Getting Started with Compliance
Since our product has a global reach, we need to be compliant with country- and region-specific regulations. Listed below are two such major regulations that we are compliant with.
1. HIPAA Compliance
The Health Insurance Portability and Accountability Act sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. Please take a look at Clinicea HIPAA Compliance.
2. EU Model Contracts for the transfer of personal data to third countries
Clinicea, the “Data Processor”, has entered into an agreement with its cloud infrastructure provider, Microsoft Azure, to ensure compliance with the EU Model Contracts for the transfer of personal data to third countries. Since Microsoft Azure may store the data at one or several of its geographically distributed data centers, to further ensure compliance, the Clinic, i.e. YOU, the “Data Exporter”, can enter into an agreement with Clinicea, the “Data Importer”, to ensure that the obligations of the EU Model Contracts regarding the security of your data are adhered to at Clinicea.
4. Please share a copy of your ISO 27001 certificate
We focus only on compliance with legislative requirements such as HIPAA for the US, PDPA for Singapore, the Standard Model Contracts for the EU, and so forth. ISO 27001 is a voluntary certification standard rather than a legislative requirement, and it is not mandated in any of the markets we have come across.
5. Do you also have HIPAA certification? Please share a copy of this as well.
We have been compliant with HIPAA since 2015. Please take a look at Clinicea HIPAA Compliance for reference.
6. Please go deeper and provide even more details on who exactly would have back-end access to patient data.
Only the support team can access a Client account, and only in order to address a support request. Such access is restricted to our office premises.
Back-end access to the web server, caching server, and so on has not been available to ANY developer or support executive since April 2017, following our adoption of Azure App Service. Only incremental code changes are pushed, over an encrypted channel, from Clinicea office premises to the overseas Microsoft Azure data centers. The concept of direct server access no longer exists at Clinicea.
Back-end access to the database is channeled in the same way, with one exception: the CTO of the company does have access to the database backup in the event of a contingency. We have used “managed database services” from Microsoft Azure since day one, i.e. physical access to the database server is not available to anyone at Clinicea, not even the CTO.
Cloud technology is evolving rapidly, and as and when better security controls are made available by our partners at a commercial level, they are reviewed and, where required, adopted. The outcome of each such review is reflected in the updated Security WhitePaper.
7. When was your last information systems audit carried out, and what evidence of the same can you share with us?
While we cannot share the timetable of our internal periodic reviews, we are open to working with the security auditor of your choice to provide further answers. In the past, when working with the health data of Olympic athletes, we have undergone similar processes covering data security and penetration testing, and we will be happy to address your concerns.
8. Do your clients have a “right to audit” clause for the environment?
The right to audit can be extended to a specific client if they are an enterprise customer, i.e. they subscribe to a dedicated cloud infrastructure. For clients using the shared infrastructure, audit access is not technically feasible, as the database, servers, and other infrastructure being audited are also used by other clients.
Additionally, we used to enter into Right to Audit agreements with our back-end vendors, but that process is no longer followed due to the logistical difficulty of implementing it. Instead, we opt for HIPAA-compliant vendors and enter into Business Associate Agreements (BAAs) with them to ensure compliance.
9. Assuming your client was to terminate the arrangement, what assurance would you give on the data? Is it purged and if so, how exactly is it done & what evidence do you share?
The standard agreement we enter into with a client specifically covers termination. A draft can be provided on request. It reiterates the fact that we are simply custodians of the data, with ownership resting solely with the client. The client can request that we permanently delete all of their data from our servers and from those of the third-party services we may be using in the back-end. Upon such a request, Clinicea will delete all of the Client’s data within 30 days and confirm the same in writing.