Healthie Security and Privacy
Healthie is used as the underlying technology for health services delivery by many large companies and institutions, including universities, hospital systems, healthcare clinics, and digital healthcare startups. Healthie meets medical-grade security and privacy protections to secure your and your clients' personal health information (PHI) stored within Healthie.
Healthie has also supported customers by completing (and passing) rigorous security and vendor assessments. We conduct regular external gap and security assessments, as well as an annual third-party penetration test. If you are interested in our support in this process, or have any questions about our security and privacy, please e-mail compliance@gethealthie.com.
IN THIS ARTICLE:
- Privacy & Security Qualifications
- Security Overview
- HIPAA Compliance & Business Associate's Agreement (BAA)
- SOC 2
- ONC Certification
- HITRUST R2 Certification
- PCI Compliance
- PIPEDA/PHIPA Compliance
- FERPA Compliance
- AUS Privacy Act
- CCPA
- GDPR Compliance
- WCAG 2.1 A and 2.1 AA Compliance
- Integration with HIPAA-compliant Zoom
- Healthie Back Up Procedures
Privacy & Security Qualifications
Healthie meets the following privacy and security standards:
- HIPAA
- SOC 2 Type-2
- HITRUST R2 Certification
- ONC Certification
- PIPEDA/PHIPA
- FERPA
- PCI Compliance (via our third-party payment processor, Stripe)
- AUS Privacy Act
- CCPA
- GDPR
- WCAG 2.1 A
- WCAG 2.1 AA
Security Overview
Healthie's platform meets the highest certification standards for data security and privacy, leveraging industry standards to secure data for you and your clients. Our customers can rest easy knowing that the Healthie platform meets rigorous Health IT requirements.
Physical Security:
Our servers are housed in facilities that are protected by biometric security, surveillance systems, and security guards, 24 hours a day, 7 days a week, 365 days a year.
Data Security:
We store data at SOC Type 1- and SOC Type 2-certified facilities. Patient data that providers store on the platform is encrypted even while at rest.
Transmission Security:
Our website data is encrypted with 256-bit Secure Socket Layer (SSL) technology, whether you’re on a desktop, laptop, tablet, or phone. We use cryptographic keys to authenticate data transfer.
Financial Security:
We process credit card transactions using secure encryption on a Level 1 PCI-compliant network. We tokenize and encrypt all payment information, and we do not store it ourselves.
HIPAA Compliance & Business Associate's Agreement (BAA)
Healthie is HIPAA-compliant and we pass regular third-party attestations.
The Health Insurance Portability and Accountability Act (HIPAA) is a series of US regulations that protects personal health information. Healthie is compliant with the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Breach Notification Rule, the HIPAA Administrative Safeguards, and the HIPAA Physical Safeguards.
Business Associate's Agreement (BAA):
Business Associate Agreements are in place with strategic partners, and site sessions are encrypted with 512-bit Secure Socket Layer technology.
Healthie signs a Business Associate’s Agreement with entities, and access to specific provider and client profiles is highly limited, regulated, and closely monitored. Team members have signed agreements in place accordingly.
You can view a copy of Healthie's Business Associate's Agreement (BAA) here.
SOC 2 Certified
Healthie is SOC 2 Type 1 and SOC 2 Type 2 Certified.
Healthie has successfully completed a System and Organization Controls (SOC) 2 Type II audit, performed by Sensiba LLP (Sensiba). Developed by the American Institute of Certified Public Accountants (AICPA), the SOC 2 information security audit provides a report on the examination of controls relevant to the trust services criteria categories covering security, availability, processing integrity, confidentiality, and privacy. A SOC 2 Type II report describes a service organization's systems, whether the design of specified controls meets the relevant trust services categories, and whether the controls were operating effectively over an agreed-upon review period (last recertification: March 2024).
ONC Certification
Healthie’s Early EHR certification is compliant with the 2015 Edition criteria and has been certified by an ONC-ACB in accordance with the applicable certification criteria adopted by the Secretary of the U.S. Department of Health and Human Services (certification date: December 7, 2022).
Via Healthie, providers are able to utilize key functionalities including direct messaging, reimbursements for meaningful use (eCQMs and MIPS) and FHIR as a result of Healthie meeting ONC certification requirements. Learn more about ONC functionality here.
HITRUST Certification
Healthie is HITRUST R2 certified, utilizing the HITRUST CSF® framework, which integrates over 50 security and privacy standards, including HIPAA, NIST, and GDPR. This provides comprehensive, scalable protection and compliance, allowing us to meet the highest data security standards in an evolving regulatory landscape.
PCI Compliance
Healthie's system protects credit card and bank account information. Healthie incorporates industry-leading measures to secure the financial information of you and your clients.
What is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security measures designed to ensure a secure environment for transmitted credit card information. Healthie’s payment processor is certified as PCI Service Provider Level 1, the highest possible level. Healthie tokenizes and encrypts all payment information; payment information is not stored by Healthie, nor accessible to anyone within the organization.
What makes Healthie PCI Compliant?
We partner with Stripe and Microsoft Azure on PCI compliance:
- Stripe's compliance - https://stripe.com/docs/security/stripe
- Actual certification - http://www.visa.com/splisting/searchGrsp.do?companyNameCriteria=stripe
- Azure compliance - https://www.microsoft.com/en-us/trustcenter/Compliance/HIPAA
PIPEDA Compliance
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a series of Canadian regulations that protect personal health data. Healthie’s infrastructure protects personal information in compliance with PIPEDA.
PHIPA is Ontario, Canada's Personal Health Information Protection Act, which protects personal health data. Healthie’s infrastructure protects personal information in compliance with PHIPA.
FERPA Compliance
Healthie works with dozens of Universities to provide software for campus wellness, sports nutrition, clinical services, and other University needs.
Healthie is FERPA Compliant, and upon request via e-mail to hello@gethealthie.com, can share details with your Organization.
AUS Privacy Act
The AUS Privacy Act includes thirteen Australian Privacy Principles that outline how personal information must be protected, secured, and stored by health care providers and professional entities. Healthie follows the AUS Privacy Act.
CCPA
Healthie is CCPA compliant, consistent with the California Consumer Privacy Act, which outlines how companies must protect consumer information.
GDPR Compliance
Healthie is GDPR-compliant, consistent with the EU's updated General Data Protection Regulation.
In May 2018, we updated our terms of use and privacy policy to provide transparency on how personal information is collected, stored, and shared.
WCAG 2.1 A and 2.1 AA Compliance
Web accessibility makes it easier for people to use the web. It creates a better user experience for a wider audience, not just users with disabilities. Accessibility standards for the internet are set by the Web Content Accessibility Guidelines (WCAG). These are the guidelines for making the web accessible to everyone, regardless of their needs or if they require assistive technologies to use the web.
Healthie is WCAG 2.1 A compliant. This is viewed as the acceptable level of accessibility for many online services, and it should work with most assistive technology that is now widely available on desktop devices or that can be purchased as a third-party installation. We integrate with Zoom, which meets WCAG 2.1 A Standards, Revised Section 508 Standards, and EN 301 549 Accessibility requirements.
With regard to mobile devices, the web and user interface is written in HTML and is fully 508 (WCAG 2.1 Level A) compliant. There is no need for a text-only page.
Integration with HIPAA-compliant Zoom
The HIPAA-compliant tier of Zoom is available via Healthie; it is the most secure version of Zoom available. HIPAA-compliant Zoom is used by hospitals, medical facilities, and clinics all over the world for end-to-end 256-bit AES encrypted and secure video and audio calls. This offers an added layer of protection over the direct-to-consumer version of Zoom available to the public. Healthie has a Business Associate's Agreement signed with Zoom, which outlines how client information is protected and fully encrypted.
Healthie also offers a built-in WebRTC solution for video chat that does not utilize Zoom. When scheduling a call, providers can choose either Zoom or our built-in telehealth software.
If you have more questions on Zoom's Terms and Security, please visit: Zoom's Trust Center
Back Up Procedures
Information held in Healthie is secured and backed up regularly on our servers; we partner with AWS, Aptible, and Microsoft Azure to ensure that data is encrypted and to prevent data loss. We keep full audit trails of information if ever needed. If you would like an export of your information for personal records, please e-mail compliance@gethealthie.com.
Disaster Recovery
We have a disaster recovery plan in place, including redundant power supplies and data backup.
Audit Controls
We keep access logs and audit trails every time patient information is viewed, edited, or deleted. This includes SSH logs, SQL query logs, platform backend activity logs, and Apache logs.