At CodeTwo, we care deeply about the privacy and security of our customers’ data. That is why we are committed to providing our customers with solutions that make it easier for them to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA).
What is HIPAA?
HIPAA is a federal law in the United States that applies to healthcare organizations. Under HIPAA, certain information that relates to an individual’s health is classified as Protected Health Information (PHI). Such information is subject to additional security and privacy requirements set forth in HIPAA.
It is your individual responsibility to determine if, and to what extent, HIPAA requirements apply to your business. If you determine that HIPAA applies to your business and your use of CodeTwo products or services, we can help you comply with those requirements by offering the possibility of signing a Business Associate Agreement (BAA) with us. If you wish to enter into a BAA with CodeTwo, contact us using this form.
How has CodeTwo ensured HIPAA compliance?
CodeTwo has engaged external advisors to make sure that its operations and processes meet the requirements of HIPAA. CodeTwo has undertaken the following actions to ensure HIPAA compliance:
1. Defining the context of organization
CodeTwo has carefully analyzed the context in which it operates and identified the relevant entities and their roles within the personal data lifecycle.
2. Internal controls
CodeTwo has implemented processes and controls to make sure that no vital decisions regarding personal data processing and the information security system can be made without prior analysis and the necessary internal approvals.
3. Internal procedures
CodeTwo has defined an extensive set of procedures describing the personal data processing and information security system, including procedures governing the exercise of data subjects’ rights.
4. Data Protection Officer and Compliance
CodeTwo has designated a Data Protection Officer – a person who is responsible for maintaining the personal data security system and the compliance program.
5. Data retention periods and scope of processed data
We have introduced and documented data retention periods and reviewed our processes against the scope of collected personal data to make sure that the data minimization principle is fulfilled.
6. Third parties
We have updated contracts with third parties to make sure that all contracts contain the relevant data protection provisions required by the GDPR, and we have introduced a verification process to make sure that entities which do not guarantee the security of personal data cannot become our business partners.
7. International Data Transfers
CodeTwo has reviewed contracts with third parties located outside of the EEA and updated relevant transfer mechanisms to make sure that international data transfers comply with the GDPR and that these third parties guarantee an adequate level of protection of personal data.
9. Training and awareness
We have prepared training materials on the GDPR and data security which are always available to all members of CodeTwo personnel. No one can start working at CodeTwo without being trained on the relevant GDPR provisions. All members of CodeTwo personnel undergo the training periodically.
Constant enhancements and control
Maintaining compliance with HIPAA requires an ongoing commitment. Therefore, we regularly audit and monitor our operations to make sure that we remain compliant with legal requirements.
We have also adopted a new, proprietary software development methodology to make sure that personal data protection and security principles are built into our products by design. We are working on several other initiatives as well.