Privacy, Security, & HIPAA Compliance
All BEHAVEHEALTH sofware is built on the Amazon Web Services HIPAA compliant platform.
The three components of a secure cloud software platform.
ESTABLISHING HIPAA COMPLIANCE and business associates agreement
BEHAVEHEALTH maintains ongoing compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) and is able to process, maintain and store protected health information for any entities restricted by these regulations. BEHAVEHEALTH signs a business associate agreement (BAA) with your organization.
Data Policy and Ownership
Your patients own their data and consent for you to use it in the course of their treatment and for BEHAVEHEALTH to use it to complete the health insurance billing process.
We store all patient records for the mandated 8 year period and offer additional storage options beyond that as well.
Privacy, Security and Trust
Your company entrusts BEHAVEHEALTH to securely store and protect the Protected Health Information (PHI).
We comply with all elements of HIPAA from privacy to data ownership and portability.
We believe deeply in the right to privacy for all people.
INDUSTRY STANDARDS AND BEST PRACTICES
We have implemented the recommendations of National Institute of Standards and Technology (NIST) and Federal Information Processing Standard (FIPS) so our data is encrypted at rest using AES encryption with 256-bit keys.
We use the elliptic curve digital signature algorithm (ECDSA) for our digital signatures related to cryptography operations.
Transmitted PHI is encrypted using strong TLS (predecessor to SSL) ciphers configured for perfect forward secrecy. Insecure TLS ciphers are disabled per NIST recommendations.
Network access to virtual machines is inspected in real time and permanently logged.
Network traffic routed within each customer environment travels through an isolated, non-shared subnet.
SSH access to application environments is configured per the Center for Internet Security (CIS) benchmark recommendations.
Network traffic can be restricted to specific whitelisted IP addresses or VPN connections on a per environment basis.
Intrusion attempts are automatically identified and blocked on a per IP address basis for a significant duration of time, mitigating SSH dictionary attacks and other malicious behavior.
USER ROLES & PERMISSIONS
Access control to our system is managed through our user roles.
Each employee is assigned a user role when they are added and are governed by permissions.
DATA STORAGE BUILT FOR PEACE OF MIND
All data stored in the BEHAVEHEALTH EHR is safe and recoverable, protecting customers against accidental loss or mistakes.
Database backups are encrypted and stored in a highly durable storage infrastructure (99.999999999% durability and 99.99% availability).
Disk volumes leverage a fault-tolerant, high-availability storage system.
Nightly snapshots create a backup of each disk volume.
For data integrity purposes, database backups are automatically enabled based on a consistent schedule, sensible rotation, and retention policy.
Monthly backups are retained for 6 years by default.
PLATFORM OPS SECURITY AND COMPLIANCE ROUTINES
Analysis of intrusion detection system data for anomalous activity and system issues
Virtual machine filesystems are regularly scanned for file integrity, malware, and rootkits.
Audits of firewall rules and IP address whitelists
Maintaining base images for Docker containers used in our platform
Review of published vulnerabilities and exposures
HIPAA compliance requires a number of best practices to be established and maintained internally at your business.
We help you handle that by centralizing your information in the BEHAVEHEALTH EHR.