Health Information Portability and Accountability Act (HIPAA) requires healthcare providers such as RDs (covered entities) and their business associates (like Kalix) to establish and follow procedures and practices that ensure the confidentiality and security of Protected Health Information (PHI) when it is transferred, received, handled, or shared. The privacy and security provisions of HIPAA are broadened by the Health Information Technology for Economic and Clinical Health Act (HITECH). While this document refers to the HIPAA for convenience, it covers both the HIPAA and HITECH.
Protected Health Information: is any identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual. This includes information related to the provision or payment of health care services to an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse.
As a covered entity it is important for you to have a good understanding of your responsibility to protect the privacy and security of your patient's health information, please click here for more information.
Kalix and HIPAA
Here at Kalix we view HIPAA regulations very seriously. As a covered entry we also must also comply with HIPAA requirements to protect the privacy and security of health information. We have the most stringent procedures and cutting edge technology in place, making sure Kalix meets government privacy and security requirements. We request that all paying users based in the United States of America, to enter into a Business Associate Agreement (BAA) with us in accordance and compliance with the Privacy Rule. Our BAA incorporates Kalix's Terms and Conditions. If there is a conflict between those terms and the BAA, the BAA prevails.
A summary of Kalix's privacy and security practices are listed below:
- Kalix is hosted using a HIPAA compliant hosting provider - Microsoft Azure Cloud located in the United States of America.
Data is encrypted in transit
- All data is encrypted in transit (to and from the cloud) using TLS (Transport Layer Security).
- Data is encrypted in transit between Kalix and our third party providers.
Data is encrypted at rest
- All data is encrypted at rest including all backup copies.
- We use certificate based encryption methods which means that the keys to access your records are stored in a special area of the operating system that is inaccessible to an outside attacker.
- We also use higher levels of encryption that the current standards recommend to make sure your records stay secure.
- All data is stored in triple redundancies in two data centers 500 miles apart (hence, x6 redundancies).
- We take snapshots of every change you make to every file in Kalix.
- We run a service to backup files to a third data center that is not related to Microsoft, the HIPAA compliant hosting provider Amazon.
- In the case of a catastrophic failure by Microsoft, we still have your data available on a third party.
- If you accidentally delete saved information we are able to recover it from a previous snapshot of your data.
Monitoring for suspicious activity:
- Daily operational procedures are in place to log and monitor data 24/7 looking for any suspicious activities.
- Kalix accounts with multiple users, each user has their own account log in. Kalix tracks each users activity.
- Incident response process procedures are in place for containing the incident and notification of covered entities.
- Plans are in place to address the recovery or continuation of technology infrastructure critical to a covered entity (you) after a natural or human-induced disaster.
- At Kalix, access controls are in place that include the electronic identification and limiting physical on-site data access to a restricted list of people.
- Kalix users must log into Kalix (therefore verify their identity) to access their accounts.
- Directors (owners) of each Kalix account can restrict other users access level to Kalix and ability to alter records.
- Kalix limits ePHI transmission to the minimum necessary, for example only a client's first name can be included in a messages, not their full name.
Administrative, physical and technical safeguards YOU should take
As a covered entity, it is your responsibility to take appropriate administrative, physical and technical safeguards to ensure the safe transmission and storage of ePHI. Below is a list of factors and suggestions you should consider:
- Educate your staff and clients as to the risks of using email, text and voice messaging communication and how to mitigate these risks.
- Clients should sign a consent form prior to sending automated reminders.
- Limit your staff's access to Kalix , allow only required staff to access Kalix.
- Staff that access Kalix, each member should have their own log in and unique password.
- Assign staff that access Kalix appropriate access levels, click here for details. Choose the lower access level when possible.
- Password lock all computers and devices that access Kalix, so others cannot obtain access when you and your staff leave them unattended.
- Enable computer locking when there is no activity (mouse or keyboard movement).
- Set up policies and procedures relating to use and disclosure of PHI. Make sure they are understood and followed by all staff.
- For your Kalix log in, choose strong passwords: at least 8 characters (the longer the better), with a combination of uppercase and lowercase letters, numbers and symbols. Do not choose commonly used passwords.
- Do not re-use the same password on multiple programs.
- Do not share your Kalix log in or password with others.
- Don't leave notes with your passwords to various sites on your computer or desk. People who walk by can easily steal this information and use it to compromise your account. Click here for more information about managing secure passwords.