In terms of physical infrastructure - we use the service of the best professionals in the world - AWS. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.
Amazon's data center operations have been accredited under:
SOC 1 and SOC 2 / SSAE 16 / ISAE 3402 (previously SAS 70 Type II)
PCI Level 1
Sarbanes-Oxley (SOX)
To be certified, data centers must pass security audits and be protected against unauthorized access (virtual and physical) as well as fires, earthquakes, blackouts etc.
Regarding Data Security - every application runs in its own environment. There is no possibility of interaction with other apps or potentially vulnerable areas of the system. This standard allows us to build a stable, secure and isolated system where your data is safe. We keep all sensitive information in the database with strictly specified access, so only you and the system administrator can see it. Passwords are always encrypted.
We do a full Data Backup of our database every day, and backups are stored with the full protection and technical safeguards of Amazon AWS security.
Connection Security - the connection between your browser and the application server is secured by an SSL certificate, and all data is encrypted and visible only to the two parties in the communication.
The one thing we cannot influence is the security of your own computer. We can only advise you to install recommended software updates, use anti-virus software and make sure you and your employees follow the highest standard of security practices.
Security and Patient Data Privacy are of the utmost importance to us at Happy Charting Ltd, and we maintain the latest security practices and safeguards to make sure your patients' personal data is kept safe and secure.
We take HIPAA Compliance seriously.
And we encourage both private and community acupuncturists to do the same.
HIPAA Compliance is an ongoing process of remediation and review. There is no such thing as HIPAA certification, however we believe we are making the best efforts, under the advice of our HIPAA consultant advisors, to comply with the laws governed by HIPAA.
We work with Compliancy Group - www.compliancy-group.com - HIPAA Compliance Specialists - to make sure we consistently review and update our Effective Compliance Plan and exercise the best practices in HIPAA Compliance.
In support of educating acupuncturists on HIPAA Compliance, we have created a free 5 Day HIPAA Training Video Series that explains the basic fundamentals of HIPAA. You can access the training on this page here.
We'd like to clarify our position on whether clinics that do not bill insurance are required to be HIPAA compliant. The formal answer is no, and we'd like to apologize if this has been miscommunicated on our behalf.
However, the COO of Compliancy Group has told us that even if a clinic is cash only and uses paper charts, as long as you're dealing with PHI you can still be severely fined in court for negligence if your security and privacy policies and procedures fall short of the minimum standard requirements stated in HIPAA.
The major difference between being a 'Covered Entity' and not being one is that you will not be randomly selected for a government audit, which lessens your chances of being audited.
However, clinics not deemed 'Covered Entities' can still be reported, by a patient or anonymously, and then investigated.
Another case is where a vendor that handles your PHI, such as a scheduler or EHR system, is audited by the government.
Once reported, the government has the right to audit you, regardless of whether or not you are a 'Covered Entity'.
If you do not satisfy HIPAA, you will be fined.
HIPAA Compliance was put in place as a guide to the practices and standards the government expects from businesses that deal with PHI.
It is the most basic, minimum standard the government expects, and therefore, in a court of law, it is the standard your clinic will be held against.
This is why we strongly encourage you to understand HIPAA Compliance and put HIPAA policies and procedures in place, to reduce your potential liability and cover all your bases.
It is our goal to make sure the transition from your previous EHR or paper charting is as easy and stress-free for you as possible.
Currently we require an exported .csv file to import your patient information.
You can head to Settings - Data Transfer and upload your file/s from either your current EHR or scheduler.
If you have a specific question about what we can and can't import or need something specific to you, please click here to contact us.
We will do whatever we can to make sure your needs are met :)