by Edmond 3366 days ago
You actually can guarantee the transmission of information from one entity to another without sniffing or alteration... that is how internet transport layer security works... our API is built on those principles.

Of course there may be other caveats that I am not aware of, I don't know much about HIPAA.

EDIT:

You don't need to trust Twilio (or any intermediary)... You can transmit encrypted information end-to-end without any risk that the intermediary can access it. That is the solution we've created with our API; you can see the full docs here: https://www.cipheredtrust.com/doc/


HIPAA doesn't care about the logistics of whether or not the intermediary can/cannot decrypt the data. If the intermediary touches the data and it's not exempt by the conduit exception, then there has to be a BAA in place. It's why even though FaceTime hypothetically has E2E encryption and Apple claims to not have the capability to decrypt the data, it's still inappropriate to use for patient-doctor communication due to the lack of that BAA being in place.
> HIPAA doesn't care about the logistics of whether or not the intermediary can/cannot decrypt the data. If the intermediary touches the data and it's not exempt by the conduit exception, then there has to be a BAA in place.

HIPAA cares deeply about the logistics, which is what the privacy, security, breach notification, etc. rules largely address. The logistics just don't come into play until after the determination that you are a business associate and therefore required to sign a BAA and comply with the rules.

got it.