A full explanation of HIPAA requirements is beyond the scope of this FAQ. We recommend becoming familiar with HIPAA requirements and technical best practices, as they apply to you based on your legal assessment.
In general it is relatively simple to comply with HIPAA requirements when using Pusher products.
Pusher does not currently sign Business Associate Agreements (BAAs) with customers. Instead, we recommend that you avoid transmitting Protected Health Information (PHI) via Pusher products. When you use Pusher in this way, Pusher is not a business associate, because its activities do not “involve the use or disclosure of protected health information”.
A typical practice to achieve this is to transmit only opaque identifiers in place of the PHI, which recipients then use to fetch the PHI from your own system. For example, suppose you are building a postal prescription service, which needs to display a realtime list of pending orders in each pharmacy. You can implement this using Pusher Channels. Since these orders contain PHI, you should not transmit their details via Pusher Channels. Instead, give each order an opaque ID, and transmit only this ID to the client. When the client receives a new order ID, it should use it to fetch the order details from your server, which authorizes that request with your existing auth mechanisms exactly as it would any other API call. The ID should be random rather than derived from the PHI (a hash of the patient's name, for instance, is not opaque), so that the event payload reveals nothing about the order on its own.
While the example above is for Pusher Channels, the same practice applies to Pusher’s other products including Beams and Chatkit.
If you have further questions, we're happy to help! Please contact firstname.lastname@example.org