The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards to protect patients' medical records and other health information from being disclosed without their consent.

This type of information is categorized as “Protected Health Information” (PHI).

HIPAA requires technical, administrative, and physical safeguards to protect PHI from intentional or unintentional unauthorized disclosure. Securing the local network is a key component of this.

Compliance with HIPAA is a shared responsibility between Meter and the Customer. Meter Network supports customers' efforts to achieve compliance goals and protect PHI through effective security controls and simple network management.

Implementation of network security features alone does not guarantee HIPAA compliance. HIPAA compliance requires a comprehensive program that extends beyond network infrastructure and includes policies, procedures, and controls across your entire organization. This document describes how Meter Network's features can support your HIPAA compliance efforts as part of a broader compliance strategy.

Recommended Technical Controls

Access Control: Unique User Identification

Meter recommends 802.1X with WPA2-Enterprise or WPA3-Enterprise on wireless to provide the highest-fidelity user identification and management on the network. This requires a RADIUS server supplied by the Customer. 802.1X with RADIUS provides authentication, authorization, and accounting (AAA), meaning that each individual user's access is granted on that user's own credentials, logged, and can be revoked or modified at any time without affecting other users. Client devices should be provisioned to validate the RADIUS server's certificate, so that staff credentials are not offered to a rogue access point broadcasting the same SSID. For unmanaged users, such as visitors, Meter recommends a segmented guest network (VLAN) that has no access to any other segment of the network, with client isolation so that guests cannot reach other users on that same segment. All connection events, wired or wireless, are logged by Meter and can be reviewed by administrators in the Meter dashboard.

Access Control: Emergency Access Procedure

Emergency access allows personnel to reach PHI during an emergency. Meter Network devices continue to serve wired and wireless users even when Internet access or connectivity to the Meter Cloud is lost. During an Internet outage, personnel can still reach PHI on local storage and other local resources; access to PHI hosted outside the local network depends on the Customer's own contingency plan for Internet connectivity.

Access Control: Automatic Logoff

For users managed with 802.1X, as recommended, periodic re-authentication or automatic logoff can be configured directly on the Customer's RADIUS server (for example, by returning a session timeout in the Access-Accept). For unmanaged users, periodic logoffs or password rotations can be triggered at a customer-defined interval. For example, on a guest network using WPA2-PSK, the passphrase can be configured to rotate every 24 hours, forcing every user off the network at that time. These are network-level controls only; HIPAA's automatic-logoff specification also covers the workstations and applications that display PHI, which must enforce their own session timeouts.

Access Control, Transmission Security, and Data Integrity

These specifications are intended to ensure that PHI

  • is only accessed by authorized users
  • is not altered in transit
  • is not intercepted in transit

On wireless, Meter networks can be configured with WPA2-PSK, WPA2-Enterprise, WPA3-Personal, and WPA3-Enterprise, each of which encrypts traffic over the air. The Enterprise modes derive a separate key for each authenticated user; the shared-passphrase modes protect traffic only as well as the passphrase itself is protected, so prefer WPA3-Personal over WPA2-PSK where clients support it and rotate passphrases on a defined schedule. Meter devices do not break TLS encryption; encrypted data on your Meter Network remains encrypted end to end, from source to destination. Traffic on the data plane of Meter Networks is never sent to the Meter Cloud.

Audit Controls

Audit controls allow administrators to monitor user activity on systems that access PHI. Meter logs client events, including connection, disconnection, authentication attempts, and bandwidth usage, all of which are accessible to administrators in the Meter Dashboard. Customers should retain or export these logs in line with their own audit-log retention requirements.
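The two questions an auditor is most likely to ask of these logs are whether anyone is repeatedly failing authentication (the Unique User Identification control) and whether sessions are actually being cut off at the configured re-authentication interval (the Automatic Logoff control). The script below is an added example, not Meter's code and not the Dashboard's export format, which this page does not document; it assumes a constructed JSON-lines export with `ts`, `event`, `user`, `client_mac` and `ssid` fields, and the thresholds at the top are placeholders to tune to your policy.

```python
"""Audit-control checks over constructed network event logs.

Added example, not Meter's code. The log format below is an assumption
(one JSON object per line with ts/event/user/client_mac/ssid); adapt
parse_events() to whatever your Dashboard export actually looks like.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Policy thresholds: assumptions for the example, not Meter defaults.
MAX_AUTH_FAILURES = 5                  # failures per identity ...
FAILURE_WINDOW = timedelta(minutes=10)  # ... within this sliding window
REAUTH_INTERVAL = timedelta(hours=8)    # RADIUS session timeout you configured

# Constructed sample export (not real Meter data).
SAMPLE_LOG = """\
{"ts": "2024-03-01T08:00:00Z", "event": "auth_success", "user": "nurse1@clinic.example", "client_mac": "aa:bb:cc:00:00:01", "ssid": "Clinic-Staff"}
{"ts": "2024-03-01T08:00:01Z", "event": "connect", "user": "nurse1@clinic.example", "client_mac": "aa:bb:cc:00:00:01", "ssid": "Clinic-Staff"}
{"ts": "2024-03-01T08:05:00Z", "event": "auth_failure", "user": "drsmith@clinic.example", "client_mac": "aa:bb:cc:00:00:02", "ssid": "Clinic-Staff"}
{"ts": "2024-03-01T08:06:10Z", "event": "auth_failure", "user": "drsmith@clinic.example", "client_mac": "aa:bb:cc:00:00:02", "ssid": "Clinic-Staff"}
{"ts": "2024-03-01T08:07:20Z", "event": "auth_failure", "user": "drsmith@clinic.example", "client_mac": "aa:bb:cc:00:00:02", "ssid": "Clinic-Staff"}
{"ts": "2024-03-01T08:08:30Z", "event": "auth_failure", "user": "drsmith@clinic.example", "client_mac": "aa:bb:cc:00:00:02", "ssid": "Clinic-Staff"}
{"ts": "2024-03-01T08:09:40Z", "event": "auth_failure", "user": "drsmith@clinic.example", "client_mac": "aa:bb:cc:00:00:02", "ssid": "Clinic-Staff"}
{"ts": "2024-03-01T08:10:50Z", "event": "auth_failure", "user": "drsmith@clinic.example", "client_mac": "aa:bb:cc:00:00:02", "ssid": "Clinic-Staff"}
{"ts": "2024-03-01T08:30:00Z", "event": "auth_failure", "user": "reception@clinic.example", "client_mac": "aa:bb:cc:00:00:03", "ssid": "Clinic-Staff"}
{"ts": "2024-03-01T08:31:00Z", "event": "auth_success", "user": "reception@clinic.example", "client_mac": "aa:bb:cc:00:00:03", "ssid": "Clinic-Staff"}
{"ts": "2024-03-01T08:31:01Z", "event": "connect", "user": "reception@clinic.example", "client_mac": "aa:bb:cc:00:00:03", "ssid": "Clinic-Staff"}
{"ts": "2024-03-01T12:00:00Z", "event": "disconnect", "user": "reception@clinic.example", "client_mac": "aa:bb:cc:00:00:03", "ssid": "Clinic-Staff"}
{"ts": "2024-03-01T17:30:00Z", "event": "disconnect", "user": "nurse1@clinic.example", "client_mac": "aa:bb:cc:00:00:01", "ssid": "Clinic-Staff"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def auth_failure_bursts(events: list[dict], limit: int = MAX_AUTH_FAILURES,
                        window: timedelta = FAILURE_WINDOW) -> dict[str, int]:
    """Identities with at least `limit` auth failures inside any `window`-long span.

    Returns {user: peak failure count}. A single typo (reception@ above) is
    below the threshold; six failures in under six minutes (drsmith@) is not.
    """
    failures: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if e["event"] == "auth_failure":
            failures[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in failures.items():
        peak, start = 0, 0
        for end, t in enumerate(times):        # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= limit:
            flagged[user] = peak
    return flagged


def overlong_sessions(events: list[dict], max_len: timedelta = REAUTH_INTERVAL) -> list[dict]:
    """Sessions (connect..disconnect per client_mac) longer than the re-auth interval.

    If automatic logoff is working, no session should exceed max_len. A client
    still connected at the end of the export is measured to the last timestamp.
    """
    open_since: dict[str, dict] = {}
    flagged = []
    for e in events:
        mac = e["client_mac"]
        if e["event"] == "connect":
            open_since[mac] = e
        elif e["event"] == "disconnect" and mac in open_since:
            started = open_since.pop(mac)
            duration = e["ts"] - started["ts"]
            if duration > max_len:
                flagged.append({"client_mac": mac, "user": started["user"], "duration": duration})
    if events:
        end_of_log = events[-1]["ts"]
        for mac, started in open_since.items():
            duration = end_of_log - started["ts"]
            if duration > max_len:
                flagged.append({"client_mac": mac, "user": started["user"], "duration": duration})
    return flagged


def run_checks(text: str = SAMPLE_LOG) -> dict:
    """Convenience wrapper returning both findings for a log export."""
    events = parse_events(text)
    return {"auth_bursts": auth_failure_bursts(events),
            "overlong_sessions": overlong_sessions(events)}


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

On the constructed sample this reports `drsmith@clinic.example` with a peak of six failures in one ten-minute window, and one session for `aa:bb:cc:00:00:01` lasting about nine and a half hours against an eight-hour re-authentication interval, which is exactly the kind of discrepancy between the configured RADIUS session timeout and observed behaviour that the audit record should surface.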

Administrative Controls

Log-in monitoring

HIPAA requires organizations to record the activity of administrators. Meter logs administrator logins and all network configuration changes. This provides a record that can be used to investigate any potential events on the network.

Password management

Meter networks and devices are fully cloud managed through the Meter Dashboard and have no local username-and-password access. Customers access the Meter Dashboard through single sign-on with their chosen identity provider (e.g. Microsoft Azure, Okta), which preserves the provider's password and multi-factor policies and makes sign-in to Meter as secure as the rest of their IT stack. Meter integrates with any identity provider that supports the SAML standard.

Security Incident Response  

Meter provides comprehensive visibility across the entire networking stack, from individual clients to hardware devices to ISPs. All of this data is available to administrators in the Meter Dashboard and can be used for incident response and investigation. Meter will support customers with any additional data that is available and may be needed.

Additionally, Meter maintains rigorous, regularly audited internal policies and controls for security incidents affecting Meter’s own infrastructure, including standardized communication timelines with customers. Copies of Meter’s policies are made available to the Customer upon request.

Backup and recovery

Meter Cloud, which contains encrypted configuration data, logs, and other historical data, is backed up multiple times per day. In the unlikely event of a network outage requiring restoration of configuration information, Meter is able to restore from the last known good backup within our documented service level agreement.

Emergency mode operation 

A loss of Internet access will not disrupt the Meter local area network (LAN) or user access to the LAN. Meter Network is cloud managed, but the architecture is designed to be resilient to failures at each layer of the stack.

Physical Controls

Device Security

While Meter devices are resistant to unauthorized physical access, Meter equipment should be installed in protected locations that are not easily accessible to casual traffic. Securing access to network equipment is a customer responsibility. Our operations team can offer guidance on how to limit access to Meter equipment.

Media Re-use

Meter equipment does not store client data, such as PHI, so there is no PHI to sanitize when a device is returned or decommissioned. Customers should ensure applications handling PHI use TLS or other secure protocols with strong encryption to prevent unauthorized access. Meter does not have the ability to intercept or read encrypted traffic, and that traffic is never sent to the Meter Cloud.

Documentation Requirements

As part of HIPAA compliance, organizations must maintain documentation of their security measures and configurations. While Meter provides detailed logs and configuration records through the Dashboard, customers should maintain their own records of:

  • Network security configurations
  • Configuration changes and justifications
  • Risk assessments
  • Security incident responses
  • Regular security reviews