The team that stands behind PatientPrompt takes data security and privacy of information very seriously. We recognize that we have a responsibility to protect individually identifiable health information according to the principles outlined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the HITECH Act of 2009.
As a Business Associate for Covered Entities, we apply the administrative, physical and technical safeguards to ensure the privacy, confidentiality and security of your data.
The following is a subset of the data security practices we employ to ensure the safety of your information.
• All data sent to us is encrypted while in transmission (“in-flight”) and while stored (“at-rest”).
• The communication between your computer and our servers is encrypted using strong 128-bit keys. This means that even if the information traveling between your computer and our servers were to be intercepted, it would be extremely difficult for anyone to make sense of it.
• Our network is gated and screened by powerful and certified Intrusion Detection and Prevention Systems (IDS/IPS).
• All access to production data is controlled and audited.
• Threat management, security monitoring and file/data integrity checks prevent or detect any tampering with data.
A note about Data Ownership
At PatientPrompt, we consider ourselves a custodian of your data, not the owner of it. You, our clients, remain the owners of your data. We will never mine your data for advertising purposes, nor will we sell your information to a third party. Should you ever choose to stop using PatientPrompt (and we hope we never give you a reason to), you can take your data with you.
For over 10 years, PatientPrompt has been used by healthcare clients in both the United States and Canada. As such, we understand how important it is to keep health data in its country of origin. This is why US clients have a US-based data center while Canadian clients operate out of data centers in Canada. At both facilities, data center best practices have been implemented, which include, but are not limited to:
• Only select employees with the appropriate clearance have access to our physical data centers. Employee access is logged and is strictly controlled.
• We limit access to client data to only a select few employees who need such access to provide support and troubleshooting.
• Audits are regularly performed and the entire audit process is regularly reviewed by management.
• All client data is backed up to offsite storage and can be restored quickly in the event of an emergency.
• We have established a robust recovery strategy that includes procedures for critical infrastructure, Internet connectivity, platform components and client data.
PatientPrompt is hosted in secure facilities in locations well protected from physical and logical attacks as well as from natural disasters such as earthquakes, fires, and floods. Every facility has extensive physical protective measures that include:
• Private security guards 24 hours a day, each and every day of the year.
• Constant video-surveillance.
• Multi-factor authentication, including biometric scanning for data center access.
• Generic-looking, undisclosed locations that reduce the risk of physical attack.
• Redundant power.
• Multiple Internet connections from different communication providers.
PatientPrompt is committed to meeting and exceeding the standards and regulations established for the products we deliver. We have achieved the SOC Type II certification for Service Organizations. SOC Type II is an evaluation of the design and operating effectiveness of controls that meet the AICPA’s Trust Services Principles criteria:
• Security: The system is protected against unauthorized access (both physical and logical).
• Availability: The system is available for operation and use as committed or agreed.
• Processing Integrity: System processing is complete, accurate, timely, and authorized.
• Confidentiality: Information designated as confidential is protected as committed or agreed.
• Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.