Since our product has a global reach, we need to be compliant with country- and region-specific regulations. Listed below are 2 such major regulations that we are compliant with.
1. HIPAA Compliance
The Health Insurance Portability and Accountability Act sets the standard for protecting sensitive patient data. Any company that deals with protected health information must ensure that all the required physical, network, and process security measures are in place and followed. Please take a look at Clinicea HIPAA Compliance.
2. EU Model Contracts for the transfer of personal data to third countries
Clinicea – “Data Processor” – has entered into an agreement with the Cloud infrastructure Provider, Microsoft Azure – the “Data Processor” – to ensure compliance with EU Model Contracts for the transfer of personal data to third countries. Since Microsoft Azure may store the data at one or several of its geographically spread-out data centers, to further ensure compliance, the Clinic, i.e. YOU – “Data Exporter” – can enter into an agreement with Clinicea – “Data Importer” – to ensure that the obligations of the EU Model Contracts regarding the security of your data are adhered to at Clinicea.
4. Please share a copy of your ISO 27001 certificate
We only focus on compliance with legislative requirements such as HIPAA for the US, PDPA for Singapore, Standard Model Contracts for the EU, and so forth. ISO 27001 is not an acceptable legislative standard in any of the markets we have come across.
5. Do you also have HIPAA certification? Please share a copy of this as well.
We have been compliant with HIPAA since 2015. Please take a look at Clinicea HIPAA Compliance for reference.
6. GDPR Compliance
GDPR is now in effect and we wanted to let you know that we have completed all internal changes to be GDPR compliant. Please take a look at General Data Protection Regulation (GDPR) and Clinicea for reference.
7. Please go deeper and provide even more details on who exactly would have back-end access to patient data.
Only the support team can access a Client account, and only in order to address a support request. Such access is permitted only from office premises.
Back-End Access to the Web server, Caching Server, and so on, has not been available to ANY Developer or Support Executive since April 2017, post-adoption of Azure App Service Technology. Only incremental code changes are pushed through an encrypted secure channel from Clinicea office premises to overseas Microsoft Azure Data Centers. The concept of direct access no longer exists at Clinicea.
Back-End Access to the Database is similarly channeled, with the exception that the CTO of the company does have access to the Database Backup in the event of a contingency. We have used “managed database services” from Microsoft Azure since Day 1, i.e. physical access to the database server is not available to anyone at Clinicea, not even to the CTO.
Cloud Technology is evolving rapidly, and as and when better security systems are made available by partners at a commercial level, they are reviewed and, where required, adopted. The outcome of these reviews is reflected in the updated Security WhitePaper.
8. When was your last information systems audit carried out, and what evidence of the same can you share with us?
While we cannot publicly share the timetable of our internal periodic reviews, we are open to working with the security auditor of your choice to provide more answers. In the past too, when working with the health data of Olympic Athletes, we have undergone similar processes on data security and penetration testing, and we will be happy to address your concerns.
9. Do your clients have a “right to audit” clause for the environment?
The right to audit can be extended upon request. Costs for auditing, and any charges by 3rd-party vendors for access to their infrastructure, are borne by clients.
10. Assuming your client was to terminate the arrangement, what assurance would you give on the data? Is it purged and if so, how exactly is it done & what evidence do you share?
The standard agreement we enter into with a client covers termination specifically. A draft can be provided on request. It basically reiterates the fact that we are simply custodians of the data, with ownership resting solely with the client. The client can request us to permanently delete all of their data from our servers and from those of the 3rd-party services we may be using in the back-end. Upon such a request, within 30 days, Clinicea will delete all of the Client’s data and confirm the same in writing.