Privacy & Security
Healthcare Standards - HIPAA
Pro-Activity complies with HIPAA standards (privacy and security) as is required to perform its work as a professional health and healthcare company.
Generally, HIPAA mandates policies that address:
- Confidentiality
- Identification of, and protection against, threats
- Protection against impermissible uses and disclosures
- Workforce compliance
High Level Protection
To ensure systems and policies meet or exceed standards, Pro-Activity utilizes a variety of approaches and measures including but not limited to:
- Strong password protection, and two-step verification (2SV) where required
- Encryption of data in transit, and locked record systems
- Non-disclosure agreements signed by all staff
- Training related to data integrity
- All data, in use and at rest, is maintained in North American server farms
Best Practices
To ensure systems and policies meet or exceed standards, Pro-Activity employs a variety of approaches and measures including but not limited to:
- Separating health information from the personal identifiers (PII) that make it protected health information (PHI), and de-identifying it where possible
- Requiring regular password changes and updates
- Maintaining central device management and storage (allowing remote "wiping" of devices in case of breach)
- Tiered, role-based permissions for access to systems
- Performing audits and self-checks to periodically ensure locally stored information is secure
- Scheduling secure destruction of paper records annually
- Maintaining internet liability and network (cyber) protection insurance
Human Resource Protections
Pro-Activity utilizes licensed healthcare staff who are required to pass a state police background check. In the case of termination or off-boarding, staff access is removed from all data systems and all company-owned assets that may contain data are returned. Employees are required to attest that all information has been returned and that the previously signed non-disclosure agreement remains in force.
All staff are required to complete initial and periodic training related to HIPAA, which includes data management. In line with best practice, this material is reviewed at least annually.
Additional Detailed Information
Pro-Activity utilizes Google-based systems for data storage and communication. Information on Google's security practices can be found here: https://safety.google/
HIPAA does not mandate a specific encryption algorithm; the Security Rule lists encryption as an addressable specification, and HHS guidance on rendering PHI unusable points to NIST standards, with which AES using at least 128-bit keys is consistent. Pro-Activity utilizes Google Workspace (formerly Google Apps), which supports HIPAA compliance when a Business Associate Agreement (BAA) is in place. Pro-Activity holds a BAA. Note that Google's BAA covers only the Workspace services it lists as covered, so PHI is kept within those services. More detail can be found here: https://support.google.com/a/answer/3407054
With the exception of in-clinic medical records, Pro-Activity utilizes Google Workspace for all documentation and storage. Google operates secure, geographically redundant data centers, allowing for near-continuous availability.
Google has sought and received independent security attestations, including ISO 27001 certification and SOC 2 and SOC 3 Type II reports.