top of page

HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) lays out privacy and security standards that protect the confidentiality of patient health information. In terms of video conferencing and telepresence, the solution and security architecture must provide end-to-end encryption and meeting access controls so data in transit cannot be intercepted.

The general requirements of HIPAA Security Standards state that covered entities must:

  1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

  2. Protect against any reasonably-anticipated threats or hazards to the security or integrity of such information.

  3. Protect against any reasonably-anticipated uses or disclosures of such information that are not permitted or required under the privacy regulations.

  4. Ensure compliance by its workforce


We sign the HIPAA Business Associate Agreement (BAA) for our healthcare providers (minimum

20 cases per month), meaning we are responsible for keeping your patient information secure and reporting security breaches involving personal healthcare information. We do not have access to identifiable health information and we protect and encrypt all audio, video, and screen sharing data.


The following table demonstrates how Virtual Vendor™ supports HIPAA compliance based on the HIPAA Security Rule published in the Federal Register on February 20, 2003 (45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule).






Only users authorized by ACH \ ASC account administrators can open case sessions in the operating room. The OR host controls case attendance through the use of case IDs, passwords, fingerprint and facial recognition. Each case has only one OR host unless a co-host is purposefully added by the ACH\ASC administrator. The OR host can enable video or lock video access. The OR host has complete control of the case and case attendees, with features such as lock case, expel attendees, mute/unmute all, lock video & screen sharing, and end case communications.

Virtual Vendor™ employs industry-standard end-to-end Advanced Encryption Standard (AES) encryption using 256-bit keys to protect operating rooms. Virtual Vendor™ encryption fully complies with HIPAA Security Standards to ensure the security and privacy of patient data.


Medical professionals, device representatives and authorized healthcare partners can use Virtual Vendor™ to provide technical support to surgeons and the clinical team during surgery to video conference, screen-share surgical tray details including implant equipment, tools and other relevant documentation. Virtual Vendor™ does not distribute the actual patient data. Screen sharing transmits encrypted screen capture along with mouse and keyboard strokes only, not the actual patient data. Virtual First, Inc further protects data confidentiality through a combination of encryption, strong access control, and other protection methods.


Currently, the agencies that certify health technology – the Office of the National Coordinator for Health Information Technology and the National Institute of Standards and Technology – do “not assume the task of certifying software and off-the-shelf products” (p.  8352 of the Security Rule), nor accredit independent agencies to do HIPAA certifications. Additionally, the HITECH Act only provides for testing and certification of Electronic Health Records (EHR) programs and modules. Thus, as Virtual Vendor™ is not an EHR software or module, our type of technology is not certifiable by these unregulated agencies.



The SOC 2 report provides third-party assurance that the design of Virtual Vendor™ and our internal processes and controls, meet the strict audit requirements set forth by the American Institute of Certified Public Accountants (AICPA) standards for security, availability, confidentiality, and privacy. The SOC 2 report is the de facto assurance standard for cloud service providers.


TRUSTe has certified the privacy practices and statements for Virtual Vendor™ and also will act as dispute resolution provider for privacy complaints.   Virtual First is committed to respecting your privacy. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at

privacy shield.png

Virtual Vendor™ participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. Virtual Vendor™ has committed to subjecting all personal data received from European Union (EU) member countries, in reliance on the Privacy Shield Framework, to the Framework’s applicable principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List

bottom of page