At CodeTwo, we care deeply about the privacy and security of our customers’ data. That is why we are committed to providing our customers with solutions that make it easier for them to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA).
What is HIPAA?
HIPAA is a federal law in the United States that applies to healthcare organizations. Under HIPAA, certain information that relates to an individual’s health is classified as Protected Health Information (PHI). Such information is subject to the additional security and privacy requirements set forth in HIPAA.
It is your individual responsibility to determine if, and to what extent, HIPAA requirements apply to your business. If you determine that HIPAA applies to your business and to your use of CodeTwo products or services, we can help you comply with those requirements by offering the possibility of signing a Business Associate Agreement (BAA) with us. If you wish to enter into a BAA with CodeTwo, contact us using this form.
How has CodeTwo ensured HIPAA compliance?
CodeTwo has engaged external advisors to make sure that its operations and processes meet the requirements of HIPAA. CodeTwo has undertaken the following actions to ensure HIPAA compliance:
1. Defining the context of organization and assessing risks
CodeTwo has carefully analyzed the context in which it operates and identified the relevant entities and their roles within the PHI lifecycle, as well as the risks that apply to CodeTwo’s operations.
2. Internal safeguards and controls
CodeTwo has implemented processes and controls to make sure that no vital decisions regarding PHI or the information security system can be made without prior analysis and the necessary internal approvals.
3. Procedures and documentation
CodeTwo has defined an extensive set of procedures describing PHI processing and the information security system. These procedures describe the administrative, technical and physical safeguards that we have implemented to ensure the privacy and security of PHI. They also cover security incident reporting and handling.
4. Data Protection Officer and Compliance
CodeTwo has designated a Data Protection Officer – a person who is responsible for maintaining our data security system and compliance program, as well as for developing the internal policies and procedures required to ensure HIPAA compliance.
5. Training and awareness
We regularly conduct training on data security and keep training materials available to all members of CodeTwo personnel at all times. No one can start working at CodeTwo without being trained in data security principles, and all members of CodeTwo personnel repeat the training periodically.
6. ISO 27001 and ISO 27018 certification
CodeTwo’s Information Security Management System (ISMS) is certified as compliant with the requirements of ISO/IEC 27001 and ISO/IEC 27018. This guarantees maximum information security and PHI protection both in the cloud and on-premises.
Constant enhancement and control
Maintaining compliance with HIPAA requires an ongoing commitment. Therefore, we regularly audit and monitor our operations to make sure that we remain compliant with legal requirements.
We have also adopted a new, proprietary software development methodology to make sure that personal data protection and security principles are built into our products by design. We are working on several other initiatives as well.