HIPAA compliance requires a shared responsibility model. While Vimeo helps enforce HIPAA requirements for covered customers, our customers are required to use our services and configure them in compliance with HIPAA requirements. See HIPAA configuration requirements for Vimeo Enterprise.
Vimeo Enterprise provides multiple capabilities that our customers should take advantage of when using our service under HIPAA:
- Authentication: Vimeo supports single sign-on (SSO) and two-factor authentication (2FA) to manage access and authorization for Vimeo users. Please see Vimeo’s guides to configuring access and security, such as Vimeo’s SSO guide and Two Factor Authentication.
- In-depth User Management: Vimeo allows you to set default libraries that a new user automatically joins. For more information, please see our articles on Folder Role Permissions, Enterprise Team Library, and SSO Group permissions for Enterprise teams.
- Video Privacy Settings: Vimeo offers various privacy settings that you can configure based on the content of each video. For an in-depth understanding of Vimeo’s video privacy settings, please see the Video Privacy Explained blog post and the article with step-by-step instructions on how to change the settings.
- Data Encryption: All Vimeo application endpoints are encrypted and authenticated prior to the exchange or derivation of session keys. Public keys must be authenticated prior to use. All externally facing servers and applications must use a minimum of TLS 1.2 where possible.
- Data in Transit: All video and other data transmitted to Vimeo from users is encrypted in transit using strong encryption protocols. Vimeo supports secure channels to encrypt all traffic in transit equivalent to TLS 1.2 protocols and/or AES 256 encryption.
- Data at Rest: All data except video data within Vimeo’s production database is encrypted at rest. Video data is encrypted where technologically feasible. All encryption keys are stored in a secure server with very limited access. Vimeo has implemented safeguards to protect all Vimeo user data from creation to deletion.
- Data Retention: Vimeo’s Enterprise Data Retention Tool allows customers to customize video retention policies according to their needs and HIPAA obligations. Unless earlier deleted by a member of your account, Vimeo will maintain your video data for ninety (90) days after your Vimeo account is deleted. You are responsible for downloading a copy of any data you wish to retain prior to expiration or termination of your Enterprise agreement. For help obtaining copies, please contact support. If you downgrade your Enterprise account to a free or self-serve account, you must immediately remove all content that could subject Vimeo to compliance with HIPAA.
- Data Availability: Vimeo has established controls to respond quickly and efficiently in the event of an incident that results in a compromise of Vimeo services. These controls are codified in Vimeo Security policies and procedures, which provide system-specific response teams and procedures for each type of incident, including protocols for assessing incident severity, remediating incidents, and, where necessary, notifying affected customers. Vimeo uses cloud infrastructure, which in turn uses distributed physical data centers that can be leveraged in the event of a natural disaster or other significant event to mitigate loss of service. Distributed locations allow for server failover in the event of location-specific disasters. Tests of failover procedures and walkthroughs of Vimeo’s established system-specific disaster recovery plans take place annually.