
Health Insurance Portability and Accountability Act (HIPAA)

How is Curogram HIPAA compliant?

Curogram complies with the following HIPAA regulations:

The Security Rule – Technical Safeguards

Access Controls

Unique User Identification: Each provider is assigned a unique user ID on Curogram. Providers are identified by email address; patients are identified by phone number. If a patient or provider decides to change their identifier, the account is temporarily terminated and transferred to the new phone number or email address when it becomes available.

Emergency Access Procedure (required): Curogram uses automatic backups on AWS (Amazon Web Services), which are accessible any time there is an emergency.

Automatic Logoff (addressable): Curogram automatically logs users out of sessions after a period of inactivity, which is user-controlled in settings.

Encryption and Decryption (addressable): All information is encrypted at rest through third-party integrations of AWS Marketplace partners; we are currently using dm-crypt.

Audit Controls

Curogram uses Loggly, as well as Curogram's internal logging system. All PHI (Protected Health Information) logs are stored on Curogram's internal logging system; non-PHI logs are stored on Loggly.

Integrity Controls

Mechanism to Authenticate Electronic Protected Health Information (addressable): Curogram employs AWS S3, which has built-in integrity checking.

Person or Entity Authentication (required): Healthcare providers authenticate to the application using username/email and password.

Transmission Security

Integrity Controls (addressable): Curogram employs SSL connections with built-in integrity checking.

Encryption (addressable): Data transmitted by Curogram is encrypted using SSL certificates.

The Breach Notification Rule

What constitutes a reportable HIPAA breach? Curogram considers any breach of PHI a HIPAA breach.

Who must be notified in the event of a breach? In the event of a breach, Curogram alerts the providers and patients involved in the breach via email and text messages. In severe cases, Curogram may also alert law enforcement.

How quickly must notification occur? HIPAA requires breaches to be reported within 60 days. However, Curogram protocols and procedures will report most breaches within 24 hours of detection.

See Also: HIPAA Policies and Procedures

Last Update: Nov 25, 2016