NutriAdmin is HIPAA-compliant software for nutritionists and dietitians, though other health and nutrition professionals can use it as well.
HIPAA stands for the Health Insurance Portability and Accountability Act. HITECH stands for the Health Information Technology for Economic and Clinical Health Act. These acts were created to ensure the security and privacy of Protected Health Information (PHI), both offline and online. For convenience, we will refer to both acts jointly as HIPAA from now on.
Healthcare professionals such as Registered Dietitians must ensure they take all necessary measures on their part to protect the privacy and security of their patients' data. Protected data includes, but is not limited to, physical and mental health (past, present, or future), billing information, health care services received, demographic data, client questionnaires, etc. You can check HIPAA for Professionals to gain a better understanding of your own responsibilities.
HIPAA is not limited to health care professionals. Any business associate that has access to the PHI of a health care professional's patients must be HIPAA compliant as well. In particular, this means that software like NutriAdmin needs to comply with HIPAA regulations. The reason is, again, to ensure the safety and privacy of confidential client data.
When you use NutriAdmin, it is essential to understand that HIPAA has two sides: you as a professional (the covered entity), and NutriAdmin as a software provider. Below you'll find a summary of our practices and security procedures to meet our end of the security policy. Please always remember that you are responsible for your own side of the policy as well.
NutriAdmin's HIPAA compliance
NutriAdmin takes security and HIPAA regulations seriously. The government requires our software to be HIPAA compliant and to safeguard all data you and your clients enter in the system. NutriAdmin's main responsibilities regarding HIPAA compliance apply to data when:
- it is transferred
- it is received
- it is handled
- it is stored
- it is shared
NutriAdmin uses the latest technology and most advanced security standards of the industry. Below is a summary of our security and privacy procedures and practices:
Hosting
- NutriAdmin is hosted with a HIPAA-compliant cloud hosting provider: Microsoft Azure (more information here).
Redundancy
- All data is geo-replicated across several regions to prevent data loss in the event of a local disaster.
Account Access
- To prevent fraud, we verify the identity of users registering for NutriAdmin by asking for their payment card details before they can access the software.
- NutriAdmin users need their private username and password to log in, access their clients' data, or make any changes to their accounts.
- User sessions expire after a period of inactivity, meaning users need to log in again to access their account.
Encryption whilst sending/receiving data
- NutriAdmin always sends and receives data via TLS (Transport Layer Security, the successor to SSL). This means data is always encrypted in transit. You can confirm this by checking any NutriAdmin URL: they always start with https, never plain http.
Data is encrypted when stored
- All data is encrypted at rest.
- All application data is encrypted when stored on disk.
- All backup copies are encrypted as well.
Backups
- We take daily backups to ensure your data can be recovered in case of loss or accidental deletion.
- Backups are kept in secure geo-redundant storage managed by Microsoft Azure.
Log monitoring and alerting
- All activity in NutriAdmin is saved in system logs 24/7.
- If any suspicious activity or error occurs, the system administrators are notified so they can take prompt action to fix potential issues.
No confidential data in emails
- Emails sent by the system to clients, including but not limited to questionnaire fill-in emails, appointment booking emails, and reminder emails, contain the minimum amount of Protected Health Information needed. For example, they include only a client's first name rather than the full name, and appointment dates without the medical reason for the meeting.
Firewall
- NutriAdmin servers are protected by a firewall to prevent attacks from external sources.
Infrastructure
- We have procedures in place to replace any damaged or obsolete piece of infrastructure in the system, should that be needed to ensure the performance of the application and the security of data.
Videoconferencing
- NutriAdmin uses Chime from AWS (Amazon Web Services) to provide secure, HIPAA-compliant videochat/videoconferencing capabilities. You can click here for further details.
Your responsibilities as a NutriAdmin user
In order to comply with HIPAA, and to ensure your clients' data is safe, you need to pay attention to the following:
Protect your password
- Keep your NutriAdmin password secure at all times.
- Set up a strong password: longer than 8 characters, and combining lower-case and upper-case letters, numbers, and symbols.
- Keep your password secret.
- Do not keep paper or electronic notes of your password anywhere.
- If you suspect someone may have stolen your password, change it to a new one as soon as possible.
- Do not reuse your NutriAdmin password for other software or services.
Train yourself, your staff, and clients
- If you have employees, ensure they understand HIPAA, and the security procedures they must follow.
- Ensure clients understand the relevant security policies and procedures.
- Educate yourself, your clients, and your staff about the risks and associated security measures of storing data online, and using email for data transfer.
Access
- Ensure there is a system password in place on any device (computer, phone, tablet, etc.) where you use NutriAdmin.
- Allow each staff member to access only their own account in the system.
- Log out of your NutriAdmin session and lock your computer when you have finished using the software.
- Don't share your account with anyone.
- Designate a work-specific device, and avoid logging in to your NutriAdmin account from public, shared, or insecure devices.
The above is not an exhaustive list. For more information on your own responsibilities, you can check HIPAA for Professionals.