Kivicare Telemed Addon
Core Concepts

Authentication & HIPAA-ready Security

Security is critical in Telemedicine. The KiviCare Telemedicine Addon implements several layers of protection to ensure patient confidentiality and data integrity.


🔑 Authentication Mechanisms

OAuth 2.0 (User Managed)

This is the modern standard. Instead of sharing passwords, doctors “Authorize” the KiviCare app.

  • Tokens: The plugin stores access_tokens (which expire after 1 hour) and refresh_tokens.
  • Handling: Tokens are automatically refreshed in the background during API calls.

Server-to-Server OAuth

Used for institutional accounts. It allows the Admin to manage meetings for multiple doctors under one master account.

  • Security: Requires an account_id, client_id, and client_secret.
  • Storage: These are stored in the WordPress Options table and protected by standard WordPress security protocols.

🏥 Clinical Security Features (HIPAA Readiness)

Anonymous Join Prevention

The plugin enforces authentication where possible. By default, it encourages patients to have a display name or Zoom account, preventing “Zoom-bombing.”

Mandatory Waiting Rooms

All meetings created via KiviCare are configured with Waiting Rooms Enabled. The doctor must manually admit the patient, ensuring no unauthorized party enters the “Digital Exam Room.”

Dynamic Passcodes

Every meeting is generated with a unique, high-entropy passcode. This is embedded in the join_url so the patient can click once, but the underlying meeting remains private.


🔒 Data Protection

  • No Video Storage: KiviCare never stores video recordings or transcripts on your local server. All media flows through Zoom’s encrypted infrastructure.
  • Encrypted Communication: All API calls use TLS 1.2+ encryption.
  • Capability Checks: Only the specific doctor assigned to an appointment and the super-admin can view the start_url.
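The following is an added example, not KiviCare's code, modelling the three controls described on this page: the refresh decision for a 1-hour access_token, the meeting-creation settings that enforce a waiting room and a random passcode, and the start_url visibility rule. The Zoom field names follow the public Zoom API v2 meeting-creation body; the Appointment and TokenSet shapes, the 60-second refresh margin and the join_before_host setting are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Appointment:
    id: int
    doctor_id: int  # the one doctor assigned to this appointment (assumed shape)


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # Unix time; access tokens live about 1 hour


# Assumption: refresh a minute early so an in-flight API call never uses an expired token.
REFRESH_SKEW_SECONDS = 60


def needs_refresh(tokens: TokenSet, now: Optional[float] = None) -> bool:
    """True when the background refresh should run before the next API call."""
    now = time.time() if now is None else now
    return now >= tokens.expires_at - REFRESH_SKEW_SECONDS


def new_passcode(length: int = 10) -> str:
    """High-entropy passcode from a CSPRNG (Zoom allows up to 10 characters)."""
    alphabet = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meeting_request(topic: str, passcode: str) -> dict:
    """Body for POST /users/{userId}/meetings with the page's controls switched on."""
    return {
        "topic": topic,
        "type": 2,  # scheduled meeting
        "password": passcode,  # Zoom embeds it in the returned join_url
        "settings": {
            "waiting_room": True,  # host must manually admit each participant
            "join_before_host": False,  # assumed: nobody enters before the doctor
        },
    }


def may_view_start_url(appt: Appointment, user_id: int, is_super_admin: bool) -> bool:
    """start_url carries host rights: only the assigned doctor or the super-admin."""
    return is_super_admin or user_id == appt.doctor_id
```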
