Security is important to us. It’s our business.
Our #1 responsibility is providing you with the best possible product. One major component of that product is security. If you have any questions regarding security you can contact us at firstname.lastname@example.org. For urgent matters, you can contact us at 1-800-619-2955.
HIPAA & HITECH
HIPAA (the Health Insurance Portability and Accountability Act of 1996) and HITECH (Health Information Technology for Economic and Clinical Health Act of 2009) are two separate sets of regulations that govern the sharing of patient data. HIPAA establishes your practice as a “Covered Entity” and regulates how you use and disclose protected health information (PHI). The HITECH Act complements HIPAA and controls with whom you can share this information. Parties with whom you share such information are identified as “Business Associates,” and must comply with HIPAA Privacy and Security rules to the same degree as any covered entity. We act as your Business Associate and your practice is the Covered Entity. We electronically sign a business associate agreement with you upon signup. We also provide a document which covers best practices when using our system.
Compliance & Communication Protocol
All communication with our service goes through HTTPS and email is sent using TLS. In fact, our console is only available on port 443 through HTTPS, our public sites force HTTPS. Look in the address bar for the green https. If it’s missing or appears broken, quickly close the page and contact email@example.com. For email, we enforce Transport Layer Security (TLS) is a protocol that encrypts and delivers mail securely. Reasonable precautions and safeguard should be taken when dealing with email communication. We provide a HIPAA compliance guide that is available for download in the footer of the admin dashboard or here: HIPAA Compliance Guide Sheet
All patient documents are encrypted with 256-bit AES encryption keys as soon as they enter our secure databases. Every patient document is encrypted with a unique initialization vector by a unique encryption key to achieving semantic security. Practice Sense verifies each document’s integrity on a regular basis and each time a document is requested using a hash-based authentication code (HMAC) which is calculated using its own unique 256-bit HMAC key. Encryption keys, initialization vectors, and HMAC keys are re-keyed and each document re-encrypted on a regular basis. In layman’s term: we’ve got you covered. We meet and exceed HIPAA and HITECH’s requirements for ePHI storage and access.
Network Security and Subsystems
We combine multiple subsystems to run Practice Sense. Each subsystem is totally and completely segmented from each other by software and network security rules to provide maximum protection. We never store encrypted patient documents and their encryption keys in the same server cluster. Our configuration requires each subsystem to access another subsystem via specific network routes and specific inbound and outbound port rules.