Is WebEx HIPAA Compliant?

Webex by Cisco can be used in a HIPAA-compliant manner when a Business Associate Agreement is in place and the platform is configured and used under organizational policies that control disclosures of Protected Health Information during provider-to-provider conferencing and telehealth encounters.

HIPAA permits use of video conferencing tools for communications that involve Protected Health Information when the tool supports safeguards and the HIPAA Covered Entity or Business Associate applies appropriate administrative, technical, and physical controls. Webex is a collaboration platform for meetings, training, and remote coordination, and it can support telehealth interactions when configured for regulated use.

Cisco has implemented security controls intended to prevent interception of communications between the Webex application and the Webex cloud. Information sent from a Webex application to the Webex cloud transits an encrypted channel that supports TLS 1.0, TLS 1.1, and TLS 1.2 and uses high-strength ciphers such as AES-256. Media packets are encrypted using AES-128. Webex also offers end-to-end encryption, and when end-to-end encryption is enabled, Cisco does not decrypt media streams.

Webex can record media streams for later reference and to support audit needs. Data at rest is protected with encryption, and audio, video, and data streams are stored separately. These capabilities support audit controls and retention controls when aligned with internal policies that define recording, access, retention periods, and disposal.

Configuration and account governance determine whether the deployment supports HIPAA compliance. Administrators can apply rate limiting to login attempts, enforce password policies, enable two-factor authentication, and apply strict access controls that limit platform access to authorized users. Accounts can be automatically deactivated after a defined period of inactivity to reduce exposure from dormant accounts.

Cisco provides documentation on Webex functionality, technology, and security to support risk analysis and vendor due diligence. A Business Associate Agreement with Cisco covering use of Webex for Healthcare is required before using the platform for activities that involve Protected Health Information. Covered Entities and Business Associates remain responsible for workforce training, role-based access decisions, and procedures that reduce incidental disclosures during calls and when handling recordings.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches.