Health Insurance Portability and Accountability Act (HIPAA)

What is HIPAA?

The U.S. Health Insurance Portability and Accountability Act (HIPAA) requires companies dealing with protected health information (PHI) to have physical, network, and process security measures in place and to follow them.

This has been extended to anyone providing treatment, payment, and operations in the field of healthcare, including entities, such as subcontractors and any other related business associates conducting business within the healthcare space. Rocketseed falls under the Business Associate definition due to the company processing emails on behalf of entities within the healthcare space.

Being HIPAA compliant entails addressing the seven fundamental principles, as applicable to and tied in with the functionality of the Rocketseed software and services provided, which are as follows:

1. Implementing written policies, procedures, and standards of conduct
Rocketseed has an extensive set of policies describing procedures of processing and handling information, involving administrative, technical and physical safeguards to protect any type of personal information, including PHI. These policies also cover security incidents reporting, response, business continuity and risk mitigations.

2. Designating a compliance office and compliance committee
Rocketseed has a designated Data Protection Officer who is responsible for maintaining data security systems and ensuring compliance, as well as developing internal policies and procedures across the various operational geographies.

3. Conducting effective training and education
It is part of commencement of employment and within the onboarding process for all employees to be made aware of and complete data security training for all regions in which Rocketseed operates. All employees are kept abreast of updates and changes in legislations, with regular updates on data security and relevant materials available for all.

4. Developing effective lines of communication
A successful compliance program should include open lines of communication, providing options for workforce members to ask questions, report problems, or share concerns. This is part of the Rocketseed culture and, in addition to this, confidentiality and non-retaliation policies are developed and distributed to all employees.

5. Conducting internal monitoring and auditing
To maintain data safety and privacy compliance, Rocketseed regularly audits and monitors its operations to make sure legal requirements are up to date and employees kept abreast of updates. Rocketseed has processes and controls in place with tiered level of authority, to ensure that decisions on – or access to – personal information and hosting systems can only be made through necessary internal approvals.

6. Enforcing standards through well-publicized disciplinary guides
Rocketseed is following rigorous standards of data and privacy safety in all the regions where it operates, following the appropriate national and international guidelines necessary to ensure the safeguarding of processed data. In line with this, Rocketseed is also preparing an ISMS certificate to underpin its standards.

7. Responding promptly to detected offenses and undertaking corrective action
Rocketseed has rigorous 24/7 monitoring of its systems, regular testing of its software functionality, and continuous communication with its hosting providers to ensure early detection of offenses that may pose a risk to both clients and the company. Employees are also trained in security awareness created by human error or malicious attacks. Such attempts or incidences are promptly communicated to affected parties, with a clear outline of corrective actions.

Rocketseed provides users with a safe service, and offers a Business Associate Agreement, that specifies the responsibilities of each party when it comes to PHI for your own peace of mind.