HIPAA Compliance for Vimeo Enterprise

Companies that operate in the healthcare industry (e.g. hospitals, laboratories, health insurance providers) and their business associates in the United States are subject to the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). HIPAA and HITECH regulate how companies may process, maintain, and store protected health information (PHI).

HIPAA provides federal protections for PHI held by covered entities and business associates, and gives patients an array of rights with respect to that information. Vimeo’s Business Associate Agreement (BAA) includes contractual terms required for covered entities and business associates to engage Vimeo as a provider in compliance with HIPAA. Vimeo’s BAA is only available to Enterprise Customers. Please reach out to our sales team for more information.

Vimeo has implemented controls and protections designed to protect PHI and meet the requirements of the HIPAA Security Rule. Vimeo’s internal network, infrastructure, applications, and processes and procedures are consistent with the required privacy and security controls specified by HIPAA and HITECH. Vimeo’s controls include, but are not limited to:

  • An information security management policy suite that is reviewed at least annually
  • Risk management programs designed to identify, assess, mitigate, and monitor security risks and ensure that Vimeo's suppliers, contractors, and partners comply with security measures no less stringent than Vimeo employs
  • Annual Security and Privacy trainings, including requirements for handling PHI
  • Application of Principle of Least Privilege
  • Regular User Access Review for critical services
  • Password requirements which include complexity, length, and multi-factor authentication
  • Data encryption in transit and at rest via GCP & AWS with TLS 1.2 protocols and/or AES 256 encryption
  • Formal incident response plan and notification process
  • Documented Business Continuity and Disaster Recovery Plans with data redundancy
  • Internal audit program to monitor ITGCs

As a Vimeo Enterprise customer, you may request copies of our SOC 2, SOC 3, and ISO 27001 Certifications through your sales representative or directly from our Security Documentation portal.

Vimeo has contracted with a third-party auditor to kick-off its HITRUST i1 Validated Assessment to begin the process of becoming HITRUST Certified.

FAQ:

1. What is HIPAA and HITECH?

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law that governs individually identifiable health information. It applies broadly to certain health care entities and their service providers. The Department of Health and Human Services (HHS) promulgates related regulations, including the HIPAA Privacy Rule, which applies to the collection, use, and disclosure of protected health information (PHI), and the HIPAA Security Rule, which provides standards for protecting PHI. HIPAA also includes a Breach Notification Rule, which requires covered entities and business associates to report breaches of unsecured PHI. HITECH is a US law enacted in 2009 that helped expand certain aspects of HIPAA, as it relates to the security and privacy of electronic PHI.

2. What is a business associate agreement (BAA)?

Under HIPAA, SaaS companies such as Vimeo could be considered business associates. A BAA is a legal agreement between a healthcare provider or covered entity and a third-party service provider or business associate. Where a customer’s use of Vimeo may involve PHI, a BAA is required to ensure that Vimeo appropriately safeguards protected health information (PHI).

3. Will Vimeo sign a BAA?

Yes, Vimeo’s BAA can be shared with eligible Enterprise customers for review and signature. To view Vimeo’s BAA please contact a member of the sales team.

4. Has Vimeo obtained a HIPAA Certification?

No, there is no HIPAA compliance certification. Vimeo performs an annual security risk analysis to assess its compliance with the HIPAA regulation. To provide additional validation to customers, Vimeo is undergoing a HITRUST i1 validated assessment.

5. What is HITRUST?

HITRUST or the Health Information Trust Alliance Common Security Framework is a security and privacy certification obtained by Healthcare Organizations and their Business Associates to validate practices around protecting health information.