Security, HIPAA & Privacy
As a healthcare business, you need to be sure your technology vendors take cybersecurity risk and data protection as seriously as you do. That's why we're committed to protecting the confidentiality and security of all data, and especially protected health information (PHI), that we receive, transmit or store on behalf of customers.
HIPAA compliance requires both technical and organizational policies and controls. At Planbase we take the technical measures needed to secure our application in a HIPAA-compliant way, including encryption, vulnerability scanning, monitoring, and more. Organizational controls are an equally fundamental part of security, so we also sign Business Associate Agreements (BAAs), screen third-party vendors, and manage company policies such as security training and access control.
Below is a brief summary of the key technical and organizational policies we have in place. If you have any questions about these policies, please reach out to firstname.lastname@example.org.
Security Operations & Development
- All new systems and services are scanned for vulnerabilities before they are deployed to production.
- Static and dynamic application security testing (SAST and DAST) is performed on all code, including the open-source libraries we depend on, as part of our software development process.
- Security is embedded in every stage of the software development lifecycle (SDLC), and we continuously monitor our security and compliance status.
Third-party Risk Management
- We enter into Business Associate Agreements (BAAs) with all partners and vendors who process PHI on our behalf.
- Before we engage a third party, any vendor that will have access to customer or internal data is evaluated against Planbase's security requirements.
- Only HIPAA-compliant vendors may process PHI on our behalf.
- Formal agreements with relevant vendors and third parties define the scope of services and our security, availability, confidentiality and service-level expectations.
- Annually, we review every business associate and vendor with access to ePHI to assess their compliance with the agreed-upon security, confidentiality and privacy requirements.
Cloud Server Security
Planbase relies on managed cloud service providers for the underlying infrastructure and network security controls, and for the physical access policies and procedures that protect their data centers.
- Our application is hosted on AWS, a SOC 2 Type II, HIPAA-compliant infrastructure provider. AWS publishes a description of its security and compliance controls.
- We have a BAA in place with AWS and use only AWS services that are covered by this BAA (AWS's HIPAA-eligible services).
- Planbase is a multi-tenant cloud application. Customer data is segregated by logical access controls built into the core of Planbase's systems.
- Authentication and sign-in flows are managed by Auth0 (an Okta company), a SOC 2 Type II, HIPAA-compliant authentication provider.
- All data, including electronic protected health information (ePHI), is encrypted at rest and in transit using industry-standard encryption.
- Access follows the principle of least privilege and role-based access control; access rights are reviewed regularly and revoked when they are no longer needed.
- Every employee with access to customer data signs our confidentiality and security policy agreements.
- All employees undergo regular security awareness training and testing.