Frequently Asked Questions

Yes, all media traffic is encrypted no matter the endpoint you use (web or mobile) or the session setup you choose (P2P or multiparty). That means that you are safe when using NousTalk solution even if use is in an open public hotspot.

You need to generate a session ID to initiate a call. The tokens that enable the participants to join are unique to a session ID. The tokens have an expiry but it may be longer than the duration of your call. Therefore, if you have consecutive meetings using the same session ID, earlier users may still be able to connect to the new meeting.

To avoid this:

• Generate a unique session ID for each new meeting
• Generate a unique token for each participant of that meeting.
• Use the Calendar function to book a unique session ID with each participant

No, everything happens under the hood without any interaction with the user.

It does, but it is very low. It increases the length of each audio and video packet by 8 bytes, but that is less than 1% of the typical bitrate of a NousTalk session. Regarding the delay, the SRTP encryption framework was designed specifically for real-time applications, and the impact is not noticeable at all.

Yes, but the cost of encoding and decoding audio and video is significantly higher than the cost of encrypting and decrypting.

By default NousTalk compatible endpoints use the AES cipher with 128-bit keys to encrypt audio and video.

For enhanced security, NousTalk also supports the AES-256 level of encryption on media streams. When a client is connecting to an another client, the cipher to use will be negotiated. If the client supports AES-256 then this will be the cipher negotiated for the media traffic. If the client does not support it, then AES-128 will be used.

The endpoints generate random keys at the beginning of the session and in addition they change periodically during the conversation to make it even safer.

Yes, NousTalk  is happy to provide expert guidance and white-glove assistance for your practice implementation and integration needs.  Our expert technical support staff will assist you before, during and after your NousTalk implementation.

Contact us to schedule a consultation and let us help you assess your needs and recommend the optimal services to suit you.

Yes – NousTalk will assist you with integrating your website with your online scheduling/calendar, add website content and buttons to promote your online practice services.

NousTalk also offers e-mail marketing services to promote and inform your existing clients of your new online services as well as client brochures, flyers, postcards, social media images, call to action buttons and more. Contact us to learn more.

No. NousTalk was designed to make it easy for you and your clients to meet online. No software downloads are required for you or your clients.

Canada’s federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA), is comparable in many ways to the Health Insurance Portability and Accountability Act (HIPAA) in the United States. However, there are several differences to keep in mind.

NousTalk’s servers and data center are located in Canada (Montreal).

HIPAA is a US federal law that governs the privacy and security of personal health information (PHI) for only certain entities in the health industry – mainly healthcare providers, health insurers, and health exchange organizations. On top of that, health information is also governed by any additional state laws.

In Canada, PIPEDA applies to all personal data, health or otherwise regardless of the entity. However, it is wise to note that the specifics of PIPEDA may not apply to every province. Each individual province has the right to have its own rules and regulations as long as they are “substantially similar” to PIPEDA. You can check out our list below which provinces choose to use PIPEDA and which have their own governances.

All Canadian provinces, with the exception of British Columbia and Nova Scotia, allow health data to reside in the United States. So providers who don’t practice in either British Columbia or Nova Scotia don’t need to worry about the locations of their servers. British Columbia* and Nova Scotia do not allow their residents’ health data to be stored in the USA, even when the data is encrypted.

In the US, HIPAA applies to only certain “covered entities” that handle PHI, mainly healthcare providers, health insurers, and health exchange organizations. Data uploaded by citizens to private devices for personal use is a grey area. For example, if you use a FitBit and upload that data to the FitBit mobile health app, that data isn’t protected by HIPAA. Data protection in that case is very likely to be governed by the terms of agreement with FitBit.

HIPAA covers any personally identifiable information that is created or received by a “health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse” and relates to past, present, and future health conditions, treatments, or payments. Demographics would be a subset of identifiable health information.

In Canada, any data, including users, statistics, and volume, must be available to the covered entities in Canada. This data is important in accountability procedures in cases of privacy violations. In addition, sensitive or Personally Identifiable Information (PII) such as age, name, ID numbers, income, ethnic origin, or blood type, medical records, opinions, evaluations, comments, social status, payment information, etc.

Alberta has its Personal Information Protection Act, which is not significantly different than PIPEDA. Alberta is unique in that, instead of individual covered entities, the province’s entire health system is considered the Health Information Custodian.

British Columbia’s provincial law is called the Personal Information Protection Act. BC is one of only two provinces that do not allow PHI to be saved in the USA, even when encrypted.

Manitoba does not have its own provincial law, so only PIPEDA applies here.

New Brunswick’s law is the Personal Health Information Privacy and Access Act.

Newfoundland and Labrador are covered under the Personal Health Information Act.

Nova Scotia’s provincial law is the Personal Information International Disclosure Act . Like British Columbia, Nova Scotia forbids storing patient data in the USA, even if encrypted.

Ontario’s law is called the Personal Health Information Protection Act. It provides for several different classifications of service providers, so it’s important to know into which category a particular vendor might fit.

Prince Edward Island does not have its own provincial law, so only PHIPA applies here.

Quebec has passed An Act Respecting the Protection of Personal Information in the Private Sector, in addition to a couple of other laws that make Quebec unique and significantly different from other provinces.

Saskatchewan does not have its own provincial law, so only PHIPA applies here.

The Northwest Territories, Nunavut, and Yukon are territories, not provinces, so only PHIPA applies in these areas.

* British Columbia has several laws that govern privacy. The one that requires personal data to be stored in Canada is the Freedom of Information and Protection of Privacy Act (which applies to public bodies). Under section 30.1(a) there appears to be allowance for storing personal information outside of Canada as long as the individual has consented. NousTalk is PIPA compliant.

HIPAA is a federal law that protects the privacy of your personal health information. At the same time it allows health care providers and certain related operations enough access to the information they need to do their jobs effectively. HIPAA includes several rules and provisions that set guidelines and requirements for the administration and enforcement of HIPAA. The relevant ones for the implementation of health information technology and the exchange of protected health information in an electronic environment are the Privacy Rule and the Security Rule , as well as the HITECH Act which further enforced the two in 2009.

*State laws may have more stringent requirements than federal laws, however, in cases of conflict, federal law supersedes state law.

1. The Privacy Rule, applies to protected health information (PHI) in any form whether paper, oral, electronic, etc. While it requires covered entities to put in place “administrative, physical, and technical safeguards” for protecting PHI, it differs from the Security Rule in that it discusses the cases in which PHI can be used, when authorization is required and what are patients’ rights with respect to their health information. (Page 8335 of the final Security Rule)Summary of Privacy Rule
2. The Security Rule applies only to protected health information in electronic form (E-PHI) and builds on the Privacy Rule requirements of “administrative, physical, and technical safeguards.” Unlike the Privacy Rule which is more concerned about patients’ rights and how health information is used and released, the Security Rule sets standards on the processes and technical security measures that should be taken to keep PHI private. It discusses acceptable ways to “implement basic safeguards to protect E-PHI from unauthorized access, alteration, deletion, and transmission.” (Page 8335 of the final Security Rule)* Under the Security Rule, paper to-paper faxes, person-to-person telephone calls, video teleconferencing, or messages left on voice-mail do not count as E-PHI because they did not exist in electronic form before the transmission. Thus those activities are not covered by [the Security Rule]” (Page 8342 of the final Security Rule). In contrast, the Privacy Rule applies to all forms of PHI.In particular, it calls for attention to
   • risk analysis and management
   • administrative, technical, and physical safeguards
   • organizational requirements
   • policies, procedures, and documentation requirements

   The Security Rule 101 Overview

   Security Rule Guidance Material

   The HITECH Act essentially added teeth to the HIPAA Privacy and Security Rules by specifying levels of violations and penalties for violations. It also requires periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification.

   HITECH modifications to privacy and security

Not all operations that handle health-related information must follow HIPAA law (such as many schools, state agencies, law enforcement agencies, or municipal offices). Under HIPAA the 2 groups that must follow HIPAA rules are

• covered entities – health care providers, health plans, and health clearinghouses
• business associates – a person or group providing certain functions or services for a covered entity which require access to identifiable health information, such as a CPA firm, an attorney, or an independent medical transcriptionist; More business associate FAQs here

Videoconferencing may involve the electronic exchange of health information which is protected under HIPAA law. Security considerations with videoconferencing may involve making sure unauthorized third parties cannot record or “listen in” on a videoconferencing session, making sure recorded videoconferencing sessions are stored and identified in a secure and proper manner, or having a procedure for initiating and receiving video calls. Other video collaboration features affecting security may include text chat, screen-sharing, and file-transfer.

Videoconferencing would only be one small piece to consider when establishing and maintaining HIPAA-compliant IT security standards as described by the Privacy Rule and the Security Rule.

NousTalk has several characteristics that make it easy to protect the confidentiality of protected health information:

1)Peer-to-Peer sessions

NousTalk uses a managed peer-to-peer architecture, where video (and other media) are streamed directly from endpoint to endpoint. Information is never stored on any NousTalk servers or intercepted by NousTalk in any way. The NousTalk management server is only used for address lookup, connection brokering, and system/user administration. This prevents information leakage between point A and point B.

2)Encryption

Encryption adds another layer of security to NousTalk. All NousTalk traffic is encrypted; By default NousTalk compatible endpoints use the AES cipher with 128-bit keys to encrypt audio and video.

For enhanced security, NousTalk also supports the AES-256 level of encryption on media streams. When a client is connecting to an another client, the cipher to use will be negotiated. If the client supports AES-256 then this will be the cipher negotiated for the media traffic. If the client does not support it, then AES-128 will be used. Servers, including NousTalk’s, do not have access to the decryption keys. This keeps your videoconference absolutely confidential.

3) Security and Process Management

Information security is the preservation of confidentiality, integrity and availability of information. In the healthcare setting, this security includes ePHI used for clinical decision making or healthcare operations.

The NousTalk platform has been designed to meet HIPAA and PHIPA security requirements by having the following safeguards in place for clinicians and their patients:

• Access Control
• Audit Management Control
• Administrator Control and Dashboard
• Security Management Controls
• Person or Entity Authentication
• Breach Notification Protocols
• Transmission Security (Audio, Video/Chat Encryption)
• Encrypted Archiving