Teleo HIPAA Compliance Datasheet
HIPAA Compliance
The Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder, including the HITECH Act and Omnibus Rule (collectively, “HIPAA”) lay out privacy and security standards that protect the confidentiality of protected health information (PHI). For software systems, the solution and security architecture must comply with HIPAA’s applicable standards, implementation specifications and requirements with respect to electronic PHI of a covered entity.
The general requirements of HIPAA Security Standards state that covered entities must:
- Ensure the confidentiality, integrity, and availability of all ePHI Teleo receives, maintains, processes, and/or transmits for its Customers;
- Protect against any reasonably anticipated threats or hazards to the security or integrity of Customer ePHI;
- Protect against any reasonably anticipated uses or disclosures of Customer ePHI that are not permitted or required; and
- Ensure compliance by all workforce members.
How Teleo Enables HIPAA Compliance for Covered Entities
Teleo enables HIPAA compliance for the covered entities (i.e. behavioral health professionals) it serves. In provisioning and operating the Teleo Platform, Teleo complies with the provisions of the HIPAA Security Rule that are required and applicable to it in its role as a business associate. Teleo is responsible for enforcing the administrative, technical and physical safeguards that prevent unauthorized access to or disclosure of PHI in the Teleo environment. The following table shows how Teleo supports HIPAA compliance based on the HIPAA Security Rule published in the Federal Register on February 20, 2003 (45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule).
Access control
HIPAA standard:
- Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to authorized persons or software programs.
- Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
- Emergency Access Procedure: Establish (and implement as needed) procedures for obtaining necessary electronic health information during an emergency.
- Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
- Encryption and Decryption: Implement a mechanism to encrypt and decrypt electronic protected health information.
How Teleo enables compliance with the standard:
- All data transmission is encrypted end to end. Encryption is not terminated at the network endpoint, and is carried through to the application.
- Teleo uses the WebRTC protocol to ensure data encryption for real-time communication.
- Encryption keys and the machines that generate keys are protected from unauthorized access.
- Teleo maintains system logs of all Production Data access. These logs must be available for audit.
- Sessions are not listed publicly by Teleo.
- Therapists (session hosts) can easily terminate meeting sessions; only one client (attendee) can join at a time.
- Session hosts (i.e. therapists) can lock the client's ability to enter content (potentially including PHI) at any time.
- Sessions end automatically with timeouts.
- Session hosts must log in to Teleo using a unique email address and account password.
- Session access is protected by a unique link.
- On all production infrastructure and development systems in the Teleo environment, authentication configurations require passwords with a minimum length of 8 characters, multi-factor authentication is used, and accounts are logged out automatically after a period of inactivity.
- All system and application passwords are hashed, and are never stored in plain text.
- All default system, application, and Partner passwords are changed before deployment.
- All passwords used in configuration scripts are secured and encrypted.
Audit controls
HIPAA standard:
- Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
How Teleo enables compliance with the standard:
- Teleo maintains system logs of all Production Data access. These logs are always available for audit.
- Access to Teleo infrastructure and infrastructure configuration is logged.
- Teleo uses Amazon GuardDuty to continuously monitor AWS production infrastructure and accounts for malicious activity.
- Logs are reviewed monthly by Teleo.
Integrity controls
HIPAA standard:
- Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
- Mechanism to authenticate electronic protected health information.
- Implemented methods to corroborate that information has not been destroyed or altered.
How Teleo enables compliance with the standard:
- Session hosts must log in to Teleo using a unique email address and account password.
- Teleo uses the WebRTC protocol to ensure data encryption for real-time communication.
Person or entity authentication
HIPAA standard:
- Verify that the person or entity seeking access is the one claimed.
How Teleo enables compliance with the standard:
- Each Customer and Partner has and uses a unique user ID and password that identifies him/her as the user of the information system.
- Each workforce member has and uses a unique user ID and password that identifies him/her as the user of the information system.
Transmission security
HIPAA standard:
- Protect electronic health information that is stored on the Teleo platform (currently none).
- Integrity controls: Ensure that protected health information is not improperly modified without detection.
- Encryption: Encrypt protected health information.
How Teleo enables compliance with the standard:
- All data transmission is encrypted end to end. Encryption is not terminated at the network endpoint, and is carried through to the application.
- Teleo uses the WebRTC protocol to ensure data encryption for real-time communication.
- Encryption keys and the machines that generate keys are protected from unauthorized access.
- Teleo maintains system logs of all Production Data access. These logs must be available for audit.
Incident response and breaches
HIPAA standard:
- Implement policies and procedures to address security incidents.
- Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence.
How Teleo enables compliance with the standard:
- Teleo implements an information security incident response process to consistently detect, respond to, and report incidents, minimize loss and destruction, mitigate the weaknesses that were exploited, and restore information system functionality and business continuity as soon as possible.
- The Teleo incident response process follows the process recommended by SANS, an industry leader in security (www.sans.org), including identification, containment, eradication, recovery, and follow-up phases.
- The incident response plan is tested annually.
- In the case of a breach, Teleo shall notify all affected Customers.
Policy and risk management
HIPAA standard:
- Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements.
- Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented.
How Teleo enables compliance with the standard:
- Teleo has a formal process to store, update and modify policies to maintain compliance with HIPAA, NIST, and other relevant standards.
- Changes to Teleo’s compliance policies are tracked for a minimum of 6 years, and Teleo reviews and audits its policies manually.
- Teleo performs periodic technical and non-technical risk assessments of the Security Rule requirements throughout product life cycles, as well as in response to environmental or operational changes affecting the security of ePHI.
Third parties
HIPAA standard:
- Teleo makes every effort to ensure that all 3rd party organizations are compliant and do not compromise the integrity, security, and privacy of Teleo or Teleo Customer data.
- 3rd Parties include Customers, Partners, Subcontractors, and Contracted Developers.
How Teleo enables compliance with the standard:
- Teleo has acquired BAAs with each vendor that could have exposure to ePHI.
Auditing
Teleo audits access and activity of electronic protected health information (ePHI) applications and systems in order to ensure compliance. The Security Rule requires healthcare organizations to implement reasonable hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Audit activities may be limited by application, system, and/or network auditing capabilities and resources. Teleo makes reasonable and good-faith efforts to safeguard information privacy and security through a well-thought-out approach to auditing that is consistent with available resources.
It is Teleo’s policy to safeguard the confidentiality, integrity, and availability of applications, systems, and networks. To ensure that appropriate safeguards are in place and effective, Teleo audits access and activity to detect, report, and guard against:
- Network vulnerabilities and intrusions;
- Breaches in confidentiality and security of patient protected health information;
- Performance problems and flaws in applications;
- Improper alteration or destruction of ePHI;
- Out of date software and/or software known to have vulnerabilities.
Teleo’s Auditing policy applies to all Teleo infrastructure that transmits or processes ePHI. Teleo currently does not store ePHI.
HIPAA Certification
Currently, the agencies that certify health technology, the Office of the National Coordinator for Health Information Technology and the National Institute of Standards and Technology, do “not assume the task of certifying software and off-the-shelf products” (p. 8352 of the HIPAA Security Rule), nor do they accredit independent agencies to perform HIPAA certifications. Additionally, the HITECH Act only provides for testing and certification of Electronic Health Records (EHR) programs and modules. Thus, as Teleo is not an EHR software or module, our type of technology is not certifiable by these unregulated agencies. That said, Teleo has reviewed and affirmed that it implements the controls needed to secure protected health information (PHI) according to the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, Breach Notification Rule, and the applicable parts of the Privacy Rule.