HIPAA Security Program
As a medical research company, Healthy.io takes all security and privacy requirements in the healthcare industry very seriously and has implemented the following list of security practices to protect PHI/ePHI.
1. Technical Controls
Healthy.io encrypts any ePHI to satisfy NIST parameters any time the ePHI is outside the ﬁrm’s ﬁrewalled hardware.
Healthy.io strengthens security with solid and secure logins to ensure data is in the right hands. It assigns unique user accounts to individuals, providing them access to the system that matches their role.
Healthy.io employs the need-to-know basis and the Principle of Least Privilege (PoLP), allowing only the necessary access for users to accomplish their job function. It creates user accounts to have minimal access. Access beyond these least privileges requires appropriate authorization.
When granted, access is carefully controlled and logged. Strong authentication, including the use of multi-factor authentication, helps limit access to authorized personnel only.
Healthy.io enforces Segregation of Duties (SoD) through user-defined roles to minimize the risk of unintentional or unauthorized access or changes to production systems. It restricts information system access based on the user’s job responsibilities.
An independent auditor reviews privileged user access controls during the Healthy.io ISO/IEC 27001:2013 audits.
Healthy.io revokes access when it terminates an employee’s record in its HR system. When an employee’s job function changes, it must explicitly or revoke approvals for continued access to resources.
Auditing and Monitoring
Healthy.io monitors controls and ensures logging is working correctly. It pays close attention to PHI access and manipulation. Its IT personnel make sure that the logging feature is active within all systems around-the-clock. In addition to logging, Health.io also monitors the data accumulation process via a system of rules to ensure that everything continually meets its access control policy. After a specific period of user inactivity, it enables automatic log-off. It assesses access controls across all layers, including the network and its software.
2. Physical Controls
Control Facility Access
AWS and GCP carefully track the speciﬁc individuals who have physical access to data storage, not just engineers, but also service personnel and even custodians.
Healthy.io has a written policy implementing procedures describing how to guard a screen against parties at another location, delineating proper workstation use, and limiting the use of the workstation to access health data.
Healthy.io implements policies/procedures and a Mobile Device Management solution (MDM) to remove data before circulating a device to another user or remotely wipes a lost/stolen device.
All Healthy.io infrastructure is in a managed inventory, including information about its location.
3. Administrative Controls
Healthy.io periodically conducts comprehensive risk assessments for all health data. It performs these risk assessments at regular intervals and introduces measures to reduce the risks appropriately.
Healthy.io uses providers such as HireRight to conduct criminal background checks, as permitted by applicable law, as part of employee pre-employment process screening practices, commensurate with the employee’s position and level of access.
In alignment with the ISO/IEC 27001:2013 standard, all Healthy.io employees complete periodic role-based training that includes Healthy.io Security training and requires an acknowledgment that they have completed it. Healthy.io also periodically performs compliance audits to validate that employees understand and follow the established policies.
All Healthy.io personnel must sign confidentiality commitments before being granted access to Healthy.io systems and devices. Furthermore, when hired, Healthy.io requires personnel to read and accept the Acceptable Use Policy and the Healthy.io Code of Business Conduct and Ethics (Code of Conduct) Policy.
Training / Education / Awareness
At least twice a year, Healthy.io trains all its employees on topics related to all ePHI access protocols, HIPAA requirements, cyber-security, and how to recognize potential phishing attacks. The training includes HIPAA, HITECH, Omnibus, Texas HB 300, and Confidentiality of Medical Information Act (CMIA).
Daily, Healthy.io assists hospitals and clinics in improving and saving human lives. Business continuity is fundamental. This is the primary reason Healthy.io is always preparing for, responding to, and recovering from disruptive incidents when they arise. It periodically tests its contingency plans with regard to all essential software.
Healthy.io signs Business Associate Agreements with all partners (BAA) and ensures that parties, such as subcontractors, cannot view ePHI without granted access.
Healthy.io trains its Incident Response Team to recognize, respond and document security incidents according to its policies and procedures. It firmly believes that it can stop a security incident internally before anyone can breach the data.
Healthy.io checks prospective third parties before employment to validate that they meet its security standards. Customer data is not accessible to third parties or subcontractors.
The Healthy.io security team reviews applicable vendors annually or does it via a third-party report (e.g., SSAE 16 SOC2 report, ISO27001). The procedure considers the type of access, classification of data accessed (if any), and controls necessary to protect data and legal/regulatory requirements.