Contact us
Back

HIPAA

HIPAA Security Program

As a medical research company, Healthy.io takes all security and privacy requirements in the healthcare industry very seriously and has implemented the following list of security practices to protect PHI/ePHI.

1. Technical Controls

Encryption

Healthy.io encrypts any ePHI to satisfy NIST parameters any time the ePHI is outside the firm’s firewalled hardware.

Access Control

Healthy.io strengthens security with solid and secure logins to ensure data is in the right hands. It assigns unique user accounts to individuals, providing them access to the system that matches their role.

Healthy.io employs the need-to-know basis and the Principle of Least Privilege (PoLP), allowing only the necessary access for users to accomplish their job function. It creates user accounts to have minimal access. Access beyond these least privileges requires appropriate authorization.

When granted, access is carefully controlled and logged. Strong authentication, including the use of multi-factor authentication, helps limit access to authorized personnel only.

Healthy.io enforces Segregation of Duties (SoD) through user-defined roles to minimize the risk of unintentional or unauthorized access or changes to production systems. It restricts information system access based on the user’s job responsibilities.

An independent auditor reviews privileged user access controls during the Healthy.io ISO/IEC 27001:2013 audits.

Healthy.io revokes access when it terminates an employee’s record in its HR system. When an employee’s job function changes, it must explicitly or revoke approvals for continued access to resources.

Auditing and Monitoring

Healthy.io monitors controls and ensures logging is working correctly.  It pays close attention to PHI access and manipulation. Its IT personnel make sure that the logging feature is active within all systems around-the-clock. In addition to logging, Health.io also monitors the data accumulation process via a system of rules to ensure that everything continually meets its access control policy.  After a specific period of user inactivity, it enables automatic log-off. It assesses access controls across all layers, including the network and its software.

2. Physical Controls

Control Facility Access

AWS and GCP carefully track the specific individuals who have physical access to data storage, not just engineers, but also service personnel and even custodians.

Workstation Management

 Healthy.io has a written policy implementing procedures describing how to guard a screen against parties at another location, delineating proper workstation use, and limiting the use of the workstation to access health data.

Mobile Protection

Healthy.io implements policies/procedures and a Mobile Device Management solution (MDM) to remove data before circulating a device to another user or remotely wipes a lost/stolen device.

Asset Inventory

All Healthy.io infrastructure is in a managed inventory, including information about its location.

3. Administrative Controls

Risk Assessment

Healthy.io periodically conducts comprehensive risk assessments for all health data. It performs these risk assessments at regular intervals and introduces measures to reduce the risks appropriately.

Human Resources

Healthy.io uses providers such as HireRight to conduct criminal background checks, as permitted by applicable law, as part of employee pre-employment process screening practices, commensurate with the employee’s position and level of access.

In alignment with the ISO/IEC 27001:2013 standard, all Healthy.io employees complete periodic role-based training that includes Healthy.io Security training and requires an acknowledgment that they have completed it. Healthy.io also periodically performs compliance audits to validate that employees understand and follow the established policies.

All Healthy.io personnel must sign confidentiality commitments before being granted access to Healthy.io systems and devices. Furthermore, when hired, Healthy.io requires personnel to read and accept the Acceptable Use Policy and the Healthy.io Code of Business Conduct and Ethics (Code of Conduct) Policy.

Training / Education / Awareness

At least twice a year, Healthy.io trains all its employees on topics related to all ePHI access protocols, HIPAA requirements, cyber-security, and how to recognize potential phishing attacks. The training includes HIPAA, HITECH, Omnibus, Texas HB 300, and Confidentiality of Medical Information Act (CMIA).

Build Contingencies

Daily, Healthy.io assists hospitals and clinics in improving and saving human lives. Business continuity is fundamental. This is the primary reason Healthy.io is always preparing for, responding to, and recovering from disruptive incidents when they arise. It periodically tests its contingency plans with regard to all essential software.

Third-Parties

 Healthy.io signs Business Associate Agreements with all partners (BAA) and ensures that parties, such as subcontractors, cannot view ePHI without granted access.

Security Incidents

Healthy.io trains its Incident Response Team to recognize, respond and document security incidents according to its policies and procedures. It firmly believes that it can stop a security incident internally before anyone can breach the data.

Vetting Process

Healthy.io checks prospective third parties before employment to validate that they meet its security standards. Customer data is not accessible to third parties or subcontractors.

Ongoing Monitoring 

The Healthy.io security team reviews applicable vendors annually or does it via a third-party report (e.g., SSAE 16 SOC2 report, ISO27001). The procedure considers the type of access, classification of data accessed (if any), and controls necessary to protect data and legal/regulatory requirements.

ISO 27001:2013 ISMS

Learn more