite database etc. Contact us to find out more about encryption and security options available.

5. Minimise sensitive data exposure

Last but not least – remember  you don’t actually have to pass sensitive data around every time. Some of our clients assume as we have QuickBlox Users API they have to duplicate all users profiles into QB Users entities. That is not the case – QB Users is only needed to identify users as device owners when you create chat sessions as well as for audio/video calling and push notifications. This doesn’t require however to store any personal information about users such as their names or phone numbers. You can keep it to random IDs and user external_ID property of QB Users API to link with your internal user’s database. Moreover, QB Users API allows operating user entities using external_ID. So you don’t have to store sensitive user profiles information within QB and you can use your own ID numbering to manipulate QB users when you interact with chat SDK.

Chat  history is another question. You have choices here too, from choosing not to store any server-side history at all, to applying server-side encryption or exporting via Apache Kafka to your secure storage and removing it from your QuickBlox infrastructure. Default option however server-side chat history is enabled as it enables a better experience for end users allowing seamless history sync between multiple devices. You and your technical staff have direct access to chat history storage via dashboard and database enabling you to wipe that data whenever required. All history is stored separately from user account’s; and if you need to do automatic or manual moderation or search queries, for example in compliance with a government body or police inquiry, you can ensure users privacy isn’t compromised unnecessarily.

To summarise, QuickBlox software and infrastructure is fully HIPAA compliant provided the required hosting, legal and configuration conditions are met as described above. We have extensive experience in setting up HIPAA compliant communication infrastructures enabling doctor-patient, doctor-doctor and patient-patient communication with users data stored in a secure and compliant way.

Get in touch to discuss your project requirement and benefit from our existing experience in this area – e-mail or call using numbers from our Contact page.