Digital Health Coaching and HIPAA Compliant Programs
Is Nudge HIPAA compliant? We get the question a lot. And the answer is yes, but it’s up to put the right processes in place to keep it that way.
Nudge is HIPAA-compliant, but in some ways it can feel almost misleading to answer the HIPAA question with a quick "yes."
I realize that for many people this is just another box to be checked for their 'higher-ups' - I get it, compliance isn't "cool" - but if you feel that maintaining HIPAA-compliance and securing PHI are worthy of thoughtful consideration, then this article is for you.
Now that we've covered the fact that Nudge is HIPAA-compliant, let's hit the reset button on expectations...
The fact is, any web-based, app-based or online platform that claims to be HIPAA-compliant CAN BE used in a non-HIPAA compliant way.
And that is where you and your team come in.
If it helps to kickstart the feeling of responsibility, try thinking of any "HIPAA-complaint" software solution, and Nudge's digital health coaching platform specifically as merely “HIPAA-compatible,” because while our security, monitoring and response protocols massively reduce risk of any type of PHI breach, in the end it’s up to you and how you use the system to keep your data secure.
Now that I've 'got your mind right,' keep reading about the key partners and systems we have in place in order to ensure we secure your data.
And please remember to Nudge responsibly :)
Systems & Partners
Hosting
Creating a HIPAA-compliant digital coaching platform begins with where all the data lives, and for us, that begins with our first key partner in HIPAA-compliance and security, and that’s leading cloud-based secure hosting provider, Armor.
As you can see from their logo, they take security pretty seriously. And that’s why we trust them to host all of our applications and our database, and provide the necessary triggers, protocols and around-the-clock monitoring that ensure total data security from breach.
It’s a common misconception that HIPAA has a specific set of prescriptive sort of protocols that technology subcontractors like our organization (with help from Armor in our case) can implement step-by-step.
In reality HIPAA provides high-level guidelines from what can and can’t happen, and it’s up to us to make that possible, and in Armor’s case, raise the bar much beyond that level in terms of security and monitoring.
HITRUST is a non-profit that provides more specific guidance in the form of a certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management.
Armor is HITRUST CSF Certified, and here’s what Michael Frederick, HITRUST’s VP of Assurance Services & Product Development said about them...
“The company has built its infrastructure specifically for security. It’s extremely well suited for our client data. It’s HIPAA-compliant and has helped us streamline the scope of our own internal audits.”
As you can see HITRUST themselves clearly trust Armor with their client data.
Support
Engagement is a huge buzzword for a digital coaching company. So when it comes to providing built-in support for all of our platforms, it is important that we practice what we preach.
Not so easy with a small team I might add.
Although I was already at the time a huge fan of a company (Intercom) that does built-in support and customer engagement software really well, Intercom (see the little chat bubble on the homepage of our website), they were not willing to sign a Business Associate Agreement (BAA) with us for HIPAA-compliance.
So we had to find another, HIPAA-compliant in-platform support solution that would work with us to maintain security and HIPAA-compliance.
And luckily, we came across HelpScout - who made it easy.
They handle in-platform and email-based support in a simple and intuitive way while keeping the proper protections in place to ensure no PHI gets shared with inappropriate parties.
all in-platform support requests are protected behind HelpScout logins
email responses also require login before viewing
support tickets can be assigned to the appropriate parties who are HIPAA-trained
Fortunately for you, we put our ENTIRE team through annual HIPAA training - no shortcuts - so you can rest assured that anyone who has access to your (or your client’s, member’s or patient’s) support questions, knows exactly how to handle your case with the appropriate care.
(NOTE: since we’re talking about systems and partners, we use a platform called Accountable HQ to manage our team’s HIPAA trainings and internal HIPAA policies and process)
In short, HelpScout makes it easy for us to keep your data private and secure, even when you need help in a hurry.
How Nudge Responsibly
Now that you’ve seen how we partner to ensure data security, privacy and HIPAA-compliance, I want to circle back to what I said earlier, about your responsibility in all of this.
Like I said, it’s very possible to use a HIPAA-compliant digital coaching platform like Nudge Coach in a non-HIPAA-compliant way, so I wanted to leave you with a simple document that outlines what we do in order to steer you and your organization clear of any HIPAA, security and privacy-issues with client, patient, or member data [see below].
In conclusion, please remember that HIPAA-compliance isn’t about a specific list of boxes to check, it’s about doing everything within your power to reduce the risk of sharing someone’s personal health information in an inappropriate way.
Whether that means you and your team making a mistake and sharing it in the wrong place, or it means an organized breach of a data system like ours, we all have to work together to use our best judgement.
People are entrusting their personal information to us both. Let’s make sure we both share in that responsibility and accountability in the right way.
Download our Nudge Privacy & Security Brief for a concise overview of how we secure your data.