Built for clinical workstations · zero-relay, zero-account

Remote desktop, built for clinical data.

No protected health information ever transits Remio's servers — because nothing transits them. Every session is direct peer-to-peer between the host workstation and the client device, end-to-end encrypted with AES-256. No Remio account, no telemetry pipeline, no third-party relay holding a frame of your screen. The architecture is the safeguard.

See the architecture Talk to us about your deployment
Architecture, not a checkmark

Why architecture matters more than a checkmark.

A “HIPAA-compliant” badge on a vendor's website tells you almost nothing about where your patient data actually lives. The real question is structural: does the vendor's infrastructure ever see a frame of your screen?

01
The relay problem

Most “HIPAA-compliant” remote desktops relay your session through their cloud.

Look at the wire diagram of the popular incumbents. A client connects to the vendor's cloud. The host workstation connects to the same vendor's cloud. The vendor forwards frames, keystrokes, clipboard, and file transfers between the two endpoints — which means every byte of clinical data passes through infrastructure the vendor operates, monitors, and (legally speaking) handles. The vendor becomes a business associate because the vendor is, in fact, an associate handling your business.

A BAA in that posture is not optional — it is mandatory, because the vendor's servers see PHI in transit and could, in principle, decrypt it (if they hold the session keys) or be compelled to retain it. Every subcontractor that touches the vendor's stack — their cloud provider, their content-delivery partner, their analytics platform — inherits some portion of that exposure under chained BAA structures.

02
The Remio difference

Remio's infrastructure never sees a frame of your screen.

Remio uses a different topology. The signaling server — the only piece of Remio infrastructure your devices contact — is the smallest possible introduction service. It tells the host and the client how to find each other on the network, then steps out of the path. From that moment on, the connection is direct between the two devices, end-to-end encrypted with keys derived on the endpoints. Pixels, keystrokes, audio, clipboard, file transfers, recordings — nothing reaches Remio.

If a court order arrived tomorrow demanding session data, Remio would have nothing to produce. If Remio's signaling server were breached, the attacker would find no PHI to exfiltrate — just a list of devices that, at some point, exchanged a handshake. There is no honeypot to point an adversary at, because the honeypot does not exist.

03
What this means for clinical workflows

A vendor checkmark is a deployment claim; an architecture is a structural property.

When a vendor says “we are HIPAA compliant”, what they typically mean is: “we have signed BAAs with our subcontractors, we have administrative policies in place, our SOC 2 audit covers the relevant controls.” That can all be true and still leave clinical data flowing through third-party infrastructure that you do not control and cannot audit at the wire level.

Remio's posture flips the question: instead of asking how well a vendor protects your data while they hold it, ask whether the vendor needs to hold it at all. The answer for Remio is no. End-to-end encryption with direct peer-to-peer transport is not a feature we added on top — it is the only mode the product ships in.

BAA scope

What Remio's architecture means for your BAA.

A Business Associate Agreement governs what a vendor can do with PHI they handle on your behalf. When the vendor handles no PHI, the BAA scope shrinks dramatically — and so does the residual risk.

01
Software supplier, not service provider

Remio's role is to ship software that runs on your hardware.

There is a meaningful difference between a vendor that hosts a service handling your PHI (a service provider) and a vendor that ships software that runs on your hardware and never sees the data (a software supplier). Remio falls firmly in the second category. The host application runs on your workstation; the client application runs on your clinician's device; the encryption keys exist only on those two endpoints; the session never enters Remio infrastructure.

Under HIPAA, a software supplier whose product never touches PHI is not automatically a business associate. The conduit exception and related guidance reflect a similar principle for vendors that have only ephemeral access to data they cannot decrypt. Remio's signaling, when it operates at all, is closer to a conduit handshake than a service that processes PHI.

02
Technical safeguards baked into the protocol

Encryption in transit, encryption at rest, and access controls are protocol-level.

HIPAA's technical safeguards (45 CFR § 164.312) require encryption of electronic PHI in transit and at rest where reasonable, access controls that uniquely identify users, and audit-grade logging where applicable. Remio's protocol is designed around those obligations. The streaming transport is AES-256 with per-session ephemeral keys — the same family of encryption that protects banking sessions and government traffic. Host-side recordings, when enabled, write to encrypted local storage. Pairing uses a per-device PIN that authorises a specific device, not an identity, and can be revoked instantly.

Because these safeguards live in the protocol itself rather than in an operational policy that a vendor promises to follow, they cannot be silently relaxed by an internal decision or a configuration drift. The product cannot fall back to an unencrypted transport. There is no “convenience mode” that bypasses end-to-end encryption.

03
Narrower BAA, fewer subcontractor questions

A small BAA scope means fewer chained obligations to manage.

When a vendor's BAA scope is broad — the vendor hosts the service, stores the data, processes the data with subcontractors — your procurement team has to chase every downstream BAA, audit every subprocessor, and re-evaluate every vendor-side architectural change. Remio's narrow scope removes most of that work, because there is little downstream activity to chase.

Will Remio sign a BAA? Yes — on request, and the scope reflects the architecture. Customers conducting their own HIPAA validation typically find Remio adds less risk than a cloud-relayed alternative, because the data-flow surface that the BAA has to govern is structurally minimised.

Clinical use cases

Where Remio fits in clinical workflows.

Concrete scenarios where a direct, end-to-end encrypted remote desktop is a better fit than a cloud-relayed alternative. The examples below are typical of deployments where Remio's posture is the cleaner choice.

Radiologist reading studies from home

A radiologist on overnight call connects from a home workstation to a high-end imaging machine sitting in the hospital data center. The diagnostic monitor stays calibrated where the studies live; the radiologist sees a true colour-accurate 4K stream at sixty frames per second. No DICOM bytes leave the hospital network — the pixels on the radiologist's screen are an encrypted rendering of the remote display, not a copy of the underlying study.

When the read is complete and the workstation locks, nothing remains on the home device. The study lived where the studies live; the radiologist visited it.

Imaging stays on hospital storage

On-call physician reviewing an EHR from a tablet

An on-call physician at home pulls up the hospital EHR from a tablet to triage an incoming admission. The EHR client never leaves the hospital workstation; the tablet sees a live, encrypted view of that workstation. When the call ends, the session ends — nothing about the chart is cached on the tablet, no PHI is left on personal hardware, no third-party cloud was in the path.

The physician can scroll the chart, dictate orders into the EHR running on the workstation, and disconnect — without the tablet ever becoming a place where PHI lives.

No PHI cached on personal devices

Pharmacy tech accessing a shift-locked workstation

A pharmacy technician operates a shared workstation that is locked to a single shift. The connection requires per-device pairing with a fresh PIN, and the host can require explicit approval on every new session. When the shift ends, pairings tied to that shift can be revoked centrally on the host; nothing on the vendor side has to be deleted because nothing on the vendor side ever existed.

The audit trail of who connected, from which device, and when, lives in the host workstation's logs — not in a third-party cloud the pharmacy has to subscribe to indefinitely.

Per-shift access, instant revocation

Biomedical engineer monitoring connected devices

A biomedical engineer monitors a fleet of infusion pumps, ventilators, and patient monitors that report into a back-office console. From home or another hospital site, the engineer sees the live console exactly as it appears on the floor — without exposing any device telemetry to a third-party cloud. Diagnostics, firmware notes, and audit logs stay inside the hospital's own systems.

When a device alarm fires at 03:00, the engineer can investigate it within seconds without the alarm payload ever traversing a vendor relay.

Device telemetry never leaves the perimeter
Audit, recording, access control

Sessions you can review, without exporting PHI.

Three capabilities most healthcare deployments need: a recording trail that meets internal audit policies, a pairing model that does not leak across devices, and an approval gate the host operator controls.

01

Host-side recording to encrypted local storage.

When recording is enabled, the session is captured on the host workstation and written to encrypted local storage on that same machine. Remio never receives, transmits, or stores recordings — the recording lives where the data lives, under the hospital's own retention policy, on hardware the hospital already manages and protects.

That means audit trails stay inside the institution's perimeter. If your internal policy requires recordings to be encrypted at rest, the host operating system's existing full-disk encryption (FileVault on Mac, BitLocker on Windows) provides that layer; Remio's recordings inherit it automatically. There is no separate cloud bucket to audit, no vendor-managed key escrow to worry about, no exported PHI to track across a third-party data centre.

Recordings can be retrieved, reviewed, exported to internal review systems, or deleted — all by the workstation's local administrators, without contacting Remio.

02

Per-device PIN pairing, configurable expiry.

Pairing a new client device with a host requires a fresh 4-digit PIN displayed on the host screen. The PIN authorises a specific device — not a user identity — and is valid for a configurable window before it expires. A stolen PIN that is never used is automatically useless after expiry; a paired device that is later lost can be revoked from the host's pairing list.

This trust model is closer to in-person key exchange than to a typical software account. There is no central authority granting access, no master credential to compromise, no “forgot password” flow for an attacker to phish. The host operator is the gatekeeper, every time.

03

Approval required on every connection.

For deployments where unattended access is not appropriate, the host can require an explicit on-screen approval on every new connection attempt. The operator at the workstation accepts or rejects in real time. The approval prompt names the client device and shows the time of the request — useful both for clinical workflow and for a written audit trail.

04

Revoke instantly, no vendor request needed.

Pairings are local to the host. Revoking a client device's access is an action on the host machine — not a ticket to Remio support, not a setting in a cloud console, not a delay while a vendor processes the request. If a device is lost, an administrator at the host machine removes its pairing immediately, and that device is locked out from that moment on.

Honest checklist

What you should verify before deploying.

Remio is one piece of a HIPAA-aware deployment — an important one, but not the whole picture. The checklist below is honest about where Remio's responsibility ends and yours begins.

01
Your own risk analysis

Complete a HIPAA risk analysis for the workflow you are deploying.

HIPAA expects covered entities and business associates to perform their own documented risk analysis for each workflow that touches PHI. No vendor — including Remio — can do this on your behalf, because only you know the full inventory of data, devices, and people involved. Treat this page as supporting evidence about the Remio component; do not treat it as a substitute for the analysis itself.

02
Endpoint hardening

Confirm full-disk encryption and screen-lock policy on every endpoint.

End-to-end encryption protects the session in transit. It does not protect a workstation whose disk is unencrypted and whose screen does not lock. Verify FileVault is enabled on every Mac, BitLocker on every Windows endpoint, and a comparable disk-encryption mode on iOS and Android devices participating in the workflow. Confirm idle screen-lock timeouts that match your institution's policy.

03
Workforce training

Document a workforce training programme on the workflow.

HIPAA's administrative safeguards require that workforce members be trained on the policies and procedures that govern their handling of PHI — including remote access. Document who is trained, on what, and when refreshers occur. The strongest technical safeguards will not survive a clinician who shares a pairing PIN over an unsecured channel; training is the layer that prevents that.

04
Downstream BAAs

Sign appropriate BAA structures with any other vendor that touches PHI in your stack.

Remio's BAA scope is narrow because Remio's architecture is narrow. But your stack almost certainly includes other vendors — an EHR provider, a cloud storage tier, a backup service, an identity provider — that do touch PHI. Make sure each of them has a signed, current BAA with appropriate scope. Remio's posture removes one set of vendor risks; it does not remove the others.

05
Incident response

Have a written incident-response plan that covers remote-access compromise.

Even with strong technical safeguards, plan for the day a clinician's laptop is stolen or a pairing PIN is leaked. Document who revokes the pairing, how the affected sessions are reviewed, and what disclosure obligations apply under your state's breach-notification rules. Test the plan annually. The institutions that handle incidents well are the ones that practised before the incident.

When Remio is not the right fit

When not to use Remio for clinical work.

Honest scope: Remio's architecture is the cleaner posture for many clinical workflows, but it is not a fit for every one. Two scenarios where a different category of product is likely a better match.

You need vendor-hosted relay with EHR SSO integration

If your deployment requirements include a vendor-hosted relay tier with single-sign-on integration directly to your EHR identity provider (so that a clinician's EHR login also grants remote-desktop access), Remio is not the cleanest fit. Vendor-hosted relays exist precisely to be the integration point for centralised identity systems. A cloud-relayed remote-desktop product, with appropriate BAAs in place, will give you that integration out of the box.

Remio's architecture deliberately keeps identity local to each device, which is excellent for confidentiality but does not provide the single-pane-of-glass identity story that a large hospital IT team often needs. We do not currently integrate with enterprise SSO, SAML, or EHR identity providers.

If SSO to EHR is a hard requirement — flag the gap

You need vendor-managed centralised audit logs in the cloud

If your compliance posture requires audit logs to be aggregated to a vendor-managed cloud SIEM in real time (rather than to your own on-premises logging infrastructure), Remio's host-local approach is not the right tool. Remio's recording and session metadata live on the host workstation, by design, to keep PHI inside the institution's perimeter — which means there is no vendor-side aggregation layer to query.

Conversely, if your workflow can use direct peer-to-peer with local pairing and host-side recording, Remio is the cleaner posture. Pick the architecture that matches your audit topology.

Centralised cloud SIEM aggregation not provided
FAQ

Questions clinical IT teams ask first.

Five honest answers about HIPAA posture, BAA scope, recording, and what Remio does — and does not — do today.

Remio is architecturally designed to support HIPAA-aware deployments — end-to-end encrypted, no third-party relay of session data, no account collection. HIPAA compliance is a deployment status that depends on your full stack, your policies, and your workforce training, not on any single vendor's certification. Remio is built to make the technical safeguards portion easier; the rest is yours to validate.
No. All sessions are direct peer-to-peer between the host and the client device. Remio's signaling server helps the two devices find each other and never sees any frame, keystroke, or file content.
On request. Because Remio's architecture limits Remio's exposure to PHI to effectively zero, the BAA scope is narrow. Contact support@remio.net to start the conversation.
Yes. Recording is a host-side option. Recordings save to local encrypted storage on the host machine; Remio never receives, transmits, or stores them.
Remio does not currently integrate with enterprise SSO or identity providers. Pairing uses a local 4-digit PIN per device. If single sign-on against an EHR identity provider is a hard requirement for your deployment, that is a gap to flag during your evaluation.
Ready when you are

Bring remote desktop into your clinical stack.

Pilot Remio on a single workstation and a single clinician's device today. When you are ready to talk about a wider deployment — BAA structures, recording policies, pairing rollout — we read every email.

Talk to us about your deployment Download Remio

Free during launch. No account. No telemetry. macOS, Windows, iOS, iPadOS, and Android.