This guide is intended for Vimeo Enterprise customers who have entered (or intend to enter) into a Business Associate Agreement (BAA) with us.
Use of Vimeo Enterprise
We provide you with self-controlled configurations to support you with your HIPAA compliance. This means that it’s your responsibility to ensure you’re using Vimeo Enterprise in a HIPAA-compliant way. We don’t monitor the data that you input, so you need to have the required procedures in place to ensure all users adhere to end-to-end compliance.
If you choose to enable any third-party integrations with Vimeo Enterprise, you must ensure they operate in a HIPAA-compliant way. This means, at a minimum, you must have a signed Business Associate Agreement (BAA) with the third-party service provider.
The BAA that you sign with us only covers the Vimeo Enterprise account identified on your order form with an associated BAA SKU. Any other products or features aren't automatically covered by the BAA unless otherwise indicated in our documentation. This includes our artificial intelligence tools and any products or product features that are part of an early access offering.
Configuration requirements
To configure your Vimeo Enterprise account to meet HIPAA requirements, you must:
- Enter into a BAA with us. Contact your account manager for assistance.
- Ensure that you don't upload or submit any content to your account that, by itself, contains PHI, including any video files, filenames, descriptions, custom links, folder names, user profile data, etc.
- Set all videos shared with patients to the Hide from Vimeo privacy setting and share them with patients for viewing through an embedded Vimeo player (such as on your own or a third party's website) using the DNT parameter.
- Disable comments for all videos and any third-party integrations.
- Require single sign-on (SSO) and two-factor authentication (2FA) to manage access and authorization to your Vimeo account.
- Grant users access to only the information and resources that are necessary to perform their job function. See Folder Role Permissions, Enterprise Team Library, and SSO Group permissions for Enterprise teams.
- Regularly review user activity and audit logs.
- Customize video retention policies according to your needs and obligations using our Enterprise Data Retention Tool.
- Ensure that you don’t submit any PHI when initiating or responding to a support request through our “Contact Us” links, by emailing Vimeo support, or communicating through our live chat feature.
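As an added example for the DNT requirement above (not Vimeo's own code): a small JavaScript helper that builds a player embed URL carrying the player's dnt=1 query parameter and checks an existing embed URL or iframe snippet for it. The video id and the sample snippet are constructed placeholders.

```javascript
// Added example, not part of Vimeo's documentation. Builds and checks
// player.vimeo.com embed URLs so that patient-facing embeds carry dnt=1.
const PLAYER_HOST = "player.vimeo.com";

// Constructed sample iframe snippet with a placeholder video id.
const SAMPLE_SNIPPET =
  '<iframe src="https://player.vimeo.com/video/123456789?dnt=1" ' +
  'width="640" height="360" allowfullscreen></iframe>';

// Build a player URL for a numeric video id with dnt=1 set and nothing else.
function buildEmbedUrl(videoId) {
  if (!/^\d+$/.test(String(videoId))) {
    throw new Error("videoId must be numeric");
  }
  const url = new URL(`https://${PLAYER_HOST}/video/${videoId}`);
  url.searchParams.set("dnt", "1");
  return url.toString();
}

// Check an embed URL: HTTPS, the player host, and dnt=1 present.
// Returns a list of problems; an empty list means the URL passes.
function checkEmbedUrl(embedUrl) {
  const problems = [];
  let url;
  try {
    url = new URL(embedUrl);
  } catch (e) {
    return ["not a valid URL"];
  }
  if (url.protocol !== "https:") problems.push("must use https");
  if (url.hostname !== PLAYER_HOST) problems.push(`host must be ${PLAYER_HOST}`);
  if (url.searchParams.get("dnt") !== "1") problems.push("dnt=1 parameter missing");
  return problems;
}

// Pull the src out of an <iframe> snippet and check it.
function checkEmbedSnippet(html) {
  const m = /<iframe\b[^>]*\bsrc=["']([^"']+)["']/i.exec(html);
  return m ? checkEmbedUrl(m[1]) : ["no iframe src found"];
}

console.log(checkEmbedSnippet(SAMPLE_SNIPPET)); // []
```

The Hide from Vimeo privacy setting is applied in the account, not in the URL, so this check covers only the embed side of the requirement.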
It’s important to remember that HIPAA compliance is a shared responsibility between Vimeo and you. Completing these steps won't automatically guarantee your compliance with HIPAA; you must also ensure that you follow HIPAA best practices.
Limitations
- You may not use Vimeo to receive communications from patients, plan members, or their families or employers. Please contact our sales team if more information is required.
- You may not submit recordings or summaries of patient communications, even if set to private. Please contact our sales team if more information is required.
- You are responsible for implementing backup and recovery procedures for emergency access and archiving of PHI. Vimeo cannot serve as your system of record for PHI.
Disclaimer
Due to changes in law or regulation, or changes in Vimeo’s products or services, we may update or revise this guide from time to time. We will provide you with notice of material changes and an updated copy through your account owner or administrator.
This document contains Vimeo’s requirements for certain minimum effective product configurations for its customers' protection of PHI within Vimeo Enterprise at this time. This document does not constitute an exhaustive template for all controls over such data nor does it constitute legal advice. Each Vimeo Enterprise customer should seek its own legal counsel with regard to HIPAA compliance obligations applicable to their specific situations and should make any additional changes to its security configurations in accordance with its own independent review and risk analysis, so long as such changes don't conflict with or undermine the security of the configurations outlined in this document.